From ca24a67f3dc3269001d65b8c327f92f9b60eab1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?= Date: Tue, 17 Dec 2024 09:29:59 -0500 Subject: [PATCH 1/2] Allow find-missing-metadata to be run from other directories (#710) * Allow find-missing-metadata to be run from other directories * run shfmt --- tests/find-missing-testdata.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) mode change 100644 => 100755 tests/find-missing-testdata.sh diff --git a/tests/find-missing-testdata.sh b/tests/find-missing-testdata.sh old mode 100644 new mode 100755 index f8b036a1..0f70cf0f --- a/tests/find-missing-testdata.sh +++ b/tests/find-missing-testdata.sh @@ -6,7 +6,10 @@ # set -e -u -o pipefail -SAMPLE_DIR=${1:-"$(dirname $0)/../../malcontent-samples"} +samples_rel_path="$(dirname $0)" +cd "${samples_rel_path}" +# assumes sample repo is checked out in directory above malcontent +SAMPLE_DIR=${1:-"../../malcontent-samples"} # number of days to look back for missing testdata AGE_IN_DAYS=30 @@ -18,7 +21,12 @@ if [[ ! -d "${SAMPLE_DIR}/does-nothing" ]]; then exit 1 fi -for sample_path in $(find "${SAMPLE_DIR}/" -type f -mtime -"${AGE_IN_DAYS}" -size +100c); do +if [[ ! -f "does-nothing/does-nothing.simple" ]]; then + echo "working directory $(pwd) does not appear to be a valid tests directory; missing does-nothing/does-nothing.simple" + exit 1 +fi + +for sample_path in $(find "${SAMPLE_DIR}" -type f -mtime -"${AGE_IN_DAYS}" -size +100c); do if [[ "${sample_path}" =~ ".git" ]]; then continue fi 
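Review bot: Because `cd "${samples_rel_path}"` now runs before `SAMPLE_DIR=${1:-"../../malcontent-samples"}` is evaluated, a relative path given as `$1` is resolved against the tests directory instead of the directory the user invoked the script from, so `tests/find-missing-testdata.sh ../malcontent-samples` run from the repo root no longer finds the samples. Resolving a caller-supplied argument to an absolute path before leaving the caller's cwd keeps both the new default and the documented `$1` usage working; falling back to the raw argument when `cd` fails lets the existing `does-nothing` directory check still report a bad path. `$0` is also unquoted in the new `samples_rel_path="$(dirname $0)"`; `"$(dirname "$0")"` avoids word splitting on a checkout path containing spaces.
```shell
samples_rel_path="$(dirname "$0")"
# resolve a caller-supplied path before leaving the caller's cwd
if [[ -n "${1:-}" ]]; then
  SAMPLE_DIR="$(cd "$1" 2>/dev/null && pwd)" || SAMPLE_DIR="$1"
fi
cd "${samples_rel_path}"
# assumes sample repo is checked out in directory above malcontent
SAMPLE_DIR=${SAMPLE_DIR:-"../../malcontent-samples"}
```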
@@ -37,18 +45,20 @@ for sample_path in $(find "${SAMPLE_DIR}/" -type f -mtime -"${AGE_IN_DAYS}" -siz basename="${sample_path/${SAMPLE_DIR}\//}" basename="${basename%\.xz}" - relative="./${basename}" found=0 - for test_path in "${relative}".*; do + for test_path in "${basename}".*; do if [[ -f "${test_path}" ]]; then found=1 fi done + relative="${samples_rel_path}/${basename}" + if [[ "${found}" -eq 0 ]]; then - dir=$(dirname ${relative}) - if [[ ! -d "${dir}" ]]; then - echo "mkdir -p ${dir} && touch ${relative}.simple" + real_dir=$(dirname ${basename}) + if [[ ! -d "${real_dir}" ]]; then + rel_dir=$(dirname ${relative}) + echo "mkdir -p "${rel_dir}" && touch ${relative}.simple" else echo "touch ${relative}.simple" fi From 368f804609ac626e297ad34b2108f7feb1daea3d Mon Sep 17 00:00:00 2001 
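Review bot: In `echo "mkdir -p "${rel_dir}" && touch ${relative}.simple"` the inner double quotes close and reopen the outer string, so `${rel_dir}` is expanded unquoted (word-split and glob-expanded) and the command that is printed carries no quotes at all, which breaks the copy-paste workflow for any sample path containing a space. Escape the inner quotes instead: `echo "mkdir -p \"${rel_dir}\" && touch \"${relative}.simple\""`. The new `real_dir=$(dirname ${basename})` and `rel_dir=$(dirname ${relative})` lines have the same unquoted-expansion problem and should read `$(dirname "${basename}")` / `$(dirname "${relative}")`. The enclosing `for sample_path` loop begins before this hunk.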
From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?= Date: Tue, 17 Dec 2024 10:21:18 -0500 Subject: [PATCH 2/2] Tune HIGH/CRITICAL findings + disallow "clean" samples from matching (#712) * Tune HIGH/CRITICAL findings based on Wolfi review * refresh testdata * refresh testdata * update tests * update testdata * further rule tuning * further rule tuning * further rule tuning * run yara-x-fmt --- Makefile | 2 +- pkg/compile/compile.go | 1 + rules/anti-behavior/process-check.yara | 6 +- rules/anti-static/base64/exec.yara | 54 +++---- rules/anti-static/base64/http_agent.yara | 14 +- rules/anti-static/elf/entropy.yara | 3 +- rules/anti-static/obfuscation/bitwise.yara | 5 +- rules/anti-static/obfuscation/python.yara | 18 ++- rules/anti-static/xor/xor-commands.yara | 53 ++++--- rules/anti-static/xor/xor-functions.yara | 11 ++ rules/c2/addr/ip.yara | 2 + rules/c2/addr/url.yara | 1 + rules/c2/tool_transfer/exe_url.yara | 11 +- rules/c2/tool_transfer/grayware.yara | 1 - rules/c2/tool_transfer/python.yara | 14 +- rules/credential/shell/bash_history.yara | 18 +-- rules/credential/ssh/ssh.yara | 15 +- rules/crypto/xor.yara | 18 +-- rules/data/embedded/embedded-base64-gzip.yara | 14 +- rules/discover/ip/public_ip.yara | 2 +- rules/evasion/file/location/x11-unix.yara | 26 ++-- rules/evasion/process_injection/ptrace.yara | 18 ++- rules/exec/remote_commands/code_eval.yara | 1 + rules/exec/shell/tmp_semicolon.yara | 8 +- rules/false_positives/acme.yara | 14 ++ rules/false_positives/ap_compiler.yara | 11 ++ rules/false_positives/flatpak.yara | 4 +- rules/false_positives/kibana.yara | 6 + rules/false_positives/libdw.yara | 11 -- rules/false_positives/nmap.yara | 2 + rules/false_positives/prisma_client_js.yara | 1 + rules/false_positives/qemu.yara | 8 +- rules/false_positives/snapd.yara | 2 +- rules/false_positives/trufflehog.yara | 15 ++ rules/fs/proc/pid-fd.yara | 4 +- rules/impact/cryptojacking/nicehash_pool.yara | 2 +- rules/impact/exploit/overflow-shellcode.yara | 13 +- 
rules/impact/remote_access/backdoor.yara | 11 +- .../remote_access/socket_filter_exec.yara | 2 + rules/net/ip/host_port.yara | 9 +- rules/persist/shell/bash.yara | 3 + rules/persist/shell/zsh.yara | 20 +-- rules/sus/compiler.yara | 14 +- .../clean/falco/filter_compiler.ut.cpp.simple | 10 ++ tests/c/clean/falco/ppm_events.c.simple | 8 ++ .../clean/falco/string_visitor.ut.cpp.simple | 8 ++ tests/does-nothing/does-nothing.go.simple | 0 ...8f9f687751843dbc0be03d4f2ceb468e8453a4940d | 0 .../lottie-player.min.js.mdiff | 2 +- tests/javascript/clean/bash.js.simple | 3 +- tests/javascript/clean/faker.js.simple | 4 +- .../clean/frequency_lists.js.simple | 1 + tests/javascript/clean/mode-php.js.simple | 3 +- .../clean/mode-php_laravel_blade.js.simple | 3 +- tests/javascript/clean/php.js.simple | 3 +- tests/javascript/clean/prism-bash.js.simple | 3 +- .../javascript/clean/prism-bash.min.js.simple | 3 +- .../clean/securityDashboards.plugin.js.simple | 1 + tests/javascript/clean/zxcvbn.js.simple | 1 + tests/linux/2021.FontOnLake/45E9.elf.simple | 2 +- tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 2 +- tests/linux/2024.kubo_injector/injector.json | 4 +- .../emp3r0r.agent.simple | 1 - ...f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple | 1 - tests/linux/clean/acme.sh.simple | 51 +++++++ .../aws-c-io-0.14.10-r0.spdx.json.simple | 0 .../aws-c-io-0.14.11-r0.spdx.json.simple | 0 tests/linux/clean/bat.simple | 73 ++++++++++ tests/linux/clean/bazel.simple | 89 ++++++++++++ tests/linux/clean/botan.simple | 35 +++++ tests/linux/clean/bpftool.simple | 40 ++++++ tests/linux/clean/buildkitd.simple | 132 ++++++++++++++++++ tests/linux/clean/busybox.simple | 3 +- tests/linux/clean/chezmoi.simple | 1 + tests/linux/clean/clickhouse.simple | 4 +- .../linux/clean/http-fingerprints.lua.simple | 6 +- .../securitySolution.chunk.22.js.simple | 14 +- .../kibana/securitySolution.chunk.9.js.simple | 15 +- tests/linux/clean/nvim.simple | 1 - tests/linux/clean/pandoc.md | 4 +- 
tests/linux/clean/qemu-system-xtensa.md | 5 +- tests/linux/clean/sshd.simple | 1 - tests/linux/clean/tree-sitter.md | 3 +- tests/linux/clean/trufflehog.md | 16 +-- tests/linux/clean/x11vnc.simple | 103 ++++++++++++++ .../cnc-dns-over-https.aarch64.simple | 71 ++++++++++ tests/npm/2024.depe-tool/package.json.simple | 5 + .../npm/2024.depe-tool/preinstall.json.simple | 0 tests/php/2024.malcure/simple.php.simple | 1 + .../2024.coloredtxt/base64_payload3.py.simple | 1 - ...29c3ea4ec1c660f441729efdb7f2d5a4.py.simple | 1 - .../clean/versioneer/versioneer.py.simple | 3 +- .../homebrew_no_overrides_spec.rb.simple | 4 + .../clean/homebrew/homebrew_test.pdf.simple | 0 tests/samples_test.go | 28 ++++ tests/windows/clean/make-win.ps1.simple | 4 +- 96 files changed, 1000 insertions(+), 245 deletions(-) create mode 100644 rules/anti-static/xor/xor-functions.yara create mode 100644 rules/false_positives/acme.yara create mode 100644 rules/false_positives/ap_compiler.yara delete mode 100644 rules/false_positives/libdw.yara create mode 100644 rules/false_positives/prisma_client_js.yara create mode 100644 rules/false_positives/trufflehog.yara create mode 100644 tests/c/clean/falco/filter_compiler.ut.cpp.simple create mode 100644 tests/c/clean/falco/ppm_events.c.simple create mode 100644 tests/c/clean/falco/string_visitor.ut.cpp.simple create mode 100644 tests/does-nothing/does-nothing.go.simple create mode 100644 tests/javascript/2024.STRRAT/f252f6e0d8f9f687751843dbc0be03d4f2ceb468e8453a4940d create mode 100644 tests/linux/clean/acme.sh.simple create mode 100644 tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple create mode 100644 tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple create mode 100644 tests/linux/clean/bat.simple create mode 100644 tests/linux/clean/bazel.simple create mode 100644 tests/linux/clean/botan.simple create mode 100644 tests/linux/clean/bpftool.simple create mode 100644 tests/linux/clean/buildkitd.simple create mode 100644 
tests/linux/clean/x11vnc.simple create mode 100644 tests/linux/synthetic/cnc-dns-over-https.aarch64.simple create mode 100644 tests/npm/2024.depe-tool/package.json.simple create mode 100644 tests/npm/2024.depe-tool/preinstall.json.simple create mode 100644 tests/ruby/clean/homebrew/homebrew_no_overrides_spec.rb.simple create mode 100644 tests/ruby/clean/homebrew/homebrew_test.pdf.simple diff --git a/Makefile b/Makefile index a9188d04..621cf5bb 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ SAMPLES_REPO ?= chainguard-dev/malcontent-samples -SAMPLES_COMMIT ?= dd5e3099092d965b83ac31f803769ab04bc18d7d +SAMPLES_COMMIT ?= 38d8faef6bcbd63f7cc02bb243b12aaa3e1ba70c # BEGIN: lint-install ../malcontent # http://github.com/tinkerbell/lint-install diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go index 25b3cf2b..c945c1ac 100644 --- a/pkg/compile/compile.go +++ b/pkg/compile/compile.go @@ -58,6 +58,7 @@ var badRules = map[string]bool{ "mimikatz_offensive_tool_keyword": true, // Inquest "Microsoft_Excel_Hidden_Macrosheet": true, + "Adobe_Type_1_Font": true, // YARA VT "Base64_Encoded_URL": true, "Windows_API_Function": true, diff --git a/rules/anti-behavior/process-check.yara b/rules/anti-behavior/process-check.yara index 474ddcd3..9cfeb71c 100644 --- a/rules/anti-behavior/process-check.yara +++ b/rules/anti-behavior/process-check.yara @@ -34,8 +34,12 @@ rule linux_monitors: high linux { $x_vmstat = "vmstat" fullword $x_ps = "ps" fullword + $not_renice = "renice" fullword + $not_ddrescue = "ddrescue" fullword + $not_traceroute = "traceroute" fullword + condition: - filesize < 100KB and any of ($p*) and 3 of ($x*) + filesize < 100KB and any of ($p*) and 3 of ($x*) and none of ($not*) } rule anti_rootkit_hunter: high linux { diff --git a/rules/anti-static/base64/exec.yara b/rules/anti-static/base64/exec.yara index 80eaace5..53678075 100644 --- a/rules/anti-static/base64/exec.yara +++ b/rules/anti-static/base64/exec.yara 
@@ -3,26 +3,27 @@ rule base64_commands: high { description = "commands in base64 form" strings: - $b_chmod = "chmod" base64 - $b_curl = "curl -" base64 - $b_bin_sh = "/bin/sh" base64 - $b_bin_bash = "/bin/bash" base64 - $b_openssl = "openssl" base64 - $b_dev_null = "/dev/null" base64 - $b_usr_bin = "/usr/bin" base64 - $b_usr_sbin = "/usr/sbin" base64 - $b_var_tmp = "/var/tmp" base64 - $b_var_run = "/var/run" base64 - $b_screen_dm = "screen -" base64 - $b_zmodload = "zmodload" base64 - $b_dev_tcp = "/dev/tcp" base64 - $b_bash_i = "bash -i" base64 - $b_tar_c = "tar -c" base64 - $b_tar_x = "tar -x" base64 - $b_bash_c = "bash -c" base64 - $not_kandji = "kandji-parameter-agent" - $not_mdmprofile = "mdmprofile" - $not_example = "commands are encoded" + $b_chmod = "chmod" base64 + $b_curl = "curl -" base64 + $b_bin_sh = "/bin/sh" base64 + $b_bin_bash = "/bin/bash" base64 + $b_openssl = "openssl" base64 + $b_dev_null = "/dev/null" base64 + $b_usr_bin = "/usr/bin" base64 + $b_usr_sbin = "/usr/sbin" base64 + $b_var_tmp = "/var/tmp" base64 + $b_var_run = "/var/run" base64 + $b_screen_dm = "screen -" base64 + $b_zmodload = "zmodload" base64 + $b_dev_tcp = "/dev/tcp" base64 + $b_bash_i = "bash -i" base64 + $b_tar_c = "tar -c" base64 + $b_tar_x = "tar -x" base64 + $b_bash_c = "bash -c" base64 + $not_kandji = "kandji-parameter-agent" + $not_mdmprofile = "mdmprofile" + $not_example = "commands are encoded" + $not_sourcemappingURL = "sourceMappingURL=data:application/json;charset=utf-8;base64" condition: any of ($b_*) and none of ($not_*) 
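Review bot: `$not_sourcemappingURL` switches `base64_commands` off for any file that carries an inline source map comment, and the identical unconditional exclusion is added to `base64_http_val` in http_agent.yara; a minified bundle is precisely the kind of file where base64-encoded `chmod`/`/bin/sh` strings are otherwise invisible, so the whole bundle now goes unscanned. Since the `//# sourceMappingURL=data:...` comment conventionally sits at the very end of a bundle and the false positives presumably come from the base64 payload after it, only discounting `$b_*` hits that occur after the comment keeps the fix while leaving the bundle body covered, e.g. `any of ($b_*) and none of ($not_kandji, $not_mdmprofile, $not_example) and (not $not_sourcemappingURL or for any of ($b_*) : (@ < @not_sourcemappingURL))`. The other strings in the hunk are a re-alignment only.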
@@ -82,19 +83,6 @@ rule echo_decode_bash_probable: high { filesize < 256KB and any of them and (@shell[#shell] - @decode[#decode]) < 32 and (@shell[#shell] - @decode[#decode]) > 0 } -rule acme_sh: override { - meta: - description = "acme.sh" - echo_decode_bash_probable = "medium" - iplookup_website = "medium" - - strings: - $ref = "https://github.com/acmesh-official" - - condition: - $ref -} - rule ruby_system_near_enough: critical { meta: description = "Executes commands from base64 content" diff --git a/rules/anti-static/base64/http_agent.yara b/rules/anti-static/base64/http_agent.yara index 5a683b38..81375eb4 100644 --- a/rules/anti-static/base64/http_agent.yara +++ b/rules/anti-static/base64/http_agent.yara @@ -3,12 +3,14 @@ rule base64_http_val: high { description = "base64 HTTP protocol references" strings: - $user_agent = "User-Agent" base64 - $mozilla_5_0 = "Mozilla/5.0" base64 - $referer = "Referer" base64 - $http_1_0 = "HTTP/1.0" base64 - $http_1_1 = "HTTP/1.1" base64 + $b_user_agent = "User-Agent" base64 + $b_mozilla_5_0 = "Mozilla/5.0" base64 + $b_referer = "Referer" base64 + $b_http_1_0 = "HTTP/1.0" base64 + $b_http_1_1 = "HTTP/1.1" base64 + + $not_sourcemappingURL = "sourceMappingURL=data:application/json;charset=utf-8;base64" condition: - any of them + any of ($b*) and none of ($not*) } diff --git a/rules/anti-static/elf/entropy.yara b/rules/anti-static/elf/entropy.yara index 262adae5..a656ac54 100644 --- a/rules/anti-static/elf/entropy.yara +++ b/rules/anti-static/elf/entropy.yara @@ -24,9 +24,10 @@ rule normal_elf_high_entropy_7_4: high { strings: $not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" + $not_bazel = "BazelLogHandler" condition: - normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*) + filesize < 30MB and normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*) } rule normal_elf_high_entropy_footer_7_4: high { 
diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index 96a08b14..a40b71e8 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara @@ -32,6 +32,7 @@ rule excessive_bitwise_math: high { $not_effective_bits = "effective bits" $not_bit_offsets = "bit offsets" $not_uuid = "uuid" fullword + $not_webpack = "webpack-api-runtime.js" fullword condition: filesize < 192KB and #x > 64 and none of ($not*) @@ -132,8 +133,10 @@ rule unsigned_bitwise_math_excess: high { $left = /[a-z]\>\>\>\d{1,3}/ $right = /[a-z]\>\>\>\d{1,3}/ + $not_webpack = "webpack-api-runtime.js" fullword + condition: - filesize < 5MB and $function and $charAt and (#left > 50 or #right > 50) + filesize < 5MB and $function and $charAt and (#left > 50 or #right > 50) and none of ($not*) } rule charAtBitwise: high { diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara index b06a6f2b..8eb7e5a5 100644 --- a/rules/anti-static/obfuscation/python.yara +++ b/rules/anti-static/obfuscation/python.yara @@ -1,13 +1,11 @@ private rule probably_python { strings: - $f_function = "import" fullword - $f_for = "for x in" fullword - $f_return = "return self." - $f_def = "def _" - $f_ord = " ord(" + $import = "import " + $f_common = /\s(def|if|with|else:) / + $f_exotic = /exec\(|b64decode|bytes\(/ condition: - filesize < 10MB and any of ($f*) + filesize < 10MB and $import in (1..1024) and any of ($f*) } rule py_indirect_builtins: suspicious { @@ -282,7 +280,7 @@ rule multi_decode_3: high { $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/ condition: - filesize < 10MB and all of them + probably_python and filesize < 10MB and all of them } rule multi_decode: medium { 
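Review bot: `$import in (1..1024)` in the rewritten `probably_python` excludes offset 0, so a file whose very first bytes are `import os` with no further import is not recognised, and it requires the first import within 1 KiB, so modules with a long license header or module docstring stop counting as Python; because `multi_decode_3` in the second hunk now depends on `probably_python`, those files silently lose that high-level detection. `$import in (0..8192)` closes both gaps without weakening the gate. `$f_common = /\s(def|if|with|else:) /` also demands a space after `else:`, which ends a line in real code, so that alternative is effectively dead; `/\s(def|if|with) |else:\s/` expresses the intent. The `filesize < 10MB` repeated in `multi_decode_3`'s condition is already enforced by `probably_python` and can be dropped.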
@@ -311,13 +309,13 @@ rule rename_requests: medium { rule rename_requests_2char: high { meta: - description = "imports 'requests' library and gives it a two-letter name" + description = "imports 'requests' library and gives it a shorter name" strings: - $ref = /import requests as \w{2}/ + $ref = /import requests as \w{1,2}/ fullword condition: - filesize < 65535 and all of them + filesize < 32KB and all of them } rule rename_os: high { diff --git a/rules/anti-static/xor/xor-commands.yara b/rules/anti-static/xor/xor-commands.yara index b7b48296..31350d54 100644 --- a/rules/anti-static/xor/xor-commands.yara +++ b/rules/anti-static/xor/xor-commands.yara 
@@ -3,34 +3,31 @@ rule xor_commands: high { description = "commands obfuscated using xor" strings: - $b_chmod = "chmod " xor(1-31) - $b_curl = "curl -" xor(1-31) - $b_bin_sh = "/bin/sh" xor(1-31) - $b_bin_bash = "/bin/bash" xor(1-31) - $b_openssl = "openssl" xor(1-31) - $b_screen_dm = "screen -" xor(1-31) - $b_zmodload = "zmodload" xor(1-31) - $b_dev_tcp = "/dev/tcp" xor(1-31) - $b_bash_i = "bash -i" xor(1-31) - $b_bash_c = "bash -c" xor(1-31) - $b_base64 = "base64" xor(1-31) - $b_eval = "eval(" xor(1-31) - $b_chmod2 = "chmod " xor(33-255) - $b_curl2 = "curl -" xor(33-255) - $b_bin_sh2 = "/bin/sh" xor(33-255) - $b_bin_bash2 = "/bin/bash" xor(33-255) - $b_openssl2 = "openssl" xor(33-255) - $b_screen_dm2 = "screen -" xor(33-255) - $b_zmodload2 = "zmodload" xor(33-255) - $b_dev_tcp2 = "/dev/tcp" xor(33-255) - $b_bash_i2 = "bash -i" xor(33-255) - $b_bash_c2 = "bash -c" xor(33-255) - $b_base642 = "base64" xor(33-255) - $b_eval2 = "eval(" xor(33-255) - $b_xterm = "TERM=xterm" xor(1-31) - $b_xterm2 = "TERM=xterm" xor(33-255) - $not_password_list = "qwer1234" + $b_chmod = "chmod " xor(1-31) + $b_curl = "curl -" xor(1-31) + $b_bin_sh = "/bin/sh" xor(1-31) + $b_bin_bash = "/bin/bash" xor(1-31) + $b_openssl = "openssl" xor(1-31) + $b_screen_dm = "screen -" xor(1-31) + $b_zmodload = "zmodload" xor(1-31) + $b_dev_tcp = "/dev/tcp" xor(1-31) + $b_bash_i = "bash -i" xor(1-31) + $b_bash_c = "bash -c" xor(1-31) + $b_base64 = "base64" xor(1-31) + $b_chmod2 = "chmod " xor(33-255) + $b_curl2 = "curl -" xor(33-255) + $b_bin_sh2 = "/bin/sh" xor(33-255) + $b_bin_bash2 = "/bin/bash" xor(33-255) + $b_openssl2 = "openssl" xor(33-255) + $b_screen_dm2 = "screen -" xor(33-255) + $b_zmodload2 = "zmodload" xor(33-255) + $b_dev_tcp2 = "/dev/tcp" xor(33-255) + $b_bash_i2 = "bash -i" xor(33-255) + $b_bash_c2 = "bash -c" xor(33-255) + $b_base642 = "base64" xor(33-255) + $b_xterm = "TERM=xterm" xor(1-31) + $b_xterm2 = "TERM=xterm" xor(33-255) condition: - any of ($b_*) and not ($b_eval and 
$not_password_list) + any of them } diff --git a/rules/anti-static/xor/xor-functions.yara b/rules/anti-static/xor/xor-functions.yara new file mode 100644 index 00000000..0b7bd62c --- /dev/null +++ b/rules/anti-static/xor/xor-functions.yara @@ -0,0 +1,11 @@ +rule xor_eval: medium { + meta: + description = "eval( xor'd" + + strings: + $b_eval = "eval(" xor(1-31) + $b_eval2 = "eval(" xor(33-255) + + condition: + any of ($b_*) +} diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index 870821c5..d2e074f9 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara @@ -43,6 +43,8 @@ rule bin_hardcoded_ip: high { $not_10_11_12_13 = "10.11.12.13" $not_libebt_among_init = "libebt_among_init" $not_send_att = "3.2.5.7" + $not_192_168 = "192.168." + $not_2345 = "23.45.67.89" condition: filesize < 12MB and ip_elf_or_macho and 1 of ($sus_ip*) and none of ($not*) diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index 99d7c80c..898c0fd9 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara @@ -95,6 +95,7 @@ rule binary_url_with_question: high { $not_msdn = "msdn.microsoft.com/" $not_codeproject = "www.codeproject.com/" $not_wiki = "index.php?title=" + $not_mesibo = "https://api.mesibo.com/api.php?" condition: filesize < 150MB and elf_or_macho and $ref and none of ($not*) diff --git a/rules/c2/tool_transfer/exe_url.yara b/rules/c2/tool_transfer/exe_url.yara index 87dda5c7..077fcb39 100644 --- a/rules/c2/tool_transfer/exe_url.yara +++ b/rules/c2/tool_transfer/exe_url.yara @@ -3,10 +3,11 @@ rule http_url_with_exe: high { description = "accesses hardcoded executable endpoint" strings: - $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe/ fullword + $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe/ + $not_mongodb_404 = "https://docs.mongodb.com/manual/reference/method/Bulk.exe" condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_ip_url_with_exe: critical { 
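Review bot: The new `xor_eval` rule carries `$b_eval`/`$b_eval2` over from `xor_commands` but not the `$not_password_list = "qwer1234"` exclusion that previously gated them (`not ($b_eval and $not_password_list)`), so a password-list style file that was deliberately excluded before now produces a medium finding. `"eval("` is only five bytes and is tried under 254 single-byte keys with no `filesize` bound, which makes chance hits in large binary blobs plausible; restoring the exclusion and bounding the size keeps the prior behaviour: add `$not_password_list = "qwer1234"` to strings and use `condition: filesize < 10MB and any of ($b_*) and not $not_password_list`. The meta description `"eval( xor'd"` would read more consistently with the sibling rule as `"eval( obfuscated using xor"`.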
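Review bot: `$not_192_168 = "192.168."` in `bin_hardcoded_ip` is a very broad exclusion: any ELF or Mach-O that mentions a private LAN address anywhere — default configs, usage text, embedded test fixtures — now suppresses every `$sus_ip*` hit in that binary, and `$not_2345 = "23.45.67.89"` looks like a single documentation address rather than a marker of the binary that produced the false positive. If the false positive came from a specific program, a string unique to that program (its name or version banner) is a much narrower `$not` than a substring that appears in most network-aware software; if a private address is meant to signal "example config", consider requiring it near the `$sus_ip*` match rather than anywhere in the file.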
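Review bot: Dropping `fullword` from `$exe_url` is presumably what lets the regex stop at `.exe` inside a `Bulk.execute` docs URL, and `$not_mongodb_404` then papers over that single instance while any other `*.exec`/`*.executable`/`*.exercise` URL still fires at high. A trailing word boundary keeps the match on the extension without the bidirectional `fullword` constraint: `$exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe\b/`, after which the mongodb exclusion is unnecessary; the same applies to `http_ip_url_with_exe` in the next hunk (the `.msi` rules there are only narrowed by `(msi|pkg)` → `msi`, and the description "install file endpoint" still fits). Why `fullword` was removed is not visible in the hunk; if the leading boundary was the problem, `\b` addresses only the trailing side.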
@@ -14,7 +15,7 @@ rule http_ip_url_with_exe: critical { description = "accesses hardcoded executable endpoint via IP" strings: - $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.exe/ fullword + $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.exe/ condition: any of ($exe*) @@ -25,7 +26,7 @@ rule http_url_with_msi: high { description = "accesses hardcoded install file endpoint" strings: - $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(msi|pkg)/ fullword + $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.msi/ condition: any of ($exe*) @@ -36,7 +37,7 @@ rule http_ip_url_with_msi: critical { description = "accesses hardcoded install file endpoint via IP" strings: - $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.(msi|pkg)/ fullword + $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.msi/ condition: any of ($exe*) diff --git a/rules/c2/tool_transfer/grayware.yara b/rules/c2/tool_transfer/grayware.yara index f91f65a8..5615f67a 100644 --- a/rules/c2/tool_transfer/grayware.yara +++ b/rules/c2/tool_transfer/grayware.yara @@ -22,7 +22,6 @@ rule grayware_sites: high { $ = "packetstormsecurity" $ = "pentestmonkey.net" $ = "phpjiami.com" - $ = "shodan.io" $ = "github.com/b374k/b374k" $ = "mumaasp.com" diff --git a/rules/c2/tool_transfer/python.yara b/rules/c2/tool_transfer/python.yara index 9b3df810..8d19547b 100644 --- a/rules/c2/tool_transfer/python.yara +++ b/rules/c2/tool_transfer/python.yara @@ -1,3 +1,13 @@ +private rule probably_python_tt { + strings: + $import = "import " + $f_common = /\s(def|if|with|else:) / + $f_exotic = /exec\(|b64decode|bytes\(/ + + condition: + filesize < 10MB and $import in (1..1024) and any of ($f*) +} + private rule py_fetcher: medium { meta: description = "fetches content" @@ -12,7 +22,7 @@ private rule py_fetcher: medium { $http_wget = "wget" fullword condition: - any of them + probably_python_tt and any of them } private rule py_runner { 
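Review bot: `probably_python_tt` is a byte-for-byte copy of `probably_python` from rules/anti-static/obfuscation/python.yara (same `$import in (1..1024)`, `$f_common`, `$f_exotic` and condition), presumably because a private rule cannot be referenced from another file here; the two will drift the next time one is tuned, and this copy already inherits the `(1..1024)` range that skips offset 0. If the compiler loads every rule file into one namespace, the copy can go and `py_fetcher`/`py_runner` can reference `probably_python` directly; otherwise add `// keep in sync with anti-static/obfuscation/python.yara: probably_python` above each copy and use `$import in (0..1024)` in both. `py_runner`'s body begins before its hunk.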
@@ -27,7 +37,7 @@ private rule py_runner { $system = /system\([\"\'\w\ \-\)\/]{0,64}/ condition: - any of them + probably_python_tt and any of them } rule py_dropper: medium { diff --git a/rules/credential/shell/bash_history.yara b/rules/credential/shell/bash_history.yara index 903ca2eb..b26ef8d3 100644 --- a/rules/credential/shell/bash_history.yara +++ b/rules/credential/shell/bash_history.yara @@ -1,23 +1,25 @@ -rule bash_history: high { +rule bash_history: medium { meta: description = "accesses bash shell history" strings: - $ref = ".bash_history" fullword + $ref = ".bash_history" condition: all of them } -rule bash: override { +rule bash_history_high: high { meta: - description = "bash" - bash_history = "medium" + description = "accesses bash shell history" strings: - $posix = "POSIXLY_CORRECT" - $source = "BASH_SOURCE" + $ref = ".bash_history" + $not_posix = "POSIXLY_CORRECT" + $not_source = "BASH_SOURCE" + $not_cshrc = ".cshrc" condition: - filesize > 100KB and filesize < 2MB and all of them + $ref and none of ($not*) } + diff --git a/rules/credential/ssh/ssh.yara b/rules/credential/ssh/ssh.yara index a508d838..214581b9 100644 --- a/rules/credential/ssh/ssh.yara +++ b/rules/credential/ssh/ssh.yara @@ -29,13 +29,14 @@ rule id_rsa_not_ssh: high { description = "non-SSH client accessing SSH private keys" strings: - $id_rsa = "id_rsa" - $not_ssh_newkeys = "SSH_MSG" - $not_ssh_userauth = "SSH_USERAUTH" - $not_ssh_20 = "SSH-2.0" - $not_openssh = "OpenSSH" - $not_ssh2 = "SSH2" fullword - $not_SSH_AUTH_SOCK = "SSH_AUTH_SOCK" + $id_rsa = "id_rsa" + $not_ssh_newkeys = "SSH_MSG" + $not_ssh_userauth = "SSH_USERAUTH" + $not_ssh_20 = "SSH-2.0" + $not_openssh = "OpenSSH" + $not_ssh2 = "SSH2" fullword + $not_SSH_AUTH_SOCK = "SSH_AUTH_SOCK" + $not_host_key_check = "host_key_check" condition: filesize < 10MB and ssh_folder and $id_rsa and none of ($not*) diff --git a/rules/crypto/xor.yara b/rules/crypto/xor.yara index 737c66df..4473db84 100644 --- a/rules/crypto/xor.yara 
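Review bot: `bash_history` (medium) and `bash_history_high` (high) now both match on the bare `.bash_history` literal, so a file with none of the `$not_*` markers satisfies both and — unless the reporter collapses overlapping rules — is listed twice with the identical description "accesses bash shell history"; the same two-rule shape is introduced for `hidden_x11`/`hidden_x11_unexpected` and `ptrace_injector`/`ptrace_injector_unknown` later in this commit. Making the medium rule the complement of the high one, `condition: $ref and any of ($not*)`, yields exactly one finding per file, or at least give the high rule a description that says what sets it apart. `fullword` was also dropped from `$ref`, so `.bash_history_backup`-style names now match; keep `fullword` if that was not intended. The final `+` line adds a stray blank line at end of file.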
+++ b/rules/crypto/xor.yara @@ -3,14 +3,16 @@ rule xor_decode_encode: high { description = "decodes/encodes XOR content" strings: - $decode = /\w{0,16}XorDecode[\w]{0,32}/ - $encode = /\w{0,16}XorEncode[\w]{0,32}/ - $file = /\w{0,16}XorFile[\w]{0,32}/ - $decode_ = /\w{0,16}xor_decode[\w]{0,32}/ - $encode_ = /\w{0,16}xor_encode[\w]{0,32}/ - $file_ = /\w{0,16}xor_file[\w]{0,32}/ - $crypt = /\w{0,16}XorCrypt[\w]{0,32}/ + $x_decode = /\w{0,16}XorDecode[\w]{0,32}/ + $x_encode = /\w{0,16}XorEncode[\w]{0,32}/ + $x_file = /\w{0,16}XorFile[\w]{0,32}/ + $x_decode_ = /\w{0,16}xor_decode[\w]{0,32}/ + $x_encode_ = /\w{0,16}xor_encode[\w]{0,32}/ + $x_file_ = /\w{0,16}xor_file[\w]{0,32}/ + $x_crypt = /\w{0,16}XorCrypt[\w]{0,32}/ + + $not_qemu = "Opcode_xor_encode" condition: - any of them + any of ($x*) and none of ($not*) } diff --git a/rules/data/embedded/embedded-base64-gzip.yara b/rules/data/embedded/embedded-base64-gzip.yara index 57913296..8749826e 100644 --- a/rules/data/embedded/embedded-base64-gzip.yara +++ b/rules/data/embedded/embedded-base64-gzip.yara @@ -18,6 +18,7 @@ rule base64_gz_high_entropy: high { strings: $header = "H4sIA" $not_cloudinit = "cloudinit" fullword + $not_webpack = "webpack-api-runtime.js" fullword condition: filesize < 2MB and math.entropy(1, filesize) >= 6.5 and $header and none of ($not*) @@ -28,12 +29,13 @@ rule base64_obfuscated_js: high { description = "Contains base64 gzip content within high-entropy javascript" strings: - $f_header = "H4sIA" - $f_char_at = "charAt(" - $f_substr = "substr(" - $f_join = "join(" - $f_function = "function(" + $f_header = "H4sIA" + $f_char_at = "charAt(" + $f_substr = "substr(" + $f_join = "join(" + $f_function = "function(" + $not_webpack = "webpack-api-runtime.js" fullword condition: - filesize < 2MB and all of ($f*) and math.entropy(1, filesize) >= 5.0 + filesize < 2MB and all of ($f*) and math.entropy(1, filesize) >= 5.0 and none of ($not*) } 
diff --git a/rules/discover/ip/public_ip.yara b/rules/discover/ip/public_ip.yara index 5d0a5f4f..7c08db4e 100644 --- a/rules/discover/ip/public_ip.yara +++ b/rules/discover/ip/public_ip.yara @@ -3,7 +3,7 @@ rule iplookup_website: high { description = "public service to discover external IP address" strings: - $ipify = "ipify.or" + $ipify = /ipify\.org{0,1}/ $wtfismyip = "wtfismyip" $iplogger = "iplogger.org" $getjsonip = "getjsonip" diff --git a/rules/evasion/file/location/x11-unix.yara b/rules/evasion/file/location/x11-unix.yara index bf2697fe..1a04c652 100644 --- a/rules/evasion/file/location/x11-unix.yara +++ b/rules/evasion/file/location/x11-unix.yara @@ -1,4 +1,4 @@ -rule hidden_x11: high { +rule hidden_x11: medium { meta: description = "references content in /tmp/.X11-unix" ref = "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/" @@ -10,18 +10,24 @@ rule hidden_x11: high { filesize < 10MB and all of them } -rule X11: override { +rule hidden_x11_unexpected: high { meta: - hidden_x11 = "low" + description = "references content in /tmp/.X11-unix" + ref = "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/" strings: - $usr_share = "/usr/share/X11" - $X11Gray = "X11Gray" - $X11_space = "/etc/X11/" - $X11R6 = "X11R6/share" - $XForwarding = "X11 forwarding" - $X = "/tmp/.X11-unix/X" fullword + $x11 = /\/tmp\/\.X11-unix\/[\.\w\%\$\{\}\/\-]{1,16}/ + + $not_usr_share = "/usr/share/X11" + $not_X11Gray = "X11Gray" + $not_etc = "/etc/X11/" + $not_X11R6 = "X11R6/share" + $not_XForwarding = "X11 forwarding" + $not_X = "/tmp/.X11-unix/X" fullword + $not_libx11 = "libX11.so.6" + $not_XAUTHORITY = "XAUTHORITY" condition: - filesize < 10MB and any of them + filesize < 10MB and $x11 and none of ($not*) } + diff --git a/rules/evasion/process_injection/ptrace.yara b/rules/evasion/process_injection/ptrace.yara index 783c1b4e..d2fa730d 100644 
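Review bot: `$ipify = /ipify\.org{0,1}/` accepts exactly the same inputs as the literal `"ipify.or"` it replaces — an optional trailing `g` can never reject anything a prefix match already accepted — so the change only trades a fast literal for a regex with no effect on findings. If the intent was to stop matching `ipify.or` inside unrelated hostnames, the literal `"ipify.org"` (or `/ipify\.org\b/`) does that; if the short literal was deliberate to catch split strings, revert to it.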
--- a/rules/evasion/process_injection/ptrace.yara +++ b/rules/evasion/process_injection/ptrace.yara @@ -10,7 +10,7 @@ rule ptrace: medium { any of them } -rule ptrace_injector: high { +rule ptrace_injector: medium { meta: description = "may inject code into other processes" @@ -22,3 +22,19 @@ rule ptrace_injector: high { condition: filesize < 67108864 and $maps and $ptrace and $proc } + +rule ptrace_injector_unknown: high { + meta: + description = "may inject code into other processes" + + strings: + $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/ + $ptrace = "ptrace" fullword + $proc = "process" fullword + + $not_bpftool = "bpftool" fullword + $not_libdw = "invalid DWARF" + + condition: + filesize < 67108864 and $maps and $ptrace and $proc and none of ($not*) +} diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara index 2ae150a6..2930a126 100644 --- a/rules/exec/remote_commands/code_eval.yara +++ b/rules/exec/remote_commands/code_eval.yara @@ -92,6 +92,7 @@ rule python_exec_complex: high { $exec = /exec\([\w\. =]{1,32}\(.{0,8192}\)\)/ fullword $not_javascript = "function(" $not_pyparser = "exec(compile(open(self.parsedef).read(), self.parsedef, 'exec'))" + $not_versioneer = "exec(VERSIONEER.decode(), globals())" condition: filesize < 512KB and $exec and none of ($not*) diff --git a/rules/exec/shell/tmp_semicolon.yara b/rules/exec/shell/tmp_semicolon.yara index aa22d803..05e39872 100644 --- a/rules/exec/shell/tmp_semicolon.yara +++ b/rules/exec/shell/tmp_semicolon.yara @@ -6,8 +6,10 @@ rule semicolon_short_tmp: high { $tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/ $tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/ + $not_dashes = "--;/tmp" + condition: - any of them + filesize < 1MB and any of ($tmp*) and none of ($not*) } rule semicolon_short_var_tmp: high { 
@@ -17,7 +19,9 @@ rule semicolon_short_var_tmp: high { strings: $var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/ $var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/ + $not_dashes = "--;/var/tmp" condition: - any of them + filesize < 1MB and any of ($var*) and none of ($not*) + } diff --git a/rules/false_positives/acme.yara b/rules/false_positives/acme.yara new file mode 100644 index 00000000..77d42d8e --- /dev/null +++ b/rules/false_positives/acme.yara @@ -0,0 +1,14 @@ +rule acme_sh: override { + meta: + description = "acme.sh" + echo_decode_bash_probable = "medium" + iplookup_website = "medium" + sys_net_recon_exfil = "medium" + cmd_dev_null_quoted = "medium" + + strings: + $ref = "https://github.com/acmesh-official" + + condition: + $ref +} diff --git a/rules/false_positives/ap_compiler.yara b/rules/false_positives/ap_compiler.yara new file mode 100644 index 00000000..41d7e332 --- /dev/null +++ b/rules/false_positives/ap_compiler.yara @@ -0,0 +1,11 @@ +rule ap_compiler_override: override { + meta: + description = "https://github.com/avdaredevil/AP-Compiler" + Base64_Encoded_Powershell_Directives = "medium" + + strings: + $ref = "https://github.com/avdaredevil/AP-Compiler" + + condition: + $ref +} diff --git a/rules/false_positives/flatpak.yara b/rules/false_positives/flatpak.yara index fa802be2..63698d8f 100644 --- a/rules/false_positives/flatpak.yara +++ b/rules/false_positives/flatpak.yara @@ -1,7 +1,7 @@ rule flatpak: override { meta: - description = "flatpak" - hidden_x11 = "medium" + description = "flatpak" + hidden_x11_unexpected = "medium" strings: $flatpak = "FLATPAK_BINARY" fullword diff --git a/rules/false_positives/kibana.yara b/rules/false_positives/kibana.yara index 5c5f2217..8718bcfc 100644 --- a/rules/false_positives/kibana.yara +++ b/rules/false_positives/kibana.yara 
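Review bot: `acme_sh` (moved here from exec.yara and extended to also lower `sys_net_recon_exfil` and `cmd_dev_null_quoted`) fires on the single literal `https://github.com/acmesh-official` with no `filesize` bound or second marker, so any file that merely cites that URL has four detections downgraded; `ap_compiler_override` in the next hunk has the same single-URL shape, whereas `trufflehog_override` later in this commit at least bounds the size. A second string characteristic of the script itself combined with `all of them`, or a size bound appropriate for acme.sh such as `condition: filesize < 1MB and all of them`, keeps the override from applying to arbitrary files that reference the project.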
@@ -15,6 +15,12 @@ rule kibana_powershell_evasion_rule: override {
 rule security_solution_plugin: override {
 meta:
 linux_rootkit_terms = "low"
+ masscan = "low"
+ reverse_shell = "low"
+ grayware_sites = "low"
+ http_url_with_exe = "Low"
+ exotic_tld = "low"
+ download_sites = "low"
 description = "securitySolution.chunk.9.js, securitySolution.chunk.22.js"
 
 strings:
diff --git a/rules/false_positives/libdw.yara b/rules/false_positives/libdw.yara
deleted file mode 100644
index 17fc183d..00000000
--- a/rules/false_positives/libdw.yara
+++ /dev/null
@@ -1,11 +0,0 @@
-rule libdw_override: override {
- meta:
- description = "libdw.so"
- ptrace_injector = "medium"
-
- strings:
- $dward = "invalid DWARF"
-
- condition:
- filesize < 2MB and any of them
-}
diff --git a/rules/false_positives/nmap.yara b/rules/false_positives/nmap.yara
index c233668c..224aae82 100644
--- a/rules/false_positives/nmap.yara
+++ b/rules/false_positives/nmap.yara
@@ -2,6 +2,8 @@ rule nmap_fingerprints: override {
 meta:
 description = "http-fingerprints.lua"
 SIGNATURE_BASE_Hacktool_Strings_P0Wnedshell = "medium"
+ meterpreter = "medium"
+ grayware_sites = "medium"
 
 strings:
 $description = "---HTTP Fingerprint files"
diff --git a/rules/false_positives/prisma_client_js.yara b/rules/false_positives/prisma_client_js.yara
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/rules/false_positives/prisma_client_js.yara
@@ -0,0 +1 @@
+
diff --git a/rules/false_positives/qemu.yara b/rules/false_positives/qemu.yara
index 181834a7..6268ea83 100644
--- a/rules/false_positives/qemu.yara
+++ b/rules/false_positives/qemu.yara
@@ -1,10 +1,12 @@
 rule qemu: override {
 meta:
- description = "QEMU"
+ description = "QEMU"
+ proc_d_cmdline = "medium"
 
 strings:
- $module = "QEMU_MODULE"
+ $module = "QEMU_MODULE"
+ $aligned = "QEMU_IS_ALIGNED"
 
 condition:
- filesize < 5MB and all of them
+ filesize < 30MB and any of them
 }
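Review bot: `http_url_with_exe = "Low"` is the only capitalised severity in the `security_solution_plugin` meta block; every neighbouring value added in this hunk is `"low"`. If the override loader compares these values case-sensitively (not visible from this diff), the entry silently has no effect. Change it to `http_url_with_exe = "low"` so it matches the others regardless.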
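Review bot: `rules/false_positives/prisma_client_js.yara` is added containing only a blank line (`@@ -0,0 +1 @@`), so it compiles to nothing and documents nothing; it looks like a placeholder committed by accident. Either drop the file or fill in the override the name implies, with a `description` and an anchor string like the other files under `rules/false_positives/`.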
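Review bot: `filesize < 30MB and any of them` turns the `qemu` override from requiring both markers into requiring either one, in the same hunk that adds `$aligned = "QEMU_IS_ALIGNED"` and raises the size bound sixfold. `QEMU_IS_ALIGNED` is a macro-style token that code reusing QEMU headers may also carry, so the override (which now also downgrades `proc_d_cmdline`) could be inherited by binaries that are not QEMU. Unless a specific sample lacks `QEMU_MODULE`, keeping `all of them` alongside the new string is the narrower change; if `any of them` is needed, a comment naming the sample that requires it would justify the loosening.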
diff --git a/rules/false_positives/snapd.yara b/rules/false_positives/snapd.yara
index ffc91346..615e544a 100644
--- a/rules/false_positives/snapd.yara
+++ b/rules/false_positives/snapd.yara
@@ -7,7 +7,7 @@ rule snapd: override linux {
 dev_mmc = "medium"
 busybox_runner = "medium"
 system_log_references = "medium"
- hidden_x11 = "medium"
+ hidden_x11_unexpected = "medium"
 filetypes = "elf,so"
 
 strings:
diff --git a/rules/false_positives/trufflehog.yara b/rules/false_positives/trufflehog.yara
new file mode 100644
index 00000000..adcae5da
--- /dev/null
+++ b/rules/false_positives/trufflehog.yara
@@ -0,0 +1,15 @@
+rule trufflehog_override: override {
+ meta:
+ description = "github.com/trufflesecurity/trufflehog"
+ suspected_data_stealer = "medium"
+ discord_bot = "medium"
+ iplookup_website = "medium"
+ download_sites = "medium"
+ file_io_uploader = "medium"
+
+ strings:
+ $ref = "github.com/trufflesecurity/trufflehog"
+
+ condition:
+ filesize > 50MB and filesize < 200MB and any of them
+}
diff --git a/rules/fs/proc/pid-fd.yara b/rules/fs/proc/pid-fd.yara
index 0e5a2751..9e7438e1 100644
--- a/rules/fs/proc/pid-fd.yara
+++ b/rules/fs/proc/pid-fd.yara
@@ -36,6 +36,8 @@ rule inspects_opened_sockets: high {
 $ref = "socket:[" fullword
 $ref2 = /\/proc\/[%{$][\w\}]{0,12}\/fd/
 
+ $not_busybox = "BusyBox" fullword
+
 condition:
- all of them
+ all of ($ref*) and none of ($not*)
 }
diff --git a/rules/impact/cryptojacking/nicehash_pool.yara b/rules/impact/cryptojacking/nicehash_pool.yara
index 2ddd7b8a..60c073a9 100644
--- a/rules/impact/cryptojacking/nicehash_pool.yara
+++ b/rules/impact/cryptojacking/nicehash_pool.yara
@@ -3,7 +3,7 @@ rule nicehash_pool: high {
 description = "References Nicehash and mining pools"
 
 strings:
- $ref = "nicehash"
+ $ref = "nicehash" fullword
 $ref2 = "pool"
 
 condition:
diff --git a/rules/impact/exploit/overflow-shellcode.yara b/rules/impact/exploit/overflow-shellcode.yara
index 654622b9..a07760a7 100644
--- a/rules/impact/exploit/overflow-shellcode.yara
+++ b/rules/impact/exploit/overflow-shellcode.yara
@@ -3,13 +3,16 @@ rule exploit: high {
 description = "Buffer overflow exploit"
 
 strings:
- $padding = "padding"
- $address = "address"
- $offset = "offset"
- $shellcode = "shellcode"
+ $n_padding = "padding" fullword
+ $n_address = "address" fullword
+ $n_offset = "offset" fullword
+ $shellcode = "shellcode" fullword
+
+ $not_fishshell = "fishshell"
+ $not_powershell = "powershell"
 
 condition:
- $shellcode and 3 of them
+ filesize < 3MB and $shellcode and 2 of ($n*) and none of ($not*)
 }
 
 rule execute_shellcode: high {
diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara
index a7d35cba..20628e42 100644
--- a/rules/impact/remote_access/backdoor.yara
+++ b/rules/impact/remote_access/backdoor.yara
@@ -15,7 +15,7 @@ rule backdoor: medium {
 description = "References a 'backdoor'"
 
 strings:
- $ref = /[a-zA-Z\-_ \']{0,16}[bB]ackdoor[a-zA-Z\-_ ]{0,16}/ fullword
+ $ref = /[\/a-zA-Z\-_ \']{0,16}[bB]ackdoor[\/a-zA-Z\-_ ]{0,48}/
 $not_vcpu = "VCPUInfoBackdoor"
 $not_vmware = "gGuestBackdoorOps"
 
@@ -38,7 +38,7 @@ rule backdoor_shell: high {
 
 rule backdoor_likely: high {
 meta:
- description = "References a 'backdoor'"
+ description = "References a 'backdoor', uses sensitive Linux functions"
 
 strings:
 $backdoor = "backdoor" fullword
@@ -55,14 +55,17 @@ rule backdoor_likely: high {
 
 rule backdoor_high: high {
 meta:
- description = "references a backdoor"
+ description = "suspicious backdoor reference"
 
 strings:
 $lower_prefix = /(hidden|hide|icmp|pam|ssh|sshd)[ _]backdoor/
 $lower_sufifx = /backdoor[_ ](task|process|up|method|user|shell|login|pass)/
 
+ $not_falco_dev_null = "/dev/null is a backdoor method"
+ $not_falco_backdoor_insert = "backdoor method for inserting special events"
+
 condition:
- filesize < 10MB and any of them
+ filesize < 10MB and any of ($lower*) and none of ($not*)
 }
 
 rule backdoor_caps: high {
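Review bot: `$not_powershell = "powershell"` is an unanchored substring, so any file that mentions PowerShell anywhere is exempted from `exploit`, even one that also carries `shellcode`, `padding` and `offset`; `$not_fishshell` has the same shape. The `$n_*` strings were all tightened with `fullword` in this same hunk, which makes the loose exclusions stand out. If the false positive being suppressed is a specific document or script, anchor the exclusion on a longer phrase taken from it, as `$not_falco_dev_null` does in `backdoor.yara` later in this patch, rather than on the bare product name.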
diff --git a/rules/impact/remote_access/socket_filter_exec.yara b/rules/impact/remote_access/socket_filter_exec.yara
index 21bfd800..efc75578 100644
--- a/rules/impact/remote_access/socket_filter_exec.yara
+++ b/rules/impact/remote_access/socket_filter_exec.yara
@@ -12,6 +12,8 @@ rule linux_network_filter_exec: high {
 $e_bin_sh = "/bin/sh"
 $e_bin_bash = "/bin/bash"
 $not_cilium_node = "CILIUM_SOCK"
+ $not_tcp_ipv6 = "tcp[ipv6]"
+ $not_keycode = "keycode=0x"
 
 condition:
 $0x and any of ($p*) and any of ($e*) and none of ($not*)
diff --git a/rules/net/ip/host_port.yara b/rules/net/ip/host_port.yara
index c5c5ee76..9d9c5a0c 100644
--- a/rules/net/ip/host_port.yara
+++ b/rules/net/ip/host_port.yara
@@ -69,6 +69,13 @@ rule hardcoded_host_port_over_10k: high {
 $host_domain_tld = /[a-z]{3,64}\.[a-z]{3,64}\.[a-z]{2,3}:\d{4,5}/ fullword
 $host_domain_sld_tld = /[a-z]{3,64}\.[a-z]{3,64}\.[a-z]{2,3}\.[a-z]{2,3}:\d{4,5}/ fullword
 
+ $not_roughtime_cloudflare = "roughtime.cloudflare.com:2003"
+ $not_roughtime_google = "sandbox.google.com:2002"
+ $not_foo_bar = "foo.bar:"
+ $not_example_com = "example.com:"
+ $not_mygateway = "mygateway.com:"
+ $not_mymachine = "mymachine.com:"
+
 condition:
- any of ($h*)
+ any of ($h*) and none of ($not*)
 }
diff --git a/rules/persist/shell/bash.yara b/rules/persist/shell/bash.yara
index e0186bb7..83b895b9 100644
--- a/rules/persist/shell/bash.yara
+++ b/rules/persist/shell/bash.yara
@@ -27,6 +27,8 @@ rule bash_persist_persistent: high {
 $ref4 = ".bashrc"
 
 $not_bash = "POSIXLY_CORRECT"
+ $not_csh = ".cshrc" fullword
+ $not_tcsh = "tcsh" fullword
 
 condition:
 3 of them and none of ($not*)
@@ -54,6 +56,7 @@ rule bash_logout_persist: high {
 $not_bash = "POSIXLY_CORRECT"
 $not_comment = "# ~/.bash_logout"
 $not_clear = "/usr/bin/clear_console"
+ $not_csh = ".cshrc" fullword
 
 condition:
 filesize < 2097152 and any of ($ref*) and none of ($not*)
diff --git a/rules/persist/shell/zsh.yara b/rules/persist/shell/zsh.yara
index 1356cfcf..195e7ae5 100644
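Review bot: `$not_foo_bar = "foo.bar:"`, `$not_example_com = "example.com:"`, `$not_mygateway = "mygateway.com:"` and `$not_mymachine = "mymachine.com:"` are placeholder hostnames that routinely appear in embedded usage and help text, and `none of ($not*)` is evaluated over the whole file, so a single such placeholder exempts every other `$h*` match in the same binary. The two roughtime entries are pinned to a full `host:port`; where the false-positive source is known, pinning these four the same way, or to a longer phrase from the offending sample, keeps the exclusion from masking unrelated hits. `hardcoded_host_port_over_10k` starts outside the hunk.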
--- a/rules/persist/shell/zsh.yara
+++ b/rules/persist/shell/zsh.yara
@@ -30,21 +30,11 @@ rule zsh_logout_persist: high {
 description = "Writes to zsh configuration files to persist"
 
 strings:
- $ref = ".zlogout"
- $ref2 = "/etc/zlogout"
+ $ref = ".zlogout"
+ $ref2 = "/etc/zlogout"
+ $not_cshrc = ".cshrc"
+ $not_zsh = "ZSH_DEBUG_CMD"
 
 condition:
- filesize < 2097152 and any of ($ref*)
-}
-
-rule zsh: override {
- meta:
- description = "zsh"
- zsh_logout_persist = "medium"
-
- strings:
- $debug = "ZSH_DEBUG_CMD"
-
- condition:
- filesize > 100KB and filesize < 2MB and all of them
+ filesize < 2097152 and any of ($ref*) and none of ($not*)
 }
diff --git a/rules/sus/compiler.yara b/rules/sus/compiler.yara
index 45ba7090..3cc65968 100644
--- a/rules/sus/compiler.yara
+++ b/rules/sus/compiler.yara
@@ -32,7 +32,18 @@ private rule binary {
 filesize < 40MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
 }
 
-rule multiple_gcc: high {
+rule multiple_gcc: medium {
+ meta:
+ description = "built with multiple versions of GCC"
+
+ strings:
+ $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword
+
+ condition:
+ binary and #gcc > 1 and !gcc[1] != !gcc[2]
+}
+
+rule multiple_gcc_high: high {
 meta:
 description = "built with multiple versions of GCC"
 
@@ -40,6 +51,7 @@ rule multiple_gcc: high {
 $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword
 $not_go_testdata_ranges_elf = "/home/iant/foo4.c"
 $not_go_testdata = "dwarf/testdata"
+ $not_java = "JAVA_HOME"
 
 condition:
 binary and #gcc > 1 and !gcc[1] != !gcc[2] and none of ($not*)
diff --git a/tests/c/clean/falco/filter_compiler.ut.cpp.simple b/tests/c/clean/falco/filter_compiler.ut.cpp.simple
new file mode 100644
index 00000000..b144d941
--- /dev/null
+++ b/tests/c/clean/falco/filter_compiler.ut.cpp.simple
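Review bot: Folding the deleted `zsh: override` rule into `$not_zsh = "ZSH_DEBUG_CMD"` changes its effect: the override only lowered `zsh_logout_persist` to medium for files between 100KB and 2MB, whereas the new `none of ($not*)` clause removes the finding entirely at any size under the 2097152 bound. Separately, `$not_cshrc = ".cshrc"` lacks the `fullword` that the same exclusion gets in `bash.yara` in this patch (`$not_csh = ".cshrc" fullword`); use `$not_cshrc = ".cshrc" fullword` for consistency. If the full exemption is intended, a short comment above `$not_zsh` saying so would spare the next reader a trip through the history.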
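Review bot: `multiple_gcc` (medium) and `multiple_gcc_high` carry the identical description `"built with multiple versions of GCC"`, and the high rule's condition is the medium rule's condition plus `none of ($not*)`, so any binary that fires the high rule also fires the medium one and the report shows the same sentence at two severities. Distinguish them in the text, e.g. `description = "built with multiple versions of GCC, no known toolchain markers"` on the high rule. The second hunk's `$not_java = "JAVA_HOME"` exempts any binary carrying that variable name from the high tier, which is a broad exclusion for a multi-compiler signal; a comment naming the sample it was added for would make the scope reviewable later.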
@@ -0,0 +1,10 @@
+# c/clean/falco/filter_compiler.ut.cpp: medium
+credential/shell/bash_history: medium
+exec/plugin: low
+fs/path/etc: low
+fs/path/home: low
+fs/path/var: low
+net/url/embedded: low
+persist/shell/bash: medium
+persist/shell/init_files: low
+persist/shell/zsh: medium
diff --git a/tests/c/clean/falco/ppm_events.c.simple b/tests/c/clean/falco/ppm_events.c.simple
new file mode 100644
index 00000000..9e33fc28
--- /dev/null
+++ b/tests/c/clean/falco/ppm_events.c.simple
@@ -0,0 +1,8 @@
+# c/clean/falco/ppm_events.c: medium
+discover/multiple: medium
+impact/remote_access/backdoor: medium
+net/http/post: medium
+net/socket/connect: medium
+net/socket/send: low
+net/url/embedded: low
+persist/kernel_module/symbol_lookup: low
diff --git a/tests/c/clean/falco/string_visitor.ut.cpp.simple b/tests/c/clean/falco/string_visitor.ut.cpp.simple
new file mode 100644
index 00000000..0b125b98
--- /dev/null
+++ b/tests/c/clean/falco/string_visitor.ut.cpp.simple
@@ -0,0 +1,8 @@
+# c/clean/falco/string_visitor.ut.cpp: medium
+credential/shell/bash_history: medium
+fs/path/etc: low
+fs/path/var: low
+net/url/embedded: low
+persist/shell/bash: medium
+persist/shell/init_files: low
+persist/shell/zsh: medium
diff --git a/tests/does-nothing/does-nothing.go.simple b/tests/does-nothing/does-nothing.go.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/javascript/2024.STRRAT/f252f6e0d8f9f687751843dbc0be03d4f2ceb468e8453a4940d b/tests/javascript/2024.STRRAT/f252f6e0d8f9f687751843dbc0be03d4f2ceb468e8453a4940d
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
index 1492dfeb..1f771890 100644
--- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
+++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
@@ -7,10 +7,10 @@ | +CRITICAL | **[anti-static/obfuscation/js](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#ebe)** | highly obfuscated javascript (eBe) | [charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[eBe(-1)](https://github.com/search?q=eBe%28-1%29&type=code)
[eBe(-10)](https://github.com/search?q=eBe%28-10%29&type=code)
[eBe(-11)](https://github.com/search?q=eBe%28-11%29&type=code)
[eBe(-12)](https://github.com/search?q=eBe%28-12%29&type=code)
[eBe(-13)](https://github.com/search?q=eBe%28-13%29&type=code)
[eBe(-14)](https://github.com/search?q=eBe%28-14%29&type=code)
[eBe(-15)](https://github.com/search?q=eBe%28-15%29&type=code)
[eBe(-16)](https://github.com/search?q=eBe%28-16%29&type=code)
[eBe(-17)](https://github.com/search?q=eBe%28-17%29&type=code)
[eBe(-18)](https://github.com/search?q=eBe%28-18%29&type=code)
[eBe(-19)](https://github.com/search?q=eBe%28-19%29&type=code)
[eBe(-2)](https://github.com/search?q=eBe%28-2%29&type=code)
[eBe(-20)](https://github.com/search?q=eBe%28-20%29&type=code)
[eBe(-21)](https://github.com/search?q=eBe%28-21%29&type=code)
[eBe(-22)](https://github.com/search?q=eBe%28-22%29&type=code)
[eBe(-23)](https://github.com/search?q=eBe%28-23%29&type=code)
[eBe(-24)](https://github.com/search?q=eBe%28-24%29&type=code)
[eBe(-25)](https://github.com/search?q=eBe%28-25%29&type=code)
[eBe(-26)](https://github.com/search?q=eBe%28-26%29&type=code)
[eBe(-27)](https://github.com/search?q=eBe%28-27%29&type=code)
[eBe(-28)](https://github.com/search?q=eBe%28-28%29&type=code)
[eBe(-29)](https://github.com/search?q=eBe%28-29%29&type=code)
[eBe(-3)](https://github.com/search?q=eBe%28-3%29&type=code)
[eBe(-30)](https://github.com/search?q=eBe%28-30%29&type=code)
[eBe(-31)](https://github.com/search?q=eBe%28-31%29&type=code)
[eBe(-32)](https://github.com/search?q=eBe%28-32%29&type=code)
[eBe(-4)](https://github.com/search?q=eBe%28-4%29&type=code)
[eBe(-5)](https://github.com/search?q=eBe%28-5%29&type=code)
[eBe(-6)](https://github.com/search?q=eBe%28-6%29&type=code)
[eBe(-7)](https://github.com/search?q=eBe%28-7%29&type=code)
[eBe(-8)](https://github.com/search?q=eBe%28-8%29&type=code)
[eBe(-9)](https://github.com/search?q=eBe%28-9%29&type=code)
[function(](https://github.com/search?q=function%28&type=code) | | +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code) | -| +HIGH | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#multi_decode_3)** | multiple (3+) levels of decoding | [.decode(n);return o._baseCache.set(i,t),o}},jE=(e,t)=>{switch(e[0]){case"Q":{let r=t||N_;return[N_.prefix,r.decode(`${N_.prefix}${e}`)]}case N_.prefix:{let r=t||N_;return[N_.prefix,r.decode(e)]}case y_.prefix:{let r=t||y_;return[y_.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CjE%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28%60%24%7BN_.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+N_.prefix%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28e%29%5D%7Dcase+y_.prefix%3A%7Blet+r%3Dt%7C%7Cy_%3Breturn%5By_.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code)
[.decode(n);return o._baseCache.set(i,t),o}},vB=(e,t)=>{switch(e[0]){case"Q":{let r=t||fN;return[fN.prefix,r.decode(`${fN.prefix}${e}`)]}case fN.prefix:{let r=t||fN;return[fN.prefix,r.decode(e)]}case JO.prefix:{let r=t||JO;return[JO.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CvB%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28%60%24%7BfN.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+fN.prefix%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28e%29%5D%7Dcase+JO.prefix%3A%7Blet+r%3Dt%7C%7CJO%3Breturn%5BJO.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | | +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | converts hex data to ASCII | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | +| +MEDIUM | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#python_long_hex)** | contains a large hexadecimal string variable | [="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](https://github.com/search?q=%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e816101&type=code)
[Zc="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](https://github.com/search?q=Zc%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e8161&type=code)
[c="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](https://github.com/search?q=c%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610&type=code) | | +MEDIUM | **[c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord)** | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | +MEDIUM | **[c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID)** | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | | +MEDIUM | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref)** | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | diff --git a/tests/javascript/clean/bash.js.simple b/tests/javascript/clean/bash.js.simple index a5c42302..24bb4679 100644 --- a/tests/javascript/clean/bash.js.simple +++ b/tests/javascript/clean/bash.js.simple @@ -1,5 +1,4 @@ -# javascript/clean/bash.js: high -anti-behavior/process_check: high +# javascript/clean/bash.js: medium data/compression/bzip2: low data/compression/gzip: low discover/multiple: medium diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple index 09e9fdde..4235e5e3 100644 --- a/tests/javascript/clean/faker.js.simple +++ b/tests/javascript/clean/faker.js.simple @@ -1,7 +1,5 @@ -# javascript/clean/faker.js: high +# javascript/clean/faker.js: medium anti-behavior/blocklist/user: low -anti-static/base64/exec: high -anti-static/base64/http_agent: high anti-static/obfuscation/obfuscate: low c2/addr/ip: medium c2/tool_transfer/arch: low diff --git a/tests/javascript/clean/frequency_lists.js.simple b/tests/javascript/clean/frequency_lists.js.simple index 31198006..8f6d60c4 100644 --- a/tests/javascript/clean/frequency_lists.js.simple +++ b/tests/javascript/clean/frequency_lists.js.simple @@ -1,4 +1,5 @@ # javascript/clean/frequency_lists.js: medium +anti-static/xor/functions: medium c2/tool_transfer/dropper: medium collect/databases/mysql: medium credential/gaming/minecraft: medium diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index 6fe24e92..856a0d54 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -1,7 +1,6 @@ -# javascript/clean/mode-php.js: high +# javascript/clean/mode-php.js: medium c2/addr/ip: medium c2/client: medium -c2/tool_transfer/python: high collect/databases/mysql: medium collect/databases/sqlite: medium credential/password: low 
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 8e9ebdff..46e2f437 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -1,7 +1,6 @@ -# javascript/clean/mode-php_laravel_blade.js: high +# javascript/clean/mode-php_laravel_blade.js: medium c2/addr/ip: medium c2/client: medium -c2/tool_transfer/python: high collect/databases/mysql: medium collect/databases/sqlite: medium credential/password: low diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index 6d65f938..721ebdf9 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -1,7 +1,6 @@ -# javascript/clean/php.js: high +# javascript/clean/php.js: medium c2/addr/ip: medium c2/client: medium -c2/tool_transfer/python: high collect/databases/mysql: medium collect/databases/sqlite: medium credential/password: low diff --git a/tests/javascript/clean/prism-bash.js.simple b/tests/javascript/clean/prism-bash.js.simple index 0bc59517..1a1b9e72 100644 --- a/tests/javascript/clean/prism-bash.js.simple +++ b/tests/javascript/clean/prism-bash.js.simple @@ -1,5 +1,4 @@ -# javascript/clean/prism-bash.js: high -anti-behavior/process_check: high +# javascript/clean/prism-bash.js: medium data/compression/bzip2: low data/compression/gzip: low discover/multiple: medium diff --git a/tests/javascript/clean/prism-bash.min.js.simple b/tests/javascript/clean/prism-bash.min.js.simple index 34e42e07..5c39c289 100644 --- a/tests/javascript/clean/prism-bash.min.js.simple +++ b/tests/javascript/clean/prism-bash.min.js.simple @@ -1,5 +1,4 @@ -# javascript/clean/prism-bash.min.js: high -anti-behavior/process_check: high +# javascript/clean/prism-bash.min.js: medium data/compression/bzip2: low data/compression/gzip: low discover/multiple: medium 
diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple index d27de09e..23ab066b 100644 --- a/tests/javascript/clean/securityDashboards.plugin.js.simple +++ b/tests/javascript/clean/securityDashboards.plugin.js.simple @@ -2,6 +2,7 @@ anti-static/obfuscation/bitwise: medium anti-static/obfuscation/js: medium anti-static/obfuscation/reverse: medium +anti-static/xor/functions: medium c2/tool_transfer/dropper: medium c2/tool_transfer/os: low collect/databases/mysql: medium diff --git a/tests/javascript/clean/zxcvbn.js.simple b/tests/javascript/clean/zxcvbn.js.simple index befaaecb..9f9bbf4c 100644 --- a/tests/javascript/clean/zxcvbn.js.simple +++ b/tests/javascript/clean/zxcvbn.js.simple @@ -1,5 +1,6 @@ # javascript/clean/zxcvbn.js: medium anti-static/obfuscation/reverse: medium +anti-static/xor/functions: medium c2/tool_transfer/dropper: medium collect/databases/mysql: medium credential/gaming/minecraft: medium diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple index 6cf7cf53..13fb94ef 100644 --- a/tests/linux/2021.FontOnLake/45E9.elf.simple +++ b/tests/linux/2021.FontOnLake/45E9.elf.simple @@ -25,7 +25,7 @@ discover/system/dmesg: low discover/system/hostname: low discover/user/HOME: low discover/user/USER: low -evasion/file/location/x11_unix: low +evasion/file/location/x11_unix: medium evasion/file/prefix: medium evasion/file/prefix/proc: high evasion/logging/acct: low diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple index 2cbf045b..f451d15d 100644 --- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple +++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple @@ -78,7 +78,7 @@ net/http/cookies: medium net/http/form_upload: medium net/http/post: medium net/http/request: low -net/ip/host_port: high +net/ip/host_port: medium net/ip/icmp: medium net/ip/parse: medium net/ip/string: medium 
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json index 54d87c62..f09a0cc1 100644 --- a/tests/linux/2024.kubo_injector/injector.json +++ b/tests/linux/2024.kubo_injector/injector.json @@ -70,9 +70,9 @@ ], "RiskScore": 3, "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace_injector", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace_injector_unknown", "ID": "evasion/process_injection/ptrace", - "RuleName": "ptrace_injector" + "RuleName": "ptrace_injector_unknown" }, { "Description": "get the address of a symbol", diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index 00225be2..e2f9da11 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple @@ -108,7 +108,6 @@ fs/tempfile: low hw/cpu: medium impact/exploit: high impact/exploit/GCONV_PATH: high -impact/exploit/overflow_shellcode: high impact/exploit/pwnkit: critical impact/remote_access/heartbeat: medium impact/remote_access/kill_rm: medium diff --git a/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple b/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple index 03ec8de4..dd7d6e7e 100644 --- a/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple +++ b/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple 
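Review bot: The emp3r0r.agent.simple hunk drops `impact/exploit/overflow_shellcode: high` from the expectations of a known-malicious sample, so whatever rule change produced the clean-sample fixes elsewhere in this diff (pandoc.md and securitySolution.chunk.9.js lose the same finding) also costs a high-severity hit on real malware. That is a defensible trade if the rule was matching only generic tokens such as `address`/`offset`/`padding`/`shellcode`, as the removed pandoc evidence column suggests, but the sample's overall risk line (line 1 of the fixture, outside this hunk) should be checked to confirm it did not fall below what the remaining critical/high findings justify. A sentence in the commit description naming the replaced rule would make this regression on a malicious sample deliberate rather than incidental.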
@@ -23,7 +23,6 @@ discover/user/HOME: low evasion/file/location/system_directory: medium evasion/file/location/var: high evasion/file/location/var_tmp: high -evasion/file/location/x11_unix: low evasion/file/prefix: medium evasion/logging/failed_logins: medium evasion/logging/historical_logins: medium diff --git a/tests/linux/clean/acme.sh.simple b/tests/linux/clean/acme.sh.simple new file mode 100644 index 00000000..30263974 --- /dev/null +++ b/tests/linux/clean/acme.sh.simple @@ -0,0 +1,51 @@ +# linux/clean/acme.sh: medium +c2/tool_transfer/os: medium +collect/code/github_api: low +credential/password: low +crypto/encrypt: medium +crypto/openssl: medium +crypto/public_key: low +data/base64/encode: medium +data/base64/external: medium +data/embedded/pem_certificate: low +data/encoding/base64: low +discover/multiple: medium +discover/network/netstat: medium +discover/system/platform: medium +discover/user/name_get: medium +evasion/file/prefix: medium +exec/remote_commands/code_eval: medium +exec/shell/SHELL: low +exec/shell/arbitrary_command_dev_null: medium +exec/shell/ignore_output: medium +fs/directory/create: low +fs/file/copy: medium +fs/file/delete_forcibly: medium +fs/file/make_executable: medium +fs/file/times_set: medium +fs/link_create: low +fs/link_read: low +fs/path/bin_su: low +fs/path/etc: low +fs/path/home: low +fs/path/tmp: medium +fs/path/usr_bin: low +fs/permission/modify: medium +fs/tempfile: low +net/dns/over_https: medium +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/form_upload: medium +net/http/post: medium +net/http/request: low +net/ip/host_port: medium +net/socket/listen: medium +net/socket/send: low +net/url/embedded: low +os/time/tzinfo: low +persist/cron/tab: medium +persist/shell/bash: medium +persist/shell/zsh: medium +privesc/sudo: medium +process/chdir: low 
diff --git a/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple b/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple new file mode 100644 index 00000000..e69de29b diff --git a/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple b/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple new file mode 100644 index 00000000..e69de29b diff --git a/tests/linux/clean/bat.simple b/tests/linux/clean/bat.simple new file mode 100644 index 00000000..87258ee8 --- /dev/null +++ b/tests/linux/clean/bat.simple 
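Review bot: The two new aws-c-io `.spdx.json.simple` fixtures are empty blobs (`index 00000000..e69de29b`, no hunk body), whereas every other `.simple` file in this diff begins with a `# <path>: <level>` header line. If the harness compares scanner output against the fixture verbatim, an empty file encodes "no output at all", which may not be the same thing as a header-only fixture for a sample with no findings; confirm that an empty expectation file is accepted by the comparison rather than passing vacuously or failing on a format mismatch. If the intent is that SPDX SBOM inputs produce no findings, a header-only fixture carrying the same `# path: level` line the other fixtures use, with whatever level the tool actually prints for a clean result, would state that intent explicitly.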
@@ -0,0 +1,73 @@ +# linux/clean/bat: medium +anti-static/elf/multiple: medium +c2/addr/ip: medium +c2/addr/url: low +c2/tool_transfer/arch: low +credential/password: low +credential/server/htpasswd: medium +credential/ssh: medium +credential/ssh/authorized_hosts: medium +credential/ssh/d: medium +crypto/public_key: low +crypto/rc4: low +data/compression/zlib: low +data/embedded/pem_private_key: medium +data/encoding/base64: low +data/random/insecure: low +discover/group/lookup: medium +discover/process/parent: low +discover/system/hostname: low +discover/user/APPDATA: low +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: low +evasion/file/prefix: medium +exec/dylib/iterate: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/power: medium +exec/system_controls/systemd: low +exfil/stealer/ssh: medium +fs/directory/create: low +fs/directory/remove: low +fs/file/delete: low +fs/file/times_set: medium +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/home_config: low +fs/path/var: low +fs/permission/modify: medium +fs/proc/self_exe: medium +fs/symlink_resolve: low +fs/tempdir/TEMP: low +fs/tempfile: low +lateral/scan/tool: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/post: medium +net/ip/resolve: low +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/ssh: medium +net/url/embedded: low +net/url/encode: medium +persist/cron/tab: medium +persist/kernel_module/unload: medium +persist/pid_file: medium +persist/shell/init_files: low +persist/ssh_authorized_keys: medium +privesc/setuid: low +process/chroot: low +process/groupid_set: low +process/groups_set: low +sus/leetspeak: medium 
diff --git a/tests/linux/clean/bazel.simple b/tests/linux/clean/bazel.simple new file mode 100644 index 00000000..9c0664b8 --- /dev/null +++ b/tests/linux/clean/bazel.simple 
@@ -0,0 +1,89 @@ +# linux/clean/bazel: medium +anti-static/elf/entropy: medium +anti-static/obfuscation/obfuscate: low +anti-static/xor/functions: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: low +crypto/aes: low +data/base64/decode: medium +data/base64/encode: medium +data/compression/gzip: low +data/compression/zlib: low +data/encoding/base64: low +data/hash/md5: low +discover/network/interface: low +discover/network/interface_list: medium +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/bypass_security/linux/ufw: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/command: medium +exec/shell/exec: medium +exec/tty/pathname: medium +exfil/collection: medium +fs/directory/create: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: low +fs/file/read: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/permission/modify: medium +fs/proc/self_exe: medium +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +hw/cpu: medium +lateral/scan/tool: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/auth: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/parse: medium +net/ip/resolve: low +net/ip/string: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low 
+net/socket/reuseport: medium +net/socket/send: low +net/tcp/grpc: low +net/url/embedded: low +os/fd/epoll: low +os/fd/print: low +persist/pid_file: medium +process/chdir: low +process/multithreaded: low +sus/compiler: medium +sus/intercept: medium diff --git a/tests/linux/clean/botan.simple b/tests/linux/clean/botan.simple new file mode 100644 index 00000000..8938ad92 --- /dev/null +++ b/tests/linux/clean/botan.simple @@ -0,0 +1,35 @@ +# linux/clean/botan: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ed25519: low +crypto/public_key: low +crypto/rc4: low +crypto/tls: low +data/base64/decode: medium +data/base64/encode: medium +data/compression/gzip: low +data/compression/zlib: low +data/encoding/base64: low +discover/network/interface: low +exec/shell/echo: medium +exfil/stealer/credit_card: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/cookies: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip/host_port: medium +net/ip/parse: medium +net/ip/string: medium +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +os/fd/epoll: low +process/multithreaded: low diff --git a/tests/linux/clean/bpftool.simple b/tests/linux/clean/bpftool.simple new file mode 100644 index 00000000..5b0b10d1 --- /dev/null +++ b/tests/linux/clean/bpftool.simple 
@@ -0,0 +1,40 @@ +# linux/clean/bpftool: medium +anti-static/elf/multiple: medium +anti-static/obfuscation/js: medium +credential/sniffer/bpf: medium +crypto/rc4: low +discover/network/interface: low +discover/system/platform: low +discover/user/USER: low +evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/logging/acct: low +evasion/process_injection/ptrace: medium +exec/program: medium +fs/directory/create: low +fs/directory/remove: low +fs/file/delete: low +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/times_set: medium +fs/link_read: low +fs/mount: low +fs/mounts_read: medium +fs/path/boot: medium +fs/proc/arbitrary_pid: medium +fs/proc/mounts: medium +fs/proc/pid_fd: medium +fs/proc/pid_maps: medium +fs/symlink_resolve: low +hw/cpu: medium +net/ip/syncookie: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +os/fd/epoll: low +os/kernel/netlink: low +os/kernel/perfmon: low +os/kernel/seccomp: low +persist/kernel_module/symbol_lookup: medium +process/create: low +process/executable_path: low diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple new file mode 100644 index 00000000..b0efb5b9 --- /dev/null +++ b/tests/linux/clean/buildkitd.simple 
@@ -0,0 +1,132 @@ +# linux/clean/buildkitd: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/code/github_api: low +credential/password: low +credential/sniffer/pcap: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/md5: low +discover/network/mac_address: medium +discover/network/netstat: medium +discover/process/name: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/file/location/dev_mqueue: medium +evasion/file/prefix: medium +evasion/process_injection/ptrace: medium +exec/cmd: medium +exec/plugin: low +exec/program: medium +exec/reconfigure/hostname_set: low +exec/shell/SHELL: low +exec/shell/exec: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +fs/attributes/set: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/event_monitoring: low +fs/file/copy: medium +fs/file/delete: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/usr_local: medium +fs/path/var: low +fs/path/windows_root: low +fs/permission/chown: medium +fs/permission/modify: medium 
+fs/proc/arbitrary_pid: medium +fs/proc/self_mountinfo: medium +fs/tempdir/TEMP: low +fs/tempdir/create: low +fs/tempfile: low +fs/watch: low +impact/remote_access/heartbeat: medium +impact/remote_access/iptables: medium +impact/remote_access/pseudo_terminal: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/kcore: low +os/kernel/netlink: low +os/kernel/seccomp: low +persist/pid_file: medium +persist/service/start: low +process/chroot: low +process/unshare: low +sus/intercept: medium +sus/leetspeak: medium diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple index 36ad08b1..24f80b46 100644 --- a/tests/linux/clean/busybox.simple +++ b/tests/linux/clean/busybox.simple @@ -1,4 +1,4 @@ -# linux/clean/busybox: high +# linux/clean/busybox: medium c2/addr/ip: medium c2/addr/url: low c2/tool_transfer/os: low @@ -60,7 +60,6 @@ fs/permission/modify: medium fs/proc/arbitrary_pid: medium fs/proc/meminfo: medium fs/proc/mounts: medium -fs/proc/pid_fd: high fs/proc/stat: medium fs/symlink_resolve: low fs/tempdir: low 
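Review bot: busybox.simple loses `fs/proc/pid_fd: high` outright rather than downgrading it, yet the new bpftool.simple fixture in this same diff still expects `fs/proc/pid_fd: medium`, so the rule evidently still fires at medium elsewhere. If the change was a severity reduction the expected line would be `fs/proc/pid_fd: medium`; if the rule was narrowed so that busybox no longer matches, the removal is correct but differs from how the other clean-sample changes here (clickhouse, the kibana chunks) were handled, which downgrade rather than drop. A one-line mention in the commit description of which it is would help, since this removal is presumably what lets the busybox header in the first hunk move from high to medium.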
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple index 22b81a60..3340aff7 100644 --- a/tests/linux/clean/chezmoi.simple +++ b/tests/linux/clean/chezmoi.simple @@ -1,4 +1,5 @@ # linux/clean/chezmoi: medium +anti-static/xor/functions: medium c2/addr/discord: medium c2/addr/http_dynamic: medium c2/addr/ip: medium diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index 75be78df..1d49e3f5 100644 --- a/tests/linux/clean/clickhouse.simple +++ b/tests/linux/clean/clickhouse.simple @@ -1,4 +1,4 @@ -# linux/clean/clickhouse: high +# linux/clean/clickhouse: medium anti-static/elf/multiple: medium anti-static/obfuscation/obfuscate: low c2/addr/http_dynamic: medium @@ -9,7 +9,7 @@ c2/discovery/dyndns: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/dropper: medium -c2/tool_transfer/grayware: high +c2/tool_transfer/grayware: medium c2/tool_transfer/os: medium collect/databases/leveldb: medium collect/databases/mysql: medium diff --git a/tests/linux/clean/http-fingerprints.lua.simple b/tests/linux/clean/http-fingerprints.lua.simple index 63fe30f1..3f5253e9 100644 --- a/tests/linux/clean/http-fingerprints.lua.simple +++ b/tests/linux/clean/http-fingerprints.lua.simple @@ -1,6 +1,6 @@ -# linux/clean/http-fingerprints.lua: high +# linux/clean/http-fingerprints.lua: medium 3P/sig_base/hacktool_strings_p0wnedshell: medium -c2/tool_transfer/grayware: high +c2/tool_transfer/grayware: medium c2/tool_transfer/os: medium collect/archives/zip: medium collect/databases/mysql: medium @@ -21,4 +21,4 @@ net/http/request: low net/tcp/ssh: medium net/url/embedded: medium sec-tool/net/nmap: medium -sec-tool/vulncheck/metasploit: high +sec-tool/vulncheck/metasploit: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple index 1519652c..a78a1d8a 100644 
--- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple @@ -1,11 +1,11 @@ -# linux/clean/kibana/securitySolution.chunk.22.js: critical -c2/addr/url: high +# linux/clean/kibana/securitySolution.chunk.22.js: medium +c2/addr/url: low c2/discovery/dyndns: medium c2/tool_transfer/arch: low -c2/tool_transfer/download: high +c2/tool_transfer/download: low c2/tool_transfer/dropper: medium -c2/tool_transfer/exe_url: high -c2/tool_transfer/grayware: high +c2/tool_transfer/exe_url: low +c2/tool_transfer/grayware: low c2/tool_transfer/os: medium collect/databases/mysql: medium credential/keylogger: medium @@ -30,7 +30,7 @@ impact/infection/infected: medium impact/infection/worm: medium impact/remote_access/backdoor: medium impact/remote_access/iptables: medium -impact/remote_access/reverse_shell: high +impact/remote_access/reverse_shell: low impact/remote_access/trojan: medium lateral/scan/brute_force: low malware/ref: medium @@ -41,7 +41,7 @@ net/url/embedded: medium net/url/parse: low persist/daemon: medium process/chroot: low -sec-tool/net/masscan: high +sec-tool/net/masscan: low sec-tool/net/nmap: medium sec-tool/pentest/metasploit_ref: medium sus/leetspeak: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index 9a1d7634..3478ac9b 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple 
@@ -1,14 +1,14 @@ -# linux/clean/kibana/securitySolution.chunk.9.js: critical +# linux/clean/kibana/securitySolution.chunk.9.js: medium anti-static/obfuscation/js: medium anti-static/obfuscation/reverse: medium c2/addr/ip: medium -c2/addr/url: high +c2/addr/url: low c2/discovery/dyndns: medium c2/tool_transfer/arch: low -c2/tool_transfer/download: high +c2/tool_transfer/download: low c2/tool_transfer/dropper: medium -c2/tool_transfer/exe_url: high -c2/tool_transfer/grayware: high +c2/tool_transfer/exe_url: low +c2/tool_transfer/grayware: low c2/tool_transfer/os: medium collect/databases/mysql: medium credential/keylogger: medium @@ -40,12 +40,11 @@ impact/ddos: medium impact/exploit: medium impact/exploit/cve: medium impact/exploit/known_s: medium -impact/exploit/overflow_shellcode: high impact/infection/infected: medium impact/infection/worm: medium impact/remote_access/backdoor: medium impact/remote_access/iptables: medium -impact/remote_access/reverse_shell: high +impact/remote_access/reverse_shell: low impact/remote_access/trojan: medium lateral/scan/brute_force: low malware/ref: medium @@ -64,7 +63,7 @@ net/url/request: medium os/kernel/seccomp: low persist/daemon: medium process/chroot: low -sec-tool/net/masscan: high +sec-tool/net/masscan: low sec-tool/net/nmap: medium sec-tool/pentest/metasploit_ref: medium sus/leetspeak: medium diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple index e5f53b52..04a232ae 100644 --- a/tests/linux/clean/nvim.simple +++ b/tests/linux/clean/nvim.simple @@ -21,7 +21,6 @@ discover/processes/pgrep: medium discover/system/platform: low discover/user/HOME: low discover/user/USER: low -evasion/file/location/x11_unix: low evasion/file/prefix: medium exec/conditional/LANG: low exec/dylib/symbol_address: medium diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index e4f1cb3c..064d08ab 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md 
@@ -1,9 +1,7 @@ -## linux/clean/pandoc [🛑 HIGH] +## linux/clean/pandoc [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| HIGH | [impact/exploit/overflow_shellcode](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/overflow-shellcode.yara#exploit) | Buffer overflow exploit | [address](https://github.com/search?q=address&type=code)
[offset](https://github.com/search?q=offset&type=code)
[padding](https://github.com/search?q=padding&type=code)
[shellcode](https://github.com/search?q=shellcode&type=code) | -| HIGH | [persist/shell/bash](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist_persistent) | acccesses multiple bash startup files | [.bash_login](https://github.com/search?q=.bash_login&type=code)
[.bash_profile](https://github.com/search?q=.bash_profile&type=code)
[.bashrc](https://github.com/search?q=.bashrc&type=code)
[.profile](https://github.com/search?q=.profile&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index f24a1df5..c5d2a7b1 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -1,9 +1,7 @@ -## linux/clean/qemu-system-xtensa [🛑 HIGH] +## linux/clean/qemu-system-xtensa [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | -| HIGH | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | @@ -29,6 +27,7 @@ | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | | MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | diff --git a/tests/linux/clean/sshd.simple b/tests/linux/clean/sshd.simple index 0f440871..685efa64 100644 --- a/tests/linux/clean/sshd.simple +++ b/tests/linux/clean/sshd.simple @@ -17,7 +17,6 @@ discover/process/parent: low discover/system/hostname: low discover/user/HOME: low discover/user/USER: low -evasion/file/location/x11_unix: low evasion/file/prefix: medium evasion/logging/acct: low evasion/logging/failed_logins: medium diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index 9daab615..d49287bc 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md 
@@ -1,8 +1,7 @@ -## linux/clean/tree-sitter [🛑 HIGH] +## linux/clean/tree-sitter [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index ad6c6c17..547b6155 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -1,14 +1,7 @@ -## linux/clean/trufflehog [😈 CRITICAL] +## linux/clean/trufflehog [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) | -| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | -| HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) | -| HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) | -| HIGH | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | -| HIGH | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | -| HIGH | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | @@ -19,6 +12,8 @@ | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) | +| MEDIUM | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | +| MEDIUM | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#shodan_io) | References shodan.io | [shodan.io](https://github.com/search?q=shodan.io&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | @@ -38,6 +33,7 @@ | MEDIUM | [data/embedded/pem_private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-private_key.yara#begin_private_key) | Contains RSA PRIVATE KEY directive | [PRIVATE KEY--](https://github.com/search?q=PRIVATE+KEY--&type=code) | | MEDIUM | [data/embedded/ssh_signature](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature) | Contains embedded SSH signature | [--BEGIN SSH SIGNATURE--](https://github.com/search?q=--BEGIN+SSH+SIGNATURE--&type=code) | | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | +| MEDIUM | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.org](https://github.com/search?q=ipify.org&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code)
[systeminfo](https://github.com/search?q=systeminfo&type=code) | @@ -48,7 +44,10 @@ | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | +| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | | MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy_cp) | copy files using cp | [cp](https://github.com/search?q=cp&type=code) | | MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileProperty](https://github.com/search?q=CreateFileProperty&type=code) | | MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | @@ -92,6 +91,7 @@ | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) | | MEDIUM | [sus/malicious](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/malicious.yara#malicious) | References 'malicious' | [other kinds of malicious content](https://github.com/search?q=other+kinds+of+malicious+content&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://169.254.169.254/latest/api/tokennonce](http://169.254.169.254/latest/api/tokennonce)
[http://169.254.169.254/latest/meta](http://169.254.169.254/latest/meta)
[http://169.254.169.254/latestProcessProviderExecutionErrorfailed](http://169.254.169.254/latestProcessProviderExecutionErrorfailed)
[http://169.254.169.254/metadata/identity/oauth2/token](http://169.254.169.254/metadata/identity/oauth2/token)
[http://169.254.169.254BalancerAttributes](http://169.254.169.254BalancerAttributes)
[http://169.254.170.2/redis](http://169.254.170.2/redis)
[http://169.254.170.2RequestLimitExceededinvalid](http://169.254.170.2RequestLimitExceededinvalid)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://applicationslink](http://applicationslink)
[http://chunkednosniffCreatedIM](http://chunkednosniffCreatedIM)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://earth.google.com/kml/2.0](http://earth.google.com/kml/2.0)
[http://earth.google.com/kml/2.1](http://earth.google.com/kml/2.1)
[http://earth.google.com/kml/2.2](http://earth.google.com/kml/2.2)
[http://encoding=](http://encoding=)
[http://familiar](http://familiar)
[http://google.com](http://google.com)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://imEnglish](http://imEnglish)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://localhost/truncate](http://localhost/truncate)
[http://mathematicsmargin](http://mathematicsmargin)
[http://metadata/computeMetadata/v1/instance/service](http://metadata/computeMetadata/v1/instance/service)
[http://navigation](http://navigation)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ocsp.snowflakecomputing.comFailed](http://ocsp.snowflakecomputing.comFailed)
[http://portal.microsoftazure.de/https](http://portal.microsoftazure.de/https)
[http://s3.amazonaws.com/doc/2006](http://s3.amazonaws.com/doc/2006)
[http://schemas.microsoft.com/3dmanufacturing/core/2015/02](http://schemas.microsoft.com/3dmanufacturing/core/2015/02)
[http://site_name](http://site_name)
[http://staticsuggested](http://staticsuggested)
[http://www./div](http://www./div)
[http://www.C//DTD](http://www.C//DTD)
[http://www.collada.org/2005/11/COLLADASchema](http://www.collada.org/2005/11/COLLADASchema)
[http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2](http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2)
[http://www.hortcut](http://www.hortcut)
[http://www.icon](http://www.icon)
[http://www.interpretation](http://www.interpretation)
[http://www.language=](http://www.language=)
[http://www.opengis.net/gml/3.2](http://www.opengis.net/gml/3.2)
[http://www.opengis.net/gml/3.3/exr](http://www.opengis.net/gml/3.3/exr)
[http://www.opengis.net/kml/2.2](http://www.opengis.net/kml/2.2)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.topografix.com/GPX/1/1](http://www.topografix.com/GPX/1/1)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/07/owl](http://www.w3.org/2002/07/owl)
[http://www.w3.org/2005/Atom](http://www.w3.org/2005/Atom)
[http://www.w3.org/TR/2001/REC](http://www.w3.org/TR/2001/REC)
[http://www.w3.org/XML/1998/namespacexml](http://www.w3.org/XML/1998/namespacexml)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.years](http://www.years)
[https://a.klaviyo.com/api/profileshttps](https://a.klaviyo.com/api/profileshttps)
[https://accounts.google.com/o/oauth2/authhttps](https://accounts.google.com/o/oauth2/authhttps)
[https://amplitude.com/api/2/taxonomy/categoryhttps](https://amplitude.com/api/2/taxonomy/categoryhttps)
[https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/](https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/)
[https://anypointapi2cartapiflashBasic](https://anypointapi2cartapiflashBasic)
[https://api.abuseipdb.com/api/v2/check](https://api.abuseipdb.com/api/v2/check)
[https://api.abyssale.com/ready](https://api.abyssale.com/ready)
[https://api.adzuna.com](https://api.adzuna.com)
[https://api.aeroworkflow.com/api/unexpected](https://api.aeroworkflow.com/api/unexpected)
[https://api.agora.io/dev/v1/projectshttps](https://api.agora.io/dev/v1/projectshttps)
[https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht](https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht)
[https://api.airtable.com/v0/AWS](https://api.airtable.com/v0/AWS)
[https://api.airvisual.com/v2/countries](https://api.airvisual.com/v2/countries)
[https://api.aiven.io/v1/project](https://api.aiven.io/v1/project)
[https://api.alegra.com/api/v1/users](https://api.alegra.com/api/v1/users)
[https://api.aletheiaapi.com/StockData](https://api.aletheiaapi.com/StockData)
[https://api.ambeedata.com/latest/by](https://api.ambeedata.com/latest/by)
[https://api.anthropic.com/v1/messageshttps](https://api.anthropic.com/v1/messageshttps)
[https://api.api2cart.com/v1.1/account.cart.list.json](https://api.api2cart.com/v1.1/account.cart.list.json)
[https://api.apiflash.com/v1/urltoimage](https://api.apiflash.com/v1/urltoimage)
[https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc](https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc)
[https://api.apify.com/v2/acts](https://api.apify.com/v2/acts)
[https://api.apilayer.com/number_verification/countrieshttps](https://api.apilayer.com/number_verification/countrieshttps)
[https://api.apiscience.com/v1/monitorshttps](https://api.apiscience.com/v1/monitorshttps)
[https://api.apitemplate.io/v1/list](https://api.apitemplate.io/v1/list)
[https://api.app.shortcut.com/api/v3/member](https://api.app.shortcut.com/api/v3/member)
[https://api.appcues.com/v2/accounts/](https://api.appcues.com/v2/accounts/)
[https://api.appfollow.io/api/v2/account/usershttps](https://api.appfollow.io/api/v2/account/usershttps)
[https://api.appointedd.com/v1/availability/slots](https://api.appointedd.com/v1/availability/slots)
[https://api.appoptics.com/v1/metricshost](https://api.appoptics.com/v1/metricshost)
[https://api.apptivo.com/app/dao/v6/leads](https://api.apptivo.com/app/dao/v6/leads)
[https://api.artsy.net/api/tokens/xapp_token](https://api.artsy.net/api/tokens/xapp_token)
[https://api.assemblyai.com/v2/transcripthttps](https://api.assemblyai.com/v2/transcripthttps)
[https://api.atlassian.com/admin/v1/orgshttps](https://api.atlassian.com/admin/v1/orgshttps)
[https://api.audd.io/setCallbackUrl/](https://api.audd.io/setCallbackUrl/)
[https://api.autoklose.com/api/campaigns/](https://api.autoklose.com/api/campaigns/)
[https://api.avaza.com/api/Account.blob.core.windows.net/](https://api.avaza.com/api/Account.blob.core.windows.net/)
[https://api.aviationstack.com/v1/flights](https://api.aviationstack.com/v1/flights)
[https://api.aylien.com/news/stories](https://api.aylien.com/news/stories)
[https://api.bannerbear.com/v2/authhttps](https://api.bannerbear.com/v2/authhttps)
[https://api.baremetrics.com/v1/accounthttps](https://api.baremetrics.com/v1/accounthttps)
[https://api.bitbucket.org/2.0/repositoriesMake](https://api.bitbucket.org/2.0/repositoriesMake)
[https://api.blocknative.com/gasprices/blockpriceshttps](https://api.blocknative.com/gasprices/blockpriceshttps)
[https://api.bombbomb.com/v2/lists/https](https://api.bombbomb.com/v2/lists/https)
[https://api.borgbase.com/graphqlhttps](https://api.borgbase.com/graphqlhttps)
[https://api.brandfetch.io/v1/color](https://api.brandfetch.io/v1/color)
[https://api.browshot.com/api/v1/instance/list](https://api.browshot.com/api/v1/instance/list)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.bugsnag.com/user/organizations](https://api.bugsnag.com/user/organizations)
[https://api.buildkite.com/v2/access](https://api.buildkite.com/v2/access)
[https://api.bulksms.com/v1/messageshttps](https://api.bulksms.com/v1/messageshttps)
[https://api.buttercms.com/v2/posts/](https://api.buttercms.com/v2/posts/)
[https://api.calendly.com/users/mehttps](https://api.calendly.com/users/mehttps)
[https://api.calorieninjas.com/v1/nutrition](https://api.calorieninjas.com/v1/nutrition)
[https://api.capsulecrm.com/api/v2/usershttps](https://api.capsulecrm.com/api/v2/usershttps)
[https://api.captaindata.co/v2/https](https://api.captaindata.co/v2/https)
[https://api.cashboardapp.com/account.xmlhttps](https://api.cashboardapp.com/account.xmlhttps)
[https://api.centralstationcrm.net/api/users.jsonhttps](https://api.centralstationcrm.net/api/users.jsonhttps)
[https://api.chartmogul.com/v1/pinghttps](https://api.chartmogul.com/v1/pinghttps)
[https://api.chatbot.com/storieshttps](https://api.chatbot.com/storieshttps)
[https://api.chec.io/v1/categorieshttps](https://api.chec.io/v1/categorieshttps)
[https://api.chec.io/v1/products](https://api.chec.io/v1/products)
[https://api.checklyhq.com/v1/checks](https://api.checklyhq.com/v1/checks)
[https://api.clarifai.com/v2/inputshttps](https://api.clarifai.com/v2/inputshttps)
[https://api.clarifai.com/v2/users/mehttps](https://api.clarifai.com/v2/users/mehttps)
[https://api.clickup.com/api/v2/userhttps](https://api.clickup.com/api/v2/userhttps)
[https://api.cliengo.com/1.0/account](https://api.cliengo.com/1.0/account)
[https://api.clockify.me/api/v1/userhttps](https://api.clockify.me/api/v1/userhttps)
[https://api.close.com/api/v1/me/https](https://api.close.com/api/v1/me/https)
[https://api.cloudconvert.com/v2/users/mehttps](https://api.cloudconvert.com/v2/users/mehttps)
[https://api.cloudflare.com/client/v4/certificates](https://api.cloudflare.com/client/v4/certificates)
[https://api.cloudflare.com/client/v4/user/tokens/verify](https://api.cloudflare.com/client/v4/user/tokens/verify)
[https://api.cloudflare.com/client/v4/userhttps](https://api.cloudflare.com/client/v4/userhttps)
[https://api.cloudimage.com/invalidatehttps](https://api.cloudimage.com/invalidatehttps)
[https://api.cloudmersive.com/validate/address/parsehttps](https://api.cloudmersive.com/validate/address/parsehttps)
[https://api.cloudplan.biz/api/user/me](https://api.cloudplan.biz/api/user/me)
[https://api.cloudsmith.io/v1/user/self/https](https://api.cloudsmith.io/v1/user/self/https)
[https://api.cloverly.com/2019](https://api.cloverly.com/2019)
[https://api.cloze.com/v1/profile](https://api.cloze.com/v1/profile)
[https://api.codeclimate.com/v1/userhttps](https://api.codeclimate.com/v1/userhttps)
[https://api.codemagic.io/appsunexpected](https://api.codemagic.io/appsunexpected)
[https://api.coinbase.com/v2/userhttps](https://api.coinbase.com/v2/userhttps)
[https://api.coinlayer.com/api/livelive](https://api.coinlayer.com/api/livelive)
[https://api.column.com/entities](https://api.column.com/entities)
[https://api.companyhub.com/v1/me](https://api.companyhub.com/v1/me)
[https://api.confluent.cloud/iam/v2/api](https://api.confluent.cloud/iam/v2/api)
[https://api.contentful.com/organizationshttps](https://api.contentful.com/organizationshttps)
[https://api.conversiontools.io/v1/taskshttps](https://api.conversiontools.io/v1/taskshttps)
[https://api.convertkit.com/v3/forms](https://api.convertkit.com/v3/forms)
[https://api.copper.com/developer_api/v1/tasks/searchhttps](https://api.copper.com/developer_api/v1/tasks/searchhttps)
[https://api.countrylayer.com/v2/all](https://api.countrylayer.com/v2/all)
[https://api.courier.com/preferences](https://api.courier.com/preferences)
[https://api.craftmypdf.com/v1/get](https://api.craftmypdf.com/v1/get)
[https://api.crowdin.com/api/v2/storageshttps](https://api.crowdin.com/api/v2/storageshttps)
[https://api.currencyfreaks.com/latest](https://api.currencyfreaks.com/latest)
[https://api.currencylayer.com/live](https://api.currencylayer.com/live)
[https://api.currencyscoop.com/v1/latest](https://api.currencyscoop.com/v1/latest)
[https://api.currentsapi.services/v1/latest](https://api.currentsapi.services/v1/latest)
[https://api.dandelion.eu/datatxt/li/v1/](https://api.dandelion.eu/datatxt/li/v1/)
[https://api.dareboost.com/0.8/confighttps](https://api.dareboost.com/0.8/confighttps)
[https://api.datadoghq.comhttps](https://api.datadoghq.comhttps)
[https://api.deepai.org/api/text](https://api.deepai.org/api/text)
[https://api.deepgram.com/v1/projects](https://api.deepgram.com/v1/projects)
[https://api.delighted.com/v1/people.jsonapplication/vnd.docusign](https://api.delighted.com/v1/people.jsonapplication/vnd.docusign)
[https://api.deno.com/user](https://api.deno.com/user)
[https://api.detectify.com/rest/v2/assets/https](https://api.detectify.com/rest/v2/assets/https)
[https://api.developer.coinbase.com/waas/pools/protoc](https://api.developer.coinbase.com/waas/pools/protoc)
[https://api.developer.coinbase.com/waas/poolsquery](https://api.developer.coinbase.com/waas/poolsquery)
[https://api.diffbot.com/v4/account](https://api.diffbot.com/v4/account)
[https://api.digitalocean.com/v2/accounthttps](https://api.digitalocean.com/v2/accounthttps)
[https://api.dittowords.com/variantshttps](https://api.dittowords.com/variantshttps)
[https://api.docparser.com/v1/parsers](https://api.docparser.com/v1/parsers)
[https://api.documo.com/v1/me](https://api.documo.com/v1/me)
[https://api.doppler.com/v3/mehttps](https://api.doppler.com/v3/mehttps)
[https://api.dovico.com/Employees/](https://api.dovico.com/Employees/)
[https://api.dropboxapi.com/2/users/get_current_account](https://api.dropboxapi.com/2/users/get_current_account)
[https://api.dyspatch.io/templateshttps](https://api.dyspatch.io/templateshttps)
[https://api.ecostruxureit.com/rest/v1/organizationshttps](https://api.ecostruxureit.com/rest/v1/organizationshttps)
[https://api.edamam.com/auto](https://api.edamam.com/auto)
[https://api.edenai.run/v1/automl/text/projecthttps](https://api.edenai.run/v1/automl/text/projecthttps)
[https://api.elasticemail.com/v2/account/profileoverview](https://api.elasticemail.com/v2/account/profileoverview)
[https://api.elevenlabs.io/v1/user](https://api.elevenlabs.io/v1/user)
[https://api.enablex.io/voice/v1/call/api/access](https://api.enablex.io/voice/v1/call/api/access)
[https://api.endorlabs.com/v1/auth/api](https://api.endorlabs.com/v1/auth/api)
[https://api.enigma.com/businesses/matchhttps](https://api.enigma.com/businesses/matchhttps)
[https://api.envoy.com/v1/locations](https://api.envoy.com/v1/locations)
[https://api.ers.usda.gov/data/arms/state](https://api.ers.usda.gov/data/arms/state)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal](https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal)
[https://api.eu.sendgrid.comtag](https://api.eu.sendgrid.comtag)
[https://api.everhour.com/clientshttps](https://api.everhour.com/clientshttps)
[https://api.exchangeratesapi.io/v1/latest](https://api.exchangeratesapi.io/v1/latest)
[https://api.exportsdk.com/v1/pdfhttps](https://api.exportsdk.com/v1/pdfhttps)
[https://api.fastforex.io/fetch](https://api.fastforex.io/fetch)
[https://api.fastly.com/current_userhttps](https://api.fastly.com/current_userhttps)
[https://api.feedier.com/v1/carriers](https://api.feedier.com/v1/carriers)
[https://api.figma.com/v1/me](https://api.figma.com/v1/me)
[https://api.finage.co.uk/symbol](https://api.finage.co.uk/symbol)
[https://api.findl.com/v1.0/query](https://api.findl.com/v1.0/query)
[https://api.flat.io/v2/meapplication](https://api.flat.io/v2/meapplication)
[https://api.fleetbase.io/v1/contacts/](https://api.fleetbase.io/v1/contacts/)
[https://api.flightapi.io/iata/](https://api.flightapi.io/iata/)
[https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields](https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields)
[https://api.float.com/v3/people](https://api.float.com/v3/people)
[https://api.flutterwave.com/v3/subaccountshttps](https://api.flutterwave.com/v3/subaccountshttps)
[https://api.fmfw.io/api/3/spot/balancegithub](https://api.fmfw.io/api/3/spot/balancegithub)
[https://api.foursquare.com/v2/venues/trending](https://api.foursquare.com/v2/venues/trending)
[https://api.frame.io/v2/mehttps](https://api.frame.io/v2/mehttps)
[https://api.fulcrumapp.com/api/v2/forms.jsonhttps](https://api.fulcrumapp.com/api/v2/forms.jsonhttps)
[https://api.fullstory.com/operations/v1https](https://api.fullstory.com/operations/v1https)
[https://api.fullstory.com/v2/users](https://api.fullstory.com/v2/users)
[https://api.geckoboard.com/](https://api.geckoboard.com/)
[https://api.gemini.com/v1/accounthttps](https://api.gemini.com/v1/accounthttps)
[https://api.gengo.com/v2/account/me](https://api.gengo.com/v2/account/me)
[https://api.geoapify.com/v1/geocode/search](https://api.geoapify.com/v1/geocode/search)
[https://api.geocod.io/v1.6/geocode](https://api.geocod.io/v1.6/geocode)
[https://api.geocodify.com/v2/geocode](https://api.geocodify.com/v2/geocode)
[https://api.getbeamer.com/v0/url](https://api.getbeamer.com/v0/url)
[https://api.getgeoapi.com/v2/currency/list](https://api.getgeoapi.com/v2/currency/list)
[https://api.getgist.com/contacts/](https://api.getgist.com/contacts/)
[https://api.getpostman.com/collections/0/ch1/0/](https://api.getpostman.com/collections/0/ch1/0/)
[https://api.getpostman.com/environments/](https://api.getpostman.com/environments/)
[https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser](https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser)
[https://api.getpostman.com/workspaces/](https://api.getpostman.com/workspaces/)
[https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps](https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps)
[https://api.getresponse.com/v3/accountshttps](https://api.getresponse.com/v3/accountshttps)
[https://api.github.com/2006](https://api.github.com/2006)
[https://api.github.com/apphttps](https://api.github.com/apphttps)
[https://api.github.com/graphqlfailed](https://api.github.com/graphqlfailed)
[https://api.github.com/repos/exec](https://api.github.com/repos/exec)
[https://api.github.com/user/interaction](https://api.github.com/user/interaction)
[https://api.github.com/user/social_accountssql](https://api.github.com/user/social_accountssql)
[https://api.github.comInclude](https://api.github.comInclude)
[https://api.gitter.im/v1/user/me](https://api.gitter.im/v1/user/me)
[https://api.glassnode.com/v1/metrics/indicators/sopr](https://api.glassnode.com/v1/metrics/indicators/sopr)
[https://api.gocardless.com/customers/](https://api.gocardless.com/customers/)
[https://api.goodday.work/2.0/users](https://api.goodday.work/2.0/users)
[https://api.groovehq.com/v1/meexpected](https://api.groovehq.com/v1/meexpected)
[https://api.groq.com/openai/v1/models](https://api.groq.com/openai/v1/models)
[https://api.gumroad.com/v2/products](https://api.gumroad.com/v2/products)
[https://api.gyazo.com/api/images](https://api.gyazo.com/api/images)
[https://api.harvestapp.com/v2/users/me](https://api.harvestapp.com/v2/users/me)
[https://api.hellosign.com/v3/accounthttps](https://api.hellosign.com/v3/accounthttps)
[https://api.helpcrunch.com/v1/departmentshttps](https://api.helpcrunch.com/v1/departmentshttps)
[https://api.heroku.com/apps](https://api.heroku.com/apps)
[https://api.holistic.dev/api/v1/projecthttps](https://api.holistic.dev/api/v1/projecthttps)
[https://api.honeycomb.io/1/authhttps](https://api.honeycomb.io/1/authhttps)
[https://api.html2pdf.app/v1/generatehttps](https://api.html2pdf.app/v1/generatehttps)
[https://api.hubapi.com/contacts/v1/lists](https://api.hubapi.com/contacts/v1/lists)
[https://api.hunter.io/v2/leads_lists](https://api.hunter.io/v2/leads_lists)
[https://api.hybiscus.dev/api/v1/get](https://api.hybiscus.dev/api/v1/get)
[https://api.iconfinder.com/v4/iconsetslogin](https://api.iconfinder.com/v4/iconsetslogin)
[https://api.imagekit.io/v1/fileshttps](https://api.imagekit.io/v1/fileshttps)
[https://api.imagga.com/v2/usagehttps](https://api.imagga.com/v2/usagehttps)
[https://api.instabot.io/v1spring.datasource.password](https://api.instabot.io/v1spring.datasource.password)
[https://api.instamojo.com/oauth2/token/https](https://api.instamojo.com/oauth2/token/https)
[https://api.intercom.io/contacts](https://api.intercom.io/contacts)
[https://api.intra.42.fr/oauth/token](https://api.intra.42.fr/oauth/token)
[https://api.ip2location.io/](https://api.ip2location.io/)
[https://api.ipapi.com/49.146.239.251](https://api.ipapi.com/49.146.239.251)
[https://api.ipgeolocation.io/ipgeo](https://api.ipgeolocation.io/ipgeo)
[https://api.ipinfodb.com/v3/ip](https://api.ipinfodb.com/v3/ip)
[https://api.ipstack.com/134.201.250.155](https://api.ipstack.com/134.201.250.155)
[https://api.jotform.com/user](https://api.jotform.com/user)
[https://api.juro.com/v3/templates](https://api.juro.com/v3/templates)
[https://api.keen.io/3.0/organizations/](https://api.keen.io/3.0/organizations/)
[https://api.kickbox.com/v2/verify](https://api.kickbox.com/v2/verify)
[https://api.knapsackpro.com/v1/builds](https://api.knapsackpro.com/v1/builds)
[https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill](https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill)
[https://api.kucoin.com](https://api.kucoin.com)
[https://api.kylas.io/v1/contactshttps](https://api.kylas.io/v1/contactshttps)
[https://api.languagelayer.com/languages](https://api.languagelayer.com/languages)
[https://api.leadfeeder.com/accountsunexpected](https://api.leadfeeder.com/accountsunexpected)
[https://api.lemlist.com/api/teamhttps](https://api.lemlist.com/api/teamhttps)
[https://api.lemonsqueezy.com/v1/products/](https://api.lemonsqueezy.com/v1/products/)
[https://api.lessannoyingcrm.com](https://api.lessannoyingcrm.com)
[https://api.lexigram.io/v1/lexigraph/search](https://api.lexigram.io/v1/lexigraph/search)
[https://api.linear.app/graphqlhttps](https://api.linear.app/graphqlhttps)
[https://api.linkpreview.net/](https://api.linkpreview.net/)
[https://api.livestorm.co/v1/ping](https://api.livestorm.co/v1/ping)
[https://api.loganalytics.iohttps](https://api.loganalytics.iohttps)
[https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot](https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot)
[https://api.loginradius.com/identity/v2/serverinfo](https://api.loginradius.com/identity/v2/serverinfo)
[https://api.logz.io/v2/whoami](https://api.logz.io/v2/whoami)
[https://api.lokalise.com/api2/system/languages](https://api.lokalise.com/api2/system/languages)
[https://api.loyverse.com/v1.0/merchant/https](https://api.loyverse.com/v1.0/merchant/https)
[https://api.luno.com/api/1/balancehttps](https://api.luno.com/api/1/balancehttps)
[https://api.madkudu.com/v1/pinghttps](https://api.madkudu.com/v1/pinghttps)
[https://api.magicbell.com/notification_preferenceshttps](https://api.magicbell.com/notification_preferenceshttps)
[https://api.mailerlite.com/api/v2/campaigns](https://api.mailerlite.com/api/v2/campaigns)
[https://api.mailgun.net/v3/domainshttps](https://api.mailgun.net/v3/domainshttps)
[https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates](https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates)
[https://api.mailjet.com/v3/REST/messagehttps](https://api.mailjet.com/v3/REST/messagehttps)
[https://api.mailjet.com/v4/sms](https://api.mailjet.com/v4/sms)
[https://api.mailmodo.com/api/v1/campaigns](https://api.mailmodo.com/api/v1/campaigns)
[https://api.mapbox.com/tokens/v2/](https://api.mapbox.com/tokens/v2/)
[https://api.marketstack.com/v1/eod](https://api.marketstack.com/v1/eod)
[https://api.mavenlink.com/api/v1/workspaces.jsonhttps](https://api.mavenlink.com/api/v1/workspaces.jsonhttps)
[https://api.meaningcloud.com/lang](https://api.meaningcloud.com/lang)
[https://api.mediastack.com/v1/news](https://api.mediastack.com/v1/news)
[https://api.mesibo.com/api.php](https://api.mesibo.com/api.php)
[https://api.meta](https://api.meta)
[https://api.miro.com/v1/users/mehttps](https://api.miro.com/v1/users/mehttps)
[https://api.mixmax.com/v1/users/meNvidia](https://api.mixmax.com/v1/users/meNvidia)
[https://api.mockaroo.com/api/types](https://api.mockaroo.com/api/types)
[https://api.monday.com/v2](https://api.monday.com/v2)
[https://api.monkeylearn.com/v3/classifiers](https://api.monkeylearn.com/v3/classifiers)
[https://api.moonclerk.com/forms](https://api.moonclerk.com/forms)
[https://api.moosend.com/v3/lists.json](https://api.moosend.com/v3/lists.json)
[https://api.mux.com/video/v1/assetshttps](https://api.mux.com/video/v1/assetshttps)
[https://api.myintervals.com/client/https](https://api.myintervals.com/client/https)
[https://api.na1.insightly.com/v3.1/Contacts](https://api.na1.insightly.com/v3.1/Contacts)
[https://api.netlify.com/api/v1/siteshttps](https://api.netlify.com/api/v1/siteshttps)
[https://api.newrelic.com/v2/users.json](https://api.newrelic.com/v2/users.json)
[https://api.newscatcherapi.com/v2/search](https://api.newscatcherapi.com/v2/search)
[https://api.nftport.xyz/me/contractshttps](https://api.nftport.xyz/me/contractshttps)
[https://api.ngc.nvidia.com/v3/keys/get](https://api.ngc.nvidia.com/v3/keys/get)
[https://api.ngrok.com/agent_ingressesapplication/vnd.nylas](https://api.ngrok.com/agent_ingressesapplication/vnd.nylas)
[https://api.nicereply.com/v1/users/statshttps](https://api.nicereply.com/v1/users/statshttps)
[https://api.nightfall.ai/v3/uploadhttps](https://api.nightfall.ai/v3/uploadhttps)
[https://api.noticeable.io/graphql](https://api.noticeable.io/graphql)
[https://api.notion.com/v1/usershttps](https://api.notion.com/v1/usershttps)
[https://api.nylas.com/account](https://api.nylas.com/account)
[https://api.omnisend.com/v3/contacts](https://api.omnisend.com/v3/contacts)
[https://api.oopspam.com/v1/spamdetectionhttps](https://api.oopspam.com/v1/spamdetectionhttps)
[https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin](https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin)
[https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings](https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings)
[https://api.openai.com/v1/fine_tuning/jobsfailed](https://api.openai.com/v1/fine_tuning/jobsfailed)
[https://api.openai.com/v1/images/generations](https://api.openai.com/v1/images/generations)
[https://api.openai.com/v1/me](https://api.openai.com/v1/me)
[https://api.openai.com/v1/modelsuser.scheduled_sends](https://api.openai.com/v1/modelsuser.scheduled_sends)
[https://api.openai.com/v1/organizationsfailed](https://api.openai.com/v1/organizationsfailed)
[https://api.openai.com/v1/threads/1error](https://api.openai.com/v1/threads/1error)
[https://api.openai.com/v1/threadshttps](https://api.openai.com/v1/threadshttps)
[https://api.opencagedata.com/geocode/v1/json](https://api.opencagedata.com/geocode/v1/json)
[https://api.openuv.io/api/v1/uv](https://api.openuv.io/api/v1/uv)
[https://api.openweathermap.org/data/2.5/weather](https://api.openweathermap.org/data/2.5/weather)
[https://api.opsgenie.com/v2/account](https://api.opsgenie.com/v2/account)
[https://api.opsgenie.com/v2/alerts/](https://api.opsgenie.com/v2/alerts/)
[https://api.opsgenie.com/v2/users](https://api.opsgenie.com/v2/users)
[https://api.optimizely.com/v2/projectsapplication/vnd.planyo](https://api.optimizely.com/v2/projectsapplication/vnd.planyo)
[https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty](https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty)
[https://api.pagar.me/1/balance](https://api.pagar.me/1/balance)
[https://api.pagerduty.com/usershttps](https://api.pagerduty.com/usershttps)
[https://api.pandadoc.com/public/v1/documentshttps](https://api.pandadoc.com/public/v1/documentshttps)
[https://api.pandascore.co/videogames](https://api.pandascore.co/videogames)
[https://api.paperform.co/v1/formshttps](https://api.paperform.co/v1/formshttps)
[https://api.parsers.dev/api/v1/parse/postgresql/https](https://api.parsers.dev/api/v1/parse/postgresql/https)
[https://api.parseur.com/postgresql](https://api.parseur.com/postgresql)
[https://api.partnerstack.com/api/v2/partnershipshttps](https://api.partnerstack.com/api/v2/partnershipshttps)
[https://api.paymongo.com/v1/payment_methodshttps](https://api.paymongo.com/v1/payment_methodshttps)
[https://api.paystack.co/customerhttps](https://api.paystack.co/customerhttps)
[https://api.pdflayer.com/api/convert](https://api.pdflayer.com/api/convert)
[https://api.pdfshift.io/v3/credits/usagehttps](https://api.pdfshift.io/v3/credits/usagehttps)
[https://api.peopledatalabs.com/v5/person/enrich](https://api.peopledatalabs.com/v5/person/enrich)
[https://api.pepipost.com/v5.1/domain/getDomains](https://api.pepipost.com/v5.1/domain/getDomains)
[https://api.pinata.cloud/pinning/pinJSONToIPFS](https://api.pinata.cloud/pinning/pinJSONToIPFS)
[https://api.pipedream.com/v1/users/mehttps](https://api.pipedream.com/v1/users/mehttps)
[https://api.planetscale.com/v1/organizationshttps](https://api.planetscale.com/v1/organizationshttps)
[https://api.plivo.com/v1/Account/](https://api.plivo.com/v1/Account/)
[https://api.podio.com/user](https://api.podio.com/user)
[https://api.pollsapi.com/v1/get/polls](https://api.pollsapi.com/v1/get/polls)
[https://api.polygon.io/v2/reference/locales](https://api.polygon.io/v2/reference/locales)
[https://api.positionstack.com/v1/forward](https://api.positionstack.com/v1/forward)
[https://api.postageapp.com/v.1.0/get_account_info.json](https://api.postageapp.com/v.1.0/get_account_info.json)
[https://api.postbacks.io/v1/requestPostbackhttps](https://api.postbacks.io/v1/requestPostbackhttps)
[https://api.postmarkapp.com/deliverystatshttps](https://api.postmarkapp.com/deliverystatshttps)
[https://api.prefect.cloud/auth/loginInclude](https://api.prefect.cloud/auth/loginInclude)
[https://api.privacy.com/v1/card](https://api.privacy.com/v1/card)
[https://api.prodpad.com/v1/tagshttps](https://api.prodpad.com/v1/tagshttps)
[https://api.proxycrawl.com/leads](https://api.proxycrawl.com/leads)
[https://api.pulumi.com/api/user/stackshttps](https://api.pulumi.com/api/user/stackshttps)
[https://api.pushbullet.com/v2/users/mehttps](https://api.pushbullet.com/v2/users/mehttps)
[https://api.qase.io/v1/user](https://api.qase.io/v1/user)
[https://api.qualaroo.com/api/v1/nudgeshttps](https://api.qualaroo.com/api/v1/nudgeshttps)
[https://api.ramp.com/developer/v1/tokenhttps](https://api.ramp.com/developer/v1/tokenhttps)
[https://api.rawg.io/api/platforms](https://api.rawg.io/api/platforms)
[https://api.razorpay.com/v1/items](https://api.razorpay.com/v1/items)
[https://api.rebrandly.com/v1/accounthttps](https://api.rebrandly.com/v1/accounthttps)
[https://api.rechargeapps.com/token_information&url=https](https://api.rechargeapps.com/token_information&url=https)
[https://api.refiner.io/v1/identify](https://api.refiner.io/v1/identify)
[https://api.rentman.net/filesAPI](https://api.rentman.net/filesAPI)
[https://api.replicate.com/v1/predictionshttps](https://api.replicate.com/v1/predictionshttps)
[https://api.reply.io/v1/peoplehttps](https://api.reply.io/v1/peoplehttps)
[https://api.request.finance/invoiceshttps](https://api.request.finance/invoiceshttps)
[https://api.ritekit.com/v1/stats/multiple](https://api.ritekit.com/v1/stats/multiple)
[https://api.roaring.io/token](https://api.roaring.io/token)
[https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore](https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore)
[https://api.route4me.com/api.v4/address_book.php](https://api.route4me.com/api.v4/address_book.php)
[https://api.rownd.io/applications/https](https://api.rownd.io/applications/https)
[https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps](https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps)
[https://api.runscope.com/accounthttps](https://api.runscope.com/accounthttps)
[https://api.salesflare.com/me/contacts](https://api.salesflare.com/me/contacts)
[https://api.sandbox.checkout.com/customers/https](https://api.sandbox.checkout.com/customers/https)
[https://api.sandbox.signaturit.com/v3/signatures.jsonhttps](https://api.sandbox.signaturit.com/v3/signatures.jsonhttps)
[https://api.scaleway.com/instance/v1/zones/fr](https://api.scaleway.com/instance/v1/zones/fr)
[https://api.scrapeowl.com/v1/scrape](https://api.scrapeowl.com/v1/scrape)
[https://api.scraperapi.com](https://api.scraperapi.com)
[https://api.scraperbox.com/scrape](https://api.scraperbox.com/scrape)
[https://api.scrapestack.com/scrape](https://api.scrapestack.com/scrape)
[https://api.scrapfly.io/scrape](https://api.scrapfly.io/scrape)
[https://api.scrapingant.com/v1/general](https://api.scrapingant.com/v1/general)
[https://api.screenshotlayer.com/api/capture](https://api.screenshotlayer.com/api/capture)
[https://api.securitytrails.com/v1/pinghttps](https://api.securitytrails.com/v1/pinghttps)
[https://api.semaphore.co/api/v4/account](https://api.semaphore.co/api/v4/account)
[https://api.sendgrid.com/v3/scopesfailed](https://api.sendgrid.com/v3/scopesfailed)
[https://api.sendgrid.comShopify](https://api.sendgrid.comShopify)
[https://api.sendinblue.com/v3/account](https://api.sendinblue.com/v3/account)
[https://api.serphouse.com/account/info](https://api.serphouse.com/account/info)
[https://api.serpstack.com/search](https://api.serpstack.com/search)
[https://api.sheety.co/](https://api.sheety.co/)
[https://api.sherpadesk.com/organizations/https](https://api.sherpadesk.com/organizations/https)
[https://api.shipday.com/carriers](https://api.shipday.com/carriers)
[https://api.shodan.io/api](https://api.shodan.io/api)
[https://api.shotstack.io/stage/renderhttps](https://api.shotstack.io/stage/renderhttps)
[https://api.shutterstock.com/v2/images/searchhttps](https://api.shutterstock.com/v2/images/searchhttps)
[https://api.shutterstock.com/v2/userhelper](https://api.shutterstock.com/v2/userhelper)
[https://api.signable.co.uk/v1/templates](https://api.signable.co.uk/v1/templates)
[https://api.signupgenius.com/v2/k/user/profile/](https://api.signupgenius.com/v2/k/user/profile/)
[https://api.sigopt.com/v1/experimentshttps](https://api.sigopt.com/v1/experimentshttps)
[https://api.simplesat.io/api/answers/](https://api.simplesat.io/api/answers/)
[https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps](https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps)
[https://api.sirv.com/v2/tokenSlack](https://api.sirv.com/v2/tokenSlack)
[https://api.siteleaf.com/v2/siteshttps](https://api.siteleaf.com/v2/siteshttps)
[https://api.skrapp.io/api/v2/accounthttps](https://api.skrapp.io/api/v2/accounthttps)
[https://api.skybiometry.com/fc/account/authenticate](https://api.skybiometry.com/fc/account/authenticate)
[https://api.smartsheet.com/2.0/sheetshttps](https://api.smartsheet.com/2.0/sheetshttps)
[https://api.smooch.io/v2/appsunable](https://api.smooch.io/v2/appsunable)
[https://api.speechtext.ai/recognize](https://api.speechtext.ai/recognize)
[https://api.spoonacular.com/recipes/random](https://api.spoonacular.com/recipes/random)
[https://api.squarespace.com/1.0/profiles](https://api.squarespace.com/1.0/profiles)
[https://api.statuscake.com/v1/sslhttps](https://api.statuscake.com/v1/sslhttps)
[https://api.statuspage.io/v1/pageshttps](https://api.statuspage.io/v1/pageshttps)
[https://api.stitchdata.com/v4/sourceshttps](https://api.stitchdata.com/v4/sourceshttps)
[https://api.stockdata.org/v1/data/quote](https://api.stockdata.org/v1/data/quote)
[https://api.storecove.com/api/v2/discovery/identifiershttps](https://api.storecove.com/api/v2/discovery/identifiershttps)
[https://api.stormboard.com/users/profileapplication/vnd.timecamp](https://api.stormboard.com/users/profileapplication/vnd.timecamp)
[https://api.stormglass.io/v2/weather/point](https://api.stormglass.io/v2/weather/point)
[https://api.storyblok.com/v1/cdn/spaces/me/](https://api.storyblok.com/v1/cdn/spaces/me/)
[https://api.storychief.io/1.0/users](https://api.storychief.io/1.0/users)
[https://api.stripe.com/v1/account/login_links](https://api.stripe.com/v1/account/login_links)
[https://api.stripe.com/v1/account_links](https://api.stripe.com/v1/account_links)
[https://api.stripe.com/v1/apple_pay/domains](https://api.stripe.com/v1/apple_pay/domains)
[https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds](https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds)
[https://api.stripe.com/v1/balance](https://api.stripe.com/v1/balance)
[https://api.stripe.com/v1/billing/meter_event_adjustments](https://api.stripe.com/v1/billing/meter_event_adjustments)
[https://api.stripe.com/v1/billing/meter_events](https://api.stripe.com/v1/billing/meter_events)
[https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries](https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries)
[https://api.stripe.com/v1/billing_portal/sessions](https://api.stripe.com/v1/billing_portal/sessions)
[https://api.stripe.com/v1/chargesx509](https://api.stripe.com/v1/chargesx509)
[https://api.stripe.com/v1/checkout/sessions](https://api.stripe.com/v1/checkout/sessions)
[https://api.stripe.com/v1/climate/orders](https://api.stripe.com/v1/climate/orders)
[https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist](https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist)
[https://api.stripe.com/v1/coupons](https://api.stripe.com/v1/coupons)
[https://api.stripe.com/v1/credit_notes/nowaythiscanexsit](https://api.stripe.com/v1/credit_notes/nowaythiscanexsit)
[https://api.stripe.com/v1/customer_sessions](https://api.stripe.com/v1/customer_sessions)
[https://api.stripe.com/v1/customers/nowaythiscanexist](https://api.stripe.com/v1/customers/nowaythiscanexist)
[https://api.stripe.com/v1/disputes/nowaycanthisexist](https://api.stripe.com/v1/disputes/nowaycanthisexist)
[https://api.stripe.com/v1/ephemeral_keys](https://api.stripe.com/v1/ephemeral_keys)
[https://api.stripe.com/v1/events](https://api.stripe.com/v1/events)
[https://api.stripe.com/v1/files](https://api.stripe.com/v1/files)
[https://api.stripe.com/v1/identity/verification_sessions](https://api.stripe.com/v1/identity/verification_sessions)
[https://api.stripe.com/v1/invoices](https://api.stripe.com/v1/invoices)
[https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist](https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist](https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cards/nowaythiscanexist](https://api.stripe.com/v1/issuing/cards/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist](https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/funding_instructions](https://api.stripe.com/v1/issuing/funding_instructions)
[https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist](https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist](https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist)
[https://api.stripe.com/v1/orders](https://api.stripe.com/v1/orders)
[https://api.stripe.com/v1/payment_intents](https://api.stripe.com/v1/payment_intents)
[https://api.stripe.com/v1/payment_links](https://api.stripe.com/v1/payment_links)
[https://api.stripe.com/v1/payment_method_domains](https://api.stripe.com/v1/payment_method_domains)
[https://api.stripe.com/v1/payment_methods/nowaycanthisexist](https://api.stripe.com/v1/payment_methods/nowaycanthisexist)
[https://api.stripe.com/v1/payouts](https://api.stripe.com/v1/payouts)
[https://api.stripe.com/v1/prices](https://api.stripe.com/v1/prices)
[https://api.stripe.com/v1/products](https://api.stripe.com/v1/products)
[https://api.stripe.com/v1/promotion_codes](https://api.stripe.com/v1/promotion_codes)
[https://api.stripe.com/v1/quotes/nowaythiscanexist](https://api.stripe.com/v1/quotes/nowaythiscanexist)
[https://api.stripe.com/v1/reporting/report_runs](https://api.stripe.com/v1/reporting/report_runs)
[https://api.stripe.com/v1/reviews/nowaycanthisexist/approve](https://api.stripe.com/v1/reviews/nowaycanthisexist/approve)
[https://api.stripe.com/v1/setup_intents/nowaycanthisexist](https://api.stripe.com/v1/setup_intents/nowaycanthisexist)
[https://api.stripe.com/v1/shipping_rates](https://api.stripe.com/v1/shipping_rates)
[https://api.stripe.com/v1/skus](https://api.stripe.com/v1/skus)
[https://api.stripe.com/v1/sources/nowaycanthisexist](https://api.stripe.com/v1/sources/nowaycanthisexist)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records)
[https://api.stripe.com/v1/subscriptions](https://api.stripe.com/v1/subscriptions)
[https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items](https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items)
[https://api.stripe.com/v1/tax/registrations/nowaycanthisexist](https://api.stripe.com/v1/tax/registrations/nowaycanthisexist)
[https://api.stripe.com/v1/tax/settings](https://api.stripe.com/v1/tax/settings)
[https://api.stripe.com/v1/tax_ids](https://api.stripe.com/v1/tax_ids)
[https://api.stripe.com/v1/tax_rates](https://api.stripe.com/v1/tax_rates)
[https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist](https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist)
[https://api.stripe.com/v1/terminal/locations](https://api.stripe.com/v1/terminal/locations)
[https://api.stripe.com/v1/terminal/readers](https://api.stripe.com/v1/terminal/readers)
[https://api.stripe.com/v1/test_helpers/confirmation_tokens](https://api.stripe.com/v1/test_helpers/confirmation_tokens)
[https://api.stripe.com/v1/test_helpers/test_clocks](https://api.stripe.com/v1/test_helpers/test_clocks)
[https://api.stripe.com/v1/tokens/nowaycanthisexist](https://api.stripe.com/v1/tokens/nowaycanthisexist)
[https://api.stripe.com/v1/topups](https://api.stripe.com/v1/topups)
[https://api.stripe.com/v1/transfers](https://api.stripe.com/v1/transfers)
[https://api.stripe.com/v1/webhook_endpoints](https://api.stripe.com/v1/webhook_endpoints)
[https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio](https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio)
[https://api.supabase.com/v1/projectshttps](https://api.supabase.com/v1/projectshttps)
[https://api.supernotes.app/v1/userhttps](https://api.supernotes.app/v1/userhttps)
[https://api.surveyanyplace.com/v1/surveys/https](https://api.surveyanyplace.com/v1/surveys/https)
[https://api.surveysparrow.com/v1/contactshttps](https://api.surveysparrow.com/v1/contactshttps)
[https://api.swell.store/products](https://api.swell.store/products)
[https://api.tailscale.com/api/v2/secret](https://api.tailscale.com/api/v2/secret)
[https://api.tallyfy.com/me](https://api.tallyfy.com/me)
[https://api.taxjar.com/v2/categorieshttps](https://api.taxjar.com/v2/categorieshttps)
[https://api.teamgate.com/v4/usershttps](https://api.teamgate.com/v4/usershttps)
[https://api.telegram.org/bot](https://api.telegram.org/bot)
[https://api.teletype.app/public/api/v1/messageshttps](https://api.teletype.app/public/api/v1/messageshttps)
[https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor](https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor)
[https://api.testingbot.com/v1/userhttps](https://api.testingbot.com/v1/userhttps)
[https://api.textanywhere.com/API/v1.0/REST/statushttps](https://api.textanywhere.com/API/v1.0/REST/statushttps)
[https://api.thinkific.com/api/public/v1/collectionshttps](https://api.thinkific.com/api/public/v1/collectionshttps)
[https://api.thousandeyes.com/v6/endpoint](https://api.thousandeyes.com/v6/endpoint)
[https://api.tickettailor.com/v1/ordershttps](https://api.tickettailor.com/v1/ordershttps)
[https://api.tiingo.com/tiingo/fundamentals/definitionshttps](https://api.tiingo.com/tiingo/fundamentals/definitionshttps)
[https://api.todoist.com/rest/v2/projectshttps](https://api.todoist.com/rest/v2/projectshttps)
[https://api.tomorrow.io/v4/alerts](https://api.tomorrow.io/v4/alerts)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png)
[https://api.tradier.com/v1/watchlistshttps](https://api.tradier.com/v1/watchlistshttps)
[https://api.transferwise.com/v2/profileshttps](https://api.transferwise.com/v2/profileshttps)
[https://api.travelpayouts.com/v2/prices/latest](https://api.travelpayouts.com/v2/prices/latest)
[https://api.travis](https://api.travis)
[https://api.trello.com/1/members/me](https://api.trello.com/1/members/me)
[https://api.twelvedata.com/earliest_timestamp](https://api.twelvedata.com/earliest_timestamp)
[https://api.twilio.com/2010](https://api.twilio.com/2010)
[https://api.twist.com/api/v3/users/get_session_userhttps](https://api.twist.com/api/v3/users/get_session_userhttps)
[https://api.twitter.com/2/tweets/20https](https://api.twitter.com/2/tweets/20https)
[https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare](https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare)
[https://api.tyntec.com/2fa/v1/applicationerror](https://api.tyntec.com/2fa/v1/applicationerror)
[https://api.typeform.com/me](https://api.typeform.com/me)
[https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived](https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived)
[https://api.unify.id/v1/humandetect/verifyhttps](https://api.unify.id/v1/humandetect/verifyhttps)
[https://api.unplu.gg/forecasthttps](https://api.unplu.gg/forecasthttps)
[https://api.unsplash.com/photos/](https://api.unsplash.com/photos/)
[https://api.upcdatabase.org/product/0111222333446](https://api.upcdatabase.org/product/0111222333446)
[https://api.uplead.com/v2/creditshttps](https://api.uplead.com/v2/creditshttps)
[https://api.uploadcare.com/files/https](https://api.uploadcare.com/files/https)
[https://api.uptimerobot.com/v2/getMonitors](https://api.uptimerobot.com/v2/getMonitors)
[https://api.upwave.io/workspaces/https](https://api.upwave.io/workspaces/https)
[https://api.us1.signalfx.com/v2/dashboard](https://api.us1.signalfx.com/v2/dashboard)
[https://api.us2.sumologic.com/api/v1/users](https://api.us2.sumologic.com/api/v1/users)
[https://api.userflow.com/users](https://api.userflow.com/users)
[https://api.userstack.com/detect](https://api.userstack.com/detect)
[https://api.vbout.com/1/app/me.json](https://api.vbout.com/1/app/me.json)
[https://api.vercel.com/www/userenumerating](https://api.vercel.com/www/userenumerating)
[https://api.verimail.io/v3/verify](https://api.verimail.io/v3/verify)
[https://api.veriphone.io/v2/verify](https://api.veriphone.io/v2/verify)
[https://api.voicegain.ai/v1/sa/confighttps](https://api.voicegain.ai/v1/sa/confighttps)
[https://api.voodoosms.com/creditsError](https://api.voodoosms.com/creditsError)
[https://api.vultr.com/v2/accounterror](https://api.vultr.com/v2/accounterror)
[https://api.vyte.in/v2/events](https://api.vyte.in/v2/events)
[https://api.weatherbit.io/v2.0/history/airquality](https://api.weatherbit.io/v2.0/history/airquality)
[https://api.weatherstack.com/current](https://api.weatherstack.com/current)
[https://api.web3.storage/user/uploadshttps](https://api.web3.storage/user/uploadshttps)
[https://api.webflow.com/info](https://api.webflow.com/info)
[https://api.webscraper.io/api/v1/sitemaps](https://api.webscraper.io/api/v1/sitemaps)
[https://api.webscrapingapi.com/v1](https://api.webscrapingapi.com/v1)
[https://api.websitepulse.com/textserver.php](https://api.websitepulse.com/textserver.php)
[https://api.whoxy.com/](https://api.whoxy.com/)
[https://api.wistia.com/v1/stats/account.json](https://api.wistia.com/v1/stats/account.json)
[https://api.worksnaps.com/api/projects.xmlunable](https://api.worksnaps.com/api/projects.xmlunable)
[https://api.worldweatheronline.com/premium/v1/search.ashx](https://api.worldweatheronline.com/premium/v1/search.ashx)
[https://api.yelp.com/v3/businesses/search](https://api.yelp.com/v3/businesses/search)
[https://api.youneedabudget.com/v1/user](https://api.youneedabudget.com/v1/user)
[https://api.zenrows.com/v1/](https://api.zenrows.com/v1/)
[https://api.zeplin.dev/v1/users/meerror](https://api.zeplin.dev/v1/users/meerror)
[https://api.zerobounce.net/v1/activity](https://api.zerobounce.net/v1/activity)
[https://api.zerotier.com/api/v1/networkBranch](https://api.zerotier.com/api/v1/networkBranch)
[https://api.zipbooks.com/v2/auth/loginTotal](https://api.zipbooks.com/v2/auth/loginTotal)
[https://api2.autopilothq.com/v1/account](https://api2.autopilothq.com/v1/account)
[https://api2.frontapp.com/accountshttps](https://api2.frontapp.com/accountshttps)
[https://api4.nozbe.com/v1/api/usershttps](https://api4.nozbe.com/v1/api/usershttps)
[https://apilayer.net/api/check](https://apilayer.net/api/check)
[https://apilayer.net/api/validate](https://apilayer.net/api/validate)
[https://apis.paralleldots.com/v4/intenterror](https://apis.paralleldots.com/v4/intenterror)
[https://apiv2.allsportsapi.com/football/](https://apiv2.allsportsapi.com/football/)
[https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps](https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps)
[https://apiv4.reallysimplesystems.com/accountshttps](https://apiv4.reallysimplesystems.com/accountshttps)
[https://app.apacta.com/api/v1/time_entries](https://app.apacta.com/api/v1/time_entries)
[https://app.asana.com/api/1.0/users/meRead](https://app.asana.com/api/1.0/users/meRead)
[https://app.atera.com/api/v3/alertshttps](https://app.atera.com/api/v3/alertshttps)
[https://app.ayrshare.com/api/analytics/links](https://app.ayrshare.com/api/analytics/links)
[https://app.besnappy.com/api/v1/accountshttps](https://app.besnappy.com/api/v1/accountshttps)
[https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps](https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps)
[https://app.circleci.com/pipelines/](https://app.circleci.com/pipelines/)
[https://app.codacy.com/api/v3/user](https://app.codacy.com/api/v3/user)
[https://app.eraser.io/api/render/elements](https://app.eraser.io/api/render/elements)
[https://app.goflightlabs.com/airports](https://app.goflightlabs.com/airports)
[https://app.karmacrm.com/api/v3/contacts.json](https://app.karmacrm.com/api/v3/contacts.json)
[https://app.klipfolio.com/api/1.0/users](https://app.klipfolio.com/api/1.0/users)
[https://app.launchdarkly.com/api/v2/caller](https://app.launchdarkly.com/api/v2/caller)
[https://app.lendflow.io/api/v1/deals](https://app.lendflow.io/api/v1/deals)
[https://app.loadmill.com/api/v1/labels](https://app.loadmill.com/api/v1/labels)
[https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes](https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes)
[https://app.nimble.com/api/v1/myselfhttps](https://app.nimble.com/api/v1/myselfhttps)
[https://app.onedesk.com/rest/2.0/login/loginUserhttps](https://app.onedesk.com/rest/2.0/login/loginUserhttps)
[https://app.onepagecrm.com/api/v3/contacts.json](https://app.onepagecrm.com/api/v3/contacts.json)
[https://app.paymoapp.com/api/me](https://app.paymoapp.com/api/me)
[https://app.posthog.com/api/event/](https://app.posthog.com/api/event/)
[https://app.revampcrm.com/api/1.0/User/WhoAmIhttps](https://app.revampcrm.com/api/1.0/User/WhoAmIhttps)
[https://app.satismeter.com/api/users](https://app.satismeter.com/api/users)
[https://app.scrapingbee.com/api/v1/](https://app.scrapingbee.com/api/v1/)
[https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=](https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=)
[https://app.surveybot.io/api/v1/surveys](https://app.surveybot.io/api/v1/surveys)
[https://app.terraform.io/api/v2/account/detailshttps](https://app.terraform.io/api/v2/account/detailshttps)
[https://app.ticketmaster.com/discovery/v2/events.json](https://app.ticketmaster.com/discovery/v2/events.json)
[https://app.timecamp.com/third_party/api/user](https://app.timecamp.com/third_party/api/user)
[https://app.tmetric.com/api/v3/userhttps](https://app.tmetric.com/api/v3/userhttps)
[https://app.travis](https://app.travis)
[https://app.vagrantup.com/api/v2/authenticateunexpected](https://app.vagrantup.com/api/v2/authenticateunexpected)
[https://app.workstack.io/api/team](https://app.workstack.io/api/team)
[https://app.zenscrape.com/api/v1/statushttps](https://app.zenscrape.com/api/v1/statushttps)
[https://app.zenserp.com/api/v2/search](https://app.zenserp.com/api/v2/search)
[https://app.zipcodebase.com/api/v1/search](https://app.zipcodebase.com/api/v1/search)
[https://apple.comhttps](https://apple.comhttps)
[https://auth.app.wiz.io/oauth/tokenerror](https://auth.app.wiz.io/oauth/tokenerror)
[https://auth.dfuse.io/v1/auth/issuehttps](https://auth.dfuse.io/v1/auth/issuehttps)
[https://auth.freshbooks.com/oauth/authorize](https://auth.freshbooks.com/oauth/authorize)
[https://authn.nvidia.com/token](https://authn.nvidia.com/token)
[https://axonaut.com/api/v2/companies](https://axonaut.com/api/v2/companies)
[https://backboard.railway.app/graphql/v2application/vnd.sugester](https://backboard.railway.app/graphql/v2application/vnd.sugester)
[https://base.zenkit.com/api/v1/users/mehttps](https://base.zenkit.com/api/v1/users/mehttps)
[https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps](https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps)
[https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative](https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative)
[https://batch.core.usgovcloudapi.net/https](https://batch.core.usgovcloudapi.net/https)
[https://batch.core.windows.net/https](https://batch.core.windows.net/https)
[https://besttime.app/api/v1/keys/https](https://besttime.app/api/v1/keys/https)
[https://blitapp.com/api/apps/allhttps](https://blitapp.com/api/apps/allhttps)
[https://boostnote.io/api/docshttps](https://boostnote.io/api/docshttps)
[https://budibase.app/api/public/v1/applications/searchhttps](https://budibase.app/api/public/v1/applications/searchhttps)
[https://calendarific.com/api/v2/holidays](https://calendarific.com/api/v2/holidays)
[https://campayn.com/api/v1/lists](https://campayn.com/api/v1/lists)
[https://canny.io/api/v1/boards/listhttps](https://canny.io/api/v1/boards/listhttps)
[https://capi.tokeet.com/v1/user](https://capi.tokeet.com/v1/user)
[https://cex.io/api/balance/](https://cex.io/api/balance/)
[https://checkvist.com/auth/login.json](https://checkvist.com/auth/login.json)
[https://cicero.azavea.com/v3.1/account/credits_remaining](https://cicero.azavea.com/v3.1/account/credits_remaining)
[https://circleci.com/api/v1.1/invalid](https://circleci.com/api/v1.1/invalid)
[https://circleci.com/api/v2/mehttps](https://circleci.com/api/v2/mehttps)
[https://cloud.bitbar.com/api/mehttps](https://cloud.bitbar.com/api/mehttps)
[https://cloud.digitalocean.com/v1/oauth/token](https://cloud.digitalocean.com/v1/oauth/token)
[https://cloud.drone.io/api/userhttps](https://cloud.drone.io/api/userhttps)
[https://cloud.google.com/docs/authentication/external/set](https://cloud.google.com/docs/authentication/external/set)
[https://cloud.iexapis.com/stable/stock/aapl/quote](https://cloud.iexapis.com/stable/stock/aapl/quote)
[https://cloud.iexapis.com/v1/stock/aapl/quote](https://cloud.iexapis.com/v1/stock/aapl/quote)
[https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase](https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase)
[https://clustdoc.com/api/usershttps](https://clustdoc.com/api/usershttps)
[https://coda.io/apis/v1/whoami](https://coda.io/apis/v1/whoami)
[https://codequiry.com/api/v1/checks](https://codequiry.com/api/v1/checks)
[https://coinlib.io/api/v1/global](https://coinlib.io/api/v1/global)
[https://collect2.com/api/](https://collect2.com/api/)
[https://commodities](https://commodities)
[https://connect.squareup.com/oauth2/authorize](https://connect.squareup.com/oauth2/authorize)
[https://connect.squareup.com/oauth2/token/statusx509](https://connect.squareup.com/oauth2/token/statusx509)
[https://connect.squareup.com/v2/team](https://connect.squareup.com/v2/team)
[https://connect.squareupsandbox.com/oauth2/revokehttps](https://connect.squareupsandbox.com/oauth2/revokehttps)
[https://connect.squareupsandbox.com/v2/merchantshttps](https://connect.squareupsandbox.com/v2/merchantshttps)
[https://console.jumpcloud.com/api/v2/systemgroupshttps](https://console.jumpcloud.com/api/v2/systemgroupshttps)
[https://content.guardianapis.com/search](https://content.guardianapis.com/search)
[https://convier.me/api/eventhttps](https://convier.me/api/eventhttps)
[https://cosmos.azure.comfailed](https://cosmos.azure.comfailed)
[https://coveralls.io/api/repos/github/secretscanner02/scanner](https://coveralls.io/api/repos/github/secretscanner02/scanner)
[https://customer.guru/export/customers](https://customer.guru/export/customers)
[https://dash.readme.com/api/v1https](https://dash.readme.com/api/v1https)
[https://dashboard.chatfuel.com/api/botshttps](https://dashboard.chatfuel.com/api/botshttps)
[https://data.fixer.io/api/latest](https://data.fixer.io/api/latest)
[https://database.chinacloudapi.cn/expected](https://database.chinacloudapi.cn/expected)
[https://database.cloudapi.de/not](https://database.cloudapi.de/not)
[https://database.usgovcloudapi.net/data](https://database.usgovcloudapi.net/data)
[https://database.windows.net/postgres.database.cloudapi.dehttps](https://database.windows.net/postgres.database.cloudapi.dehttps)
[https://datalake.azure.net/https](https://datalake.azure.net/https)
[https://dataservice.accuweather.com/locations/v1/cities/autocomplete](https://dataservice.accuweather.com/locations/v1/cities/autocomplete)
[https://deliver.kontent.ai/](https://deliver.kontent.ai/)
[https://dev.azure.com/](https://dev.azure.com/)
[https://dev.azuresynapse.nethttps](https://dev.azuresynapse.nethttps)
[https://dev.azuresynapse.usgovcloudapi.netdata](https://dev.azuresynapse.usgovcloudapi.netdata)
[https://dev.lunchmoney.app/v1/categories](https://dev.lunchmoney.app/v1/categories)
[https://developer.api.autodesk.com/authentication/v1/authenticateimage](https://developer.api.autodesk.com/authentication/v1/authenticateimage)
[https://dictionary.yandex.net/api/v1/dicservice.json/getLangs](https://dictionary.yandex.net/api/v1/dicservice.json/getLangs)
[https://discord.com/api/v8/users/https](https://discord.com/api/v8/users/https)
[https://discord.com/api/webhooks/https](https://discord.com/api/webhooks/https)
[https://disqus.com/api/3.0/trends/listThreads.json](https://disqus.com/api/3.0/trends/listThreads.json)
[https://docs.airbrake.io/docs/devops](https://docs.airbrake.io/docs/devops)
[https://docs.stripe.com/api/account_links](https://docs.stripe.com/api/account_links)
[https://docs.stripe.com/api/application_fees/list](https://docs.stripe.com/api/application_fees/list)
[https://docs.stripe.com/api/balance](https://docs.stripe.com/api/balance)
[https://docs.stripe.com/api/billing/meter/create](https://docs.stripe.com/api/billing/meter/create)
[https://docs.stripe.com/api/billing/meter/list](https://docs.stripe.com/api/billing/meter/list)
[https://docs.stripe.com/api/charges/list](https://docs.stripe.com/api/charges/list)
[https://docs.stripe.com/api/charges/update](https://docs.stripe.com/api/charges/update)
[https://docs.stripe.com/api/checkout/sessions/create](https://docs.stripe.com/api/checkout/sessions/create)
[https://docs.stripe.com/api/checkout/sessions/list](https://docs.stripe.com/api/checkout/sessions/list)
[https://docs.stripe.com/api/climate/order/create](https://docs.stripe.com/api/climate/order/create)
[https://docs.stripe.com/api/climate/order/list](https://docs.stripe.com/api/climate/order/list)
[https://docs.stripe.com/api/confirmation_tokens/retrieve](https://docs.stripe.com/api/confirmation_tokens/retrieve)
[https://docs.stripe.com/api/confirmation_tokens/test_create](https://docs.stripe.com/api/confirmation_tokens/test_create)
[https://docs.stripe.com/api/coupons/create](https://docs.stripe.com/api/coupons/create)
[https://docs.stripe.com/api/coupons/list](https://docs.stripe.com/api/coupons/list)
[https://docs.stripe.com/api/credit_notes/list](https://docs.stripe.com/api/credit_notes/list)
[https://docs.stripe.com/api/credit_notes/update](https://docs.stripe.com/api/credit_notes/update)
[https://docs.stripe.com/api/customer_portal/sessions/create](https://docs.stripe.com/api/customer_portal/sessions/create)
[https://docs.stripe.com/api/customer_sessions/create](https://docs.stripe.com/api/customer_sessions/create)
[https://docs.stripe.com/api/customers/list](https://docs.stripe.com/api/customers/list)
[https://docs.stripe.com/api/customers/update](https://docs.stripe.com/api/customers/update)
[https://docs.stripe.com/api/disputes/list](https://docs.stripe.com/api/disputes/list)
[https://docs.stripe.com/api/disputes/update](https://docs.stripe.com/api/disputes/update)
[https://docs.stripe.com/api/events/list](https://docs.stripe.com/api/events/list)
[https://docs.stripe.com/api/fee_refunds/create](https://docs.stripe.com/api/fee_refunds/create)
[https://docs.stripe.com/api/identity/verification_sessions/create](https://docs.stripe.com/api/identity/verification_sessions/create)
[https://docs.stripe.com/api/identity/verification_sessions/list](https://docs.stripe.com/api/identity/verification_sessions/list)
[https://docs.stripe.com/api/invoices/create](https://docs.stripe.com/api/invoices/create)
[https://docs.stripe.com/api/invoices/list](https://docs.stripe.com/api/invoices/list)
[https://docs.stripe.com/api/issuing/authorizations/retrieve](https://docs.stripe.com/api/issuing/authorizations/retrieve)
[https://docs.stripe.com/api/issuing/authorizations/update](https://docs.stripe.com/api/issuing/authorizations/update)
[https://docs.stripe.com/api/issuing/cardholders/create](https://docs.stripe.com/api/issuing/cardholders/create)
[https://docs.stripe.com/api/issuing/cardholders/retrieve](https://docs.stripe.com/api/issuing/cardholders/retrieve)
[https://docs.stripe.com/api/issuing/cards/create](https://docs.stripe.com/api/issuing/cards/create)
[https://docs.stripe.com/api/issuing/cards/retrieve](https://docs.stripe.com/api/issuing/cards/retrieve)
[https://docs.stripe.com/api/issuing/disputes/retrieve](https://docs.stripe.com/api/issuing/disputes/retrieve)
[https://docs.stripe.com/api/issuing/disputes/update](https://docs.stripe.com/api/issuing/disputes/update)
[https://docs.stripe.com/api/issuing/funding_instructions/create](https://docs.stripe.com/api/issuing/funding_instructions/create)
[https://docs.stripe.com/api/issuing/funding_instructions/list](https://docs.stripe.com/api/issuing/funding_instructions/list)
[https://docs.stripe.com/api/issuing/tokens/retrieve](https://docs.stripe.com/api/issuing/tokens/retrieve)
[https://docs.stripe.com/api/issuing/tokens/update](https://docs.stripe.com/api/issuing/tokens/update)
[https://docs.stripe.com/api/issuing/transactions/retrieve](https://docs.stripe.com/api/issuing/transactions/retrieve)
[https://docs.stripe.com/api/issuing/transactions/update](https://docs.stripe.com/api/issuing/transactions/update)
[https://docs.stripe.com/api/payment_intents/create](https://docs.stripe.com/api/payment_intents/create)
[https://docs.stripe.com/api/payment_intents/list](https://docs.stripe.com/api/payment_intents/list)
[https://docs.stripe.com/api/payment_links/payment_links/create](https://docs.stripe.com/api/payment_links/payment_links/create)
[https://docs.stripe.com/api/payment_links/payment_links/list](https://docs.stripe.com/api/payment_links/payment_links/list)
[https://docs.stripe.com/api/payment_method_domains/create](https://docs.stripe.com/api/payment_method_domains/create)
[https://docs.stripe.com/api/payment_method_domains/list](https://docs.stripe.com/api/payment_method_domains/list)
[https://docs.stripe.com/api/payouts/create](https://docs.stripe.com/api/payouts/create)
[https://docs.stripe.com/api/payouts/list](https://docs.stripe.com/api/payouts/list)
[https://docs.stripe.com/api/prices/create](https://docs.stripe.com/api/prices/create)
[https://docs.stripe.com/api/prices/list](https://docs.stripe.com/api/prices/list)
[https://docs.stripe.com/api/products/create](https://docs.stripe.com/api/products/create)
[https://docs.stripe.com/api/products/list](https://docs.stripe.com/api/products/list)
[https://docs.stripe.com/api/promotion_codes/create](https://docs.stripe.com/api/promotion_codes/create)
[https://docs.stripe.com/api/promotion_codes/list](https://docs.stripe.com/api/promotion_codes/list)
[https://docs.stripe.com/api/quotes/list](https://docs.stripe.com/api/quotes/list)
[https://docs.stripe.com/api/quotes/update](https://docs.stripe.com/api/quotes/update)
[https://docs.stripe.com/api/radar/reviews/approve](https://docs.stripe.com/api/radar/reviews/approve)
[https://docs.stripe.com/api/radar/reviews/list](https://docs.stripe.com/api/radar/reviews/list)
[https://docs.stripe.com/api/reporting/report_run/list](https://docs.stripe.com/api/reporting/report_run/list)
[https://docs.stripe.com/api/setup_intents/create](https://docs.stripe.com/api/setup_intents/create)
[https://docs.stripe.com/api/setup_intents/list](https://docs.stripe.com/api/setup_intents/list)
[https://docs.stripe.com/api/shipping_rates/create](https://docs.stripe.com/api/shipping_rates/create)
[https://docs.stripe.com/api/shipping_rates/list](https://docs.stripe.com/api/shipping_rates/list)
[https://docs.stripe.com/api/sources/retrieve](https://docs.stripe.com/api/sources/retrieve)
[https://docs.stripe.com/api/sources/update](https://docs.stripe.com/api/sources/update)
[https://docs.stripe.com/api/subscriptions/create](https://docs.stripe.com/api/subscriptions/create)
[https://docs.stripe.com/api/subscriptions/list](https://docs.stripe.com/api/subscriptions/list)
[https://docs.stripe.com/api/tax/calculations/create](https://docs.stripe.com/api/tax/calculations/create)
[https://docs.stripe.com/api/tax/calculations/line_items](https://docs.stripe.com/api/tax/calculations/line_items)
[https://docs.stripe.com/api/tax/registrations/update](https://docs.stripe.com/api/tax/registrations/update)
[https://docs.stripe.com/api/tax/settings/retrieve](https://docs.stripe.com/api/tax/settings/retrieve)
[https://docs.stripe.com/api/tax_ids/create](https://docs.stripe.com/api/tax_ids/create)
[https://docs.stripe.com/api/tax_ids/list](https://docs.stripe.com/api/tax_ids/list)
[https://docs.stripe.com/api/tax_rates/create](https://docs.stripe.com/api/tax_rates/create)
[https://docs.stripe.com/api/tax_rates/list](https://docs.stripe.com/api/tax_rates/list)
[https://docs.stripe.com/api/terminal/configuration/list](https://docs.stripe.com/api/terminal/configuration/list)
[https://docs.stripe.com/api/terminal/configuration/update](https://docs.stripe.com/api/terminal/configuration/update)
[https://docs.stripe.com/api/terminal/locations/create](https://docs.stripe.com/api/terminal/locations/create)
[https://docs.stripe.com/api/terminal/locations/list](https://docs.stripe.com/api/terminal/locations/list)
[https://docs.stripe.com/api/terminal/readers/create](https://docs.stripe.com/api/terminal/readers/create)
[https://docs.stripe.com/api/terminal/readers/list](https://docs.stripe.com/api/terminal/readers/list)
[https://docs.stripe.com/api/test_clocks/create](https://docs.stripe.com/api/test_clocks/create)
[https://docs.stripe.com/api/test_clocks/list](https://docs.stripe.com/api/test_clocks/list)
[https://docs.stripe.com/api/tokens/create_card](https://docs.stripe.com/api/tokens/create_card)
[https://docs.stripe.com/api/tokens/retrieve](https://docs.stripe.com/api/tokens/retrieve)
[https://docs.stripe.com/api/topups/create](https://docs.stripe.com/api/topups/create)
[https://docs.stripe.com/api/topups/list](https://docs.stripe.com/api/topups/list)
[https://docs.stripe.com/api/transfers/create](https://docs.stripe.com/api/transfers/create)
[https://docs.stripe.com/api/transfers/list](https://docs.stripe.com/api/transfers/list)
[https://docs.stripe.com/api/usage_records/create](https://docs.stripe.com/api/usage_records/create)
[https://docs.stripe.com/api/usage_records/subscription_item_summary_list](https://docs.stripe.com/api/usage_records/subscription_item_summary_list)
[https://docs.stripe.com/api/webhook_endpoints/create](https://docs.stripe.com/api/webhook_endpoints/create)
[https://docs.stripe.com/api/webhook_endpoints/list](https://docs.stripe.com/api/webhook_endpoints/list)
[https://docsapi.helpscout.net/v1/collectionshttps](https://docsapi.helpscout.net/v1/collectionshttps)
[https://dummysite.com](https://dummysite.com)
[https://dynalist.io/api/v1/file/listhttps](https://dynalist.io/api/v1/file/listhttps)
[https://ecs.aliyuncs.com](https://ecs.aliyuncs.com)
[https://eu.posthog.com/api/event/](https://eu.posthog.com/api/event/)
[https://example.teamwork.com/crm/api/v2/users.jsonhttps](https://example.teamwork.com/crm/api/v2/users.jsonhttps)
[https://example.teamwork.com/desk/api/v2/me.jsonRepository](https://example.teamwork.com/desk/api/v2/me.jsonRepository)
[https://example.teamwork.com/spaces/api/v1/users.jsonhttps](https://example.teamwork.com/spaces/api/v1/users.jsonhttps)
[https://extractorapi.com/api/v1/extractor](https://extractorapi.com/api/v1/extractor)
[https://fetchrss.com/api/v1/feed/list](https://fetchrss.com/api/v1/feed/list)
[https://file.io/](https://file.io/)
[https://files.stripe.com/v1/files](https://files.stripe.com/v1/files)
[https://financialmodelingprep.com/api/v3/financial](https://financialmodelingprep.com/api/v3/financial)
[https://finnhub.io/api/v1/calendar/economic](https://finnhub.io/api/v1/calendar/economic)
[https://foo.com/bar](https://foo.com/bar)
[https://formcrafts.com/api/v1/https](https://formcrafts.com/api/v1/https)
[https://formio.form.io/currentapplication/vnd.github.v3](https://formio.form.io/currentapplication/vnd.github.v3)
[https://fxmarketapi.com/apilive](https://fxmarketapi.com/apilive)
[https://gallery.azure.com/https](https://gallery.azure.com/https)
[https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps](https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps)
[https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed](https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed)
[https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps](https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps)
[https://gate.sendbird.com/api/v2/applicationshttps](https://gate.sendbird.com/api/v2/applicationshttps)
[https://gen.duply.co/v1/usagegrant_type=client_credentials](https://gen.duply.co/v1/usagegrant_type=client_credentials)
[https://geo.ipify.org/api/v2/country](https://geo.ipify.org/api/v2/country)
[https://geocode.xyz/51.4647](https://geocode.xyz/51.4647)
[https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https](https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https)
[https://getsandbox.com/api/1/sandboxes/](https://getsandbox.com/api/1/sandboxes/)
[https://gist.github.comMetaDataValidationErrorunable](https://gist.github.comMetaDataValidationErrorunable)
[https://github.com/airbrake/airbrake](https://github.com/airbrake/airbrake)
[https://github.com/dustin](https://github.com/dustin)
[https://github.com/golang/protobuf/issues/1609](https://github.com/golang/protobuf/issues/1609)
[https://github.com/google/go](https://github.com/google/go)
[https://github.com/llvm/llvm](https://github.com/llvm/llvm)
[https://github.com/login/device/codeDiff](https://github.com/login/device/codeDiff)
[https://github.com/login/oauth/access_tokenexpected](https://github.com/login/oauth/access_tokenexpected)
[https://github.com/login/oauth/authorizekey](https://github.com/login/oauth/authorizekey)
[https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.](https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.)
[https://github.com/trufflesecurity/test_keyscannot](https://github.com/trufflesecurity/test_keyscannot)
[https://github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)
[https://gitlab.com/Skipping](https://gitlab.com/Skipping)
[https://gitlab.com/api/v4/metadatahttps](https://gitlab.com/api/v4/metadatahttps)
[https://gitlab.com/api/v4/personal_access_tokens/self](https://gitlab.com/api/v4/personal_access_tokens/self)
[https://gitlab.com/api/v4/projectshttps](https://gitlab.com/api/v4/projectshttps)
[https://gitlab.com/org/repo.gitAWS](https://gitlab.com/org/repo.gitAWS)
[https://gitlab.com/org/repo.gitNumber](https://gitlab.com/org/repo.gitNumber)
[https://gitlab.comScan](https://gitlab.comScan)
[https://go.postman.co/collection/tls](https://go.postman.co/collection/tls)
[https://go.postman.co/environments/could](https://go.postman.co/environments/could)
[https://go.postman.co/example/error](https://go.postman.co/example/error)
[https://go.postman.co/folder/TLS](https://go.postman.co/folder/TLS)
[https://go.postman.co/request/https](https://go.postman.co/request/https)
[https://go.postman.co/workspace/could](https://go.postman.co/workspace/could)
[https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers](https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers)
[https://go.urbanairship.com/api/schedules](https://go.urbanairship.com/api/schedules)
[https://google.com&width=1920&height=1080xoxb](https://google.com&width=1920&height=1080xoxb)
[https://google.comcrypto/ecdh](https://google.comcrypto/ecdh)
[https://google.comhttps](https://google.comhttps)
[https://grafana.com/api/v1/tokens](https://grafana.com/api/v1/tokens)
[https://graph.chinacloudapi.cn/https](https://graph.chinacloudapi.cn/https)
[https://graph.cloudapi.de/https](https://graph.cloudapi.de/https)
[https://graph.facebook.com/me](https://graph.facebook.com/me)
[https://graph.microsoft.com/https](https://graph.microsoft.com/https)
[https://graph.microsoft.us/https](https://graph.microsoft.us/https)
[https://graph.windows.net/mariadb.database.azure.comhttps](https://graph.windows.net/mariadb.database.azure.comhttps)
[https://graphhopper.com/api/1/geocode](https://graphhopper.com/api/1/geocode)
[https://graphql.us.jupiterone.io/https](https://graphql.us.jupiterone.io/https)
[https://gtmetrix.com/api/2.0/statushttps](https://gtmetrix.com/api/2.0/statushttps)
[https://hg.mozilla.org/releases/mozilla](https://hg.mozilla.org/releases/mozilla)
[https://holidayapi.com/v1/holidays](https://holidayapi.com/v1/holidays)
[https://hooman.pipedrive.com/api/v1/users](https://hooman.pipedrive.com/api/v1/users)
[https://host.io/api/domains/ip/8.8.8.8](https://host.io/api/domains/ip/8.8.8.8)
[https://howtorotate.com/docs/tutorials/airbrake/https](https://howtorotate.com/docs/tutorials/airbrake/https)
[https://howtorotate.com/docs/tutorials/atlassian/https](https://howtorotate.com/docs/tutorials/atlassian/https)
[https://howtorotate.com/docs/tutorials/aws/request](https://howtorotate.com/docs/tutorials/aws/request)
[https://howtorotate.com/docs/tutorials/azure/https](https://howtorotate.com/docs/tutorials/azure/https)
[https://howtorotate.com/docs/tutorials/elevenlabs/https](https://howtorotate.com/docs/tutorials/elevenlabs/https)
[https://howtorotate.com/docs/tutorials/eraser/https](https://howtorotate.com/docs/tutorials/eraser/https)
[https://howtorotate.com/docs/tutorials/gcp/https](https://howtorotate.com/docs/tutorials/gcp/https)
[https://howtorotate.com/docs/tutorials/github/https](https://howtorotate.com/docs/tutorials/github/https)
[https://howtorotate.com/docs/tutorials/gitlab/https](https://howtorotate.com/docs/tutorials/gitlab/https)
[https://howtorotate.com/docs/tutorials/groq/https](https://howtorotate.com/docs/tutorials/groq/https)
[https://howtorotate.com/docs/tutorials/mailchimp/https](https://howtorotate.com/docs/tutorials/mailchimp/https)
[https://howtorotate.com/docs/tutorials/maxmind/https](https://howtorotate.com/docs/tutorials/maxmind/https)
[https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps](https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps)
[https://howtorotate.com/docs/tutorials/mongo/https](https://howtorotate.com/docs/tutorials/mongo/https)
[https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata](https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata)
[https://howtorotate.com/docs/tutorials/npm/](https://howtorotate.com/docs/tutorials/npm/)
[https://howtorotate.com/docs/tutorials/railwayapp/https](https://howtorotate.com/docs/tutorials/railwayapp/https)
[https://howtorotate.com/docs/tutorials/sendbird/https](https://howtorotate.com/docs/tutorials/sendbird/https)
[https://howtorotate.com/docs/tutorials/sendgrid/https](https://howtorotate.com/docs/tutorials/sendgrid/https)
[https://howtorotate.com/docs/tutorials/slack/](https://howtorotate.com/docs/tutorials/slack/)
[https://howtorotate.com/docs/tutorials/sourcegraph/https](https://howtorotate.com/docs/tutorials/sourcegraph/https)
[https://howtorotate.com/docs/tutorials/square/https](https://howtorotate.com/docs/tutorials/square/https)
[https://howtorotate.com/docs/tutorials/stripe/https](https://howtorotate.com/docs/tutorials/stripe/https)
[https://howtorotate.com/docs/tutorials/sumologic/https](https://howtorotate.com/docs/tutorials/sumologic/https)
[https://howtorotate.com/docs/tutorials/twilio/](https://howtorotate.com/docs/tutorials/twilio/)
[https://httpbin.org/anythingAPI](https://httpbin.org/anythingAPI)
[https://httpbin.org/status/200https](https://httpbin.org/status/200https)
[https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11](https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11)
[https://huggingface.co/api/modelsparsing](https://huggingface.co/api/modelsparsing)
[https://huggingface.co/api/whoami](https://huggingface.co/api/whoami)
[https://huggingface.cofailed](https://huggingface.cofailed)
[https://iam.googleapis.com/v1/roleshttps](https://iam.googleapis.com/v1/roleshttps)
[https://iamcredentials..](https://iamcredentials..)
[https://iamcredentials.UNIVERSE_DOMAIN/failed](https://iamcredentials.UNIVERSE_DOMAIN/failed)
[https://iamcredentials.googleapis.com/openpgp](https://iamcredentials.googleapis.com/openpgp)
[https://iamcredentials.googleapis.com/v1/](https://iamcredentials.googleapis.com/v1/)
[https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32](https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32)
[https://id.twitch.tv/oauth2/token](https://id.twitch.tv/oauth2/token)
[https://index.docker.io/v1/Unreachable](https://index.docker.io/v1/Unreachable)
[https://industrial.api.ubidots.com/api/v1.6/variables/https](https://industrial.api.ubidots.com/api/v1.6/variables/https)
[https://interseller.io/api/campaigns/listhttps](https://interseller.io/api/campaigns/listhttps)
[https://io.adafruit.com/api/v2/ladybugtest/feeds/](https://io.adafruit.com/api/v2/ladybugtest/feeds/)
[https://jenkins.example.com](https://jenkins.example.com)
[https://keychecker.trufflesecurity.com/fingerprint/](https://keychecker.trufflesecurity.com/fingerprint/)
[https://learning.postman.com/docs/collaborating](https://learning.postman.com/docs/collaborating)
[https://linkedin.com/in/williamhgates](https://linkedin.com/in/williamhgates)
[https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam](https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam)
[https://login.chinacloudapi.cn/https](https://login.chinacloudapi.cn/https)
[https://login.eagleeyenetworks.com/g/aaa/authenticatehttps](https://login.eagleeyenetworks.com/g/aaa/authenticatehttps)
[https://login.microsoftonline.com/semaphore](https://login.microsoftonline.com/semaphore)
[https://login.microsoftonline.de/2006](https://login.microsoftonline.de/2006)
[https://login.microsoftonline.us/https](https://login.microsoftonline.us/https)
[https://mailsac.com/api/addresseshttps](https://mailsac.com/api/addresseshttps)
[https://mainnet.infura.io/v3/KNAPSACK](https://mainnet.infura.io/v3/KNAPSACK)
[https://manage.chinacloudapi.com/https](https://manage.chinacloudapi.com/https)
[https://manage.chinacloudapi.com/publishsettings/indexhttps](https://manage.chinacloudapi.com/publishsettings/indexhttps)
[https://manage.microsoftazure.de/publishsettings/indexhttp](https://manage.microsoftazure.de/publishsettings/indexhttp)
[https://manage.windowsazure.com/https](https://manage.windowsazure.com/https)
[https://manage.windowsazure.com/publishsettings/indexraw](https://manage.windowsazure.com/publishsettings/indexraw)
[https://manage.windowsazure.us/https](https://manage.windowsazure.us/https)
[https://manage.windowsazure.us/publishsettings/indexunrecognized](https://manage.windowsazure.us/publishsettings/indexunrecognized)
[https://managedhsm.azure.net/https](https://managedhsm.azure.net/https)
[https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps](https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps)
[https://management.azure.com/https](https://management.azure.com/https)
[https://management.chinacloudapi.cn/https](https://management.chinacloudapi.cn/https)
[https://management.core.chinacloudapi.cn/https](https://management.core.chinacloudapi.cn/https)
[https://management.core.cloudapi.de/data](https://management.core.cloudapi.de/data)
[https://management.core.usgovcloudapi.net/https](https://management.core.usgovcloudapi.net/https)
[https://management.core.windows.net/https](https://management.core.windows.net/https)
[https://management.microsoftazure.de/expected](https://management.microsoftazure.de/expected)
[https://management.usgovcloudapi.net/https](https://management.usgovcloudapi.net/https)
[https://mandrillapp.com/api/1.0/users/infohttps](https://mandrillapp.com/api/1.0/users/infohttps)
[https://microsoftgraph.chinacloudapi.cn/server_duration](https://microsoftgraph.chinacloudapi.cn/server_duration)
[https://microsoftgraph.chinacloudapi.cngo](https://microsoftgraph.chinacloudapi.cngo)
[https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus](https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus)
[https://moderationapi.com/api/v1/analyze/languagePostgres](https://moderationapi.com/api/v1/analyze/languagePostgres)
[https://mrticktock.com/app/api/is_timer_active](https://mrticktock.com/app/api/is_timer_active)
[https://my.demio.com/api/v1/ping/query](https://my.demio.com/api/v1/ping/query)
[https://nethunt.com/api/v1/zapier/triggers/readable](https://nethunt.com/api/v1/zapier/triggers/readable)
[https://neutrinoapi.net/url](https://neutrinoapi.net/url)
[https://newsapi.org/v2/everything](https://newsapi.org/v2/everything)
[https://oauth2.googleapis.com/device/codemssql](https://oauth2.googleapis.com/device/codemssql)
[https://oauth2.googleapis.com/tokenoauth2/google](https://oauth2.googleapis.com/tokenoauth2/google)
[https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb](https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb)
[https://onesignal.com/api/v1/appshttps](https://onesignal.com/api/v1/appshttps)
[https://onfleet.com/api/v2/organizationhttps](https://onfleet.com/api/v2/organizationhttps)
[https://open.larksuite.com/open](https://open.larksuite.com/open)
[https://opentelemetry.io/schemas/1.17.0grpclb](https://opentelemetry.io/schemas/1.17.0grpclb)
[https://oss.trufflehog.org/updatesillegal](https://oss.trufflehog.org/updatesillegal)
[https://ossrdbms](https://ossrdbms)
[https://otx.alienvault.com/api/v1/users/mehttps](https://otx.alienvault.com/api/v1/users/mehttps)
[https://owlbot.info/api/v4/dictionary/securityhttps](https://owlbot.info/api/v4/dictionary/securityhttps)
[https://packagecloud.io/api/v1/reposhttps](https://packagecloud.io/api/v1/reposhttps)
[https://partner_settingscategories.statsGoogle](https://partner_settingscategories.statsGoogle)
[https://pastebin.com/api/api_post.phpapplication/vnd.percy](https://pastebin.com/api/api_post.phpapplication/vnd.percy)
[https://paydirtapp.com/api/v1/clients](https://paydirtapp.com/api/v1/clients)
[https://payments.braintree](https://payments.braintree)
[https://payments.sandbox.braintree](https://payments.sandbox.braintree)
[https://pdflayer.com/downloads/invoice.htmlPlanetScale](https://pdflayer.com/downloads/invoice.htmlPlanetScale)
[https://percy.io/api/v1/projectshttps](https://percy.io/api/v1/projectshttps)
[https://person.clearbit.com/v1/people/email/alex](https://person.clearbit.com/v1/people/email/alex)
[https://pixabay.com/api/](https://pixabay.com/api/)
[https://pkg.go.dev/cloud.google.com/go/storage](https://pkg.go.dev/cloud.google.com/go/storage)
[https://pkg.go.dev/go.mongodb.org/mongo](https://pkg.go.dev/go.mongodb.org/mongo)
[https://platform.devtest.ringcentral.com/restapi/oauth/authorize](https://platform.devtest.ringcentral.com/restapi/oauth/authorize)
[https://platform.segmentapis.com/v1beta/workspaceshttps](https://platform.segmentapis.com/v1beta/workspaceshttps)
[https://plugin.api.dronahq.com/users/](https://plugin.api.dronahq.com/users/)
[https://poloniex.com/tradingApihttps](https://poloniex.com/tradingApihttps)
[https://powrbot.com/api/v1/search/single/](https://powrbot.com/api/v1/search/single/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://ps.pndsn.com/signal/https](https://ps.pndsn.com/signal/https)
[https://ps.pndsn.com/v2/objects/https](https://ps.pndsn.com/v2/objects/https)
[https://push.databox.com](https://push.databox.com)
[https://registry.npmjs.org/](https://registry.npmjs.org/)
[https://rendyplayground.simvoly.com/api/site/members](https://rendyplayground.simvoly.com/api/site/members)
[https://rest.clicksend.com/v3/accounthttps](https://rest.clicksend.com/v3/accounthttps)
[https://rest.coinapi.io/v1/exchangeshttps](https://rest.coinapi.io/v1/exchangeshttps)
[https://rest.messagebird.com/messageshttps](https://rest.messagebird.com/messageshttps)
[https://rest.nexmo.com/account/get](https://rest.nexmo.com/account/get)
[https://rest.textmagic.com/api/v2/userhttps](https://rest.textmagic.com/api/v2/userhttps)
[https://restpack.io/api/html2pdf/usagehttps](https://restpack.io/api/html2pdf/usagehttps)
[https://restpack.io/api/screenshot/usagehttps](https://restpack.io/api/screenshot/usagehttps)
[https://rubygems.org/api/v1/gems.jsonerror](https://rubygems.org/api/v1/gems.jsonerror)
[https://run.salesblink.io/api/public/listshttps](https://run.salesblink.io/api/public/listshttps)
[https://runrun.it/api/v1.0/users](https://runrun.it/api/v1.0/users)
[https://salescookie.com/app/Api/CreateTransaction](https://salescookie.com/app/Api/CreateTransaction)
[https://sandbox.impala.travel/v1/bookings](https://sandbox.impala.travel/v1/bookings)
[https://scrutinizer](https://scrutinizer)
[https://search.censys.io/api/v1/accounthttps](https://search.censys.io/api/v1/accounthttps)
[https://selectpdf.com/api2/convert/](https://selectpdf.com/api2/convert/)
[https://sentry.io/api/0/projects/https](https://sentry.io/api/0/projects/https)
[https://service.zipapi.us/zipcode/90210/](https://service.zipapi.us/zipcode/90210/)
[https://servicebus.azure.net/https](https://servicebus.azure.net/https)
[https://servicebus.chinacloudapi.cn/https](https://servicebus.chinacloudapi.cn/https)
[https://servicebus.cloudapi.de/https](https://servicebus.cloudapi.de/https)
[https://servicebus.usgovcloudapi.net/https](https://servicebus.usgovcloudapi.net/https)
[https://servicebus.windows.net/https](https://servicebus.windows.net/https)
[https://services.reachmail.net/administration/users/current](https://services.reachmail.net/administration/users/current)
[https://shot.screenshotapi.net/screenshot](https://shot.screenshotapi.net/screenshot)
[https://simfin.com/api/v2/companies/list](https://simfin.com/api/v2/companies/list)
[https://slack.com/api/auth.testCreateCustomerCard](https://slack.com/api/auth.testCreateCustomerCard)
[https://sms.8x8.com/api/v1/subaccounts/](https://sms.8x8.com/api/v1/subaccounts/)
[https://sms.api.sinch.com/xms/v1/https](https://sms.api.sinch.com/xms/v1/https)
[https://snyk.io/api/v1/user/mefailed](https://snyk.io/api/v1/user/mefailed)
[https://soccer.sportmonks.com/api/v2.0/leagues](https://soccer.sportmonks.com/api/v2.0/leagues)
[https://sourcegraph.com/.api/graphql](https://sourcegraph.com/.api/graphql)
[https://sslmate.com/api/v2/certs/example.com](https://sslmate.com/api/v2/certs/example.com)
[https://staging.cloud](https://staging.cloud)
[https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps](https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps)
[https://storage.UNIVERSE_DOMAIN/storage/v1/gccl](https://storage.UNIVERSE_DOMAIN/storage/v1/gccl)
[https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps](https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps)
[https://storage.googleapis.com/storage/v1/b/](https://storage.googleapis.com/storage/v1/b/)
[https://storage.mtls.googleapis.com/storage/v1/storage](https://storage.mtls.googleapis.com/storage/v1/storage)
[https://stripo.email/emailgeneration/v1/emails](https://stripo.email/emailgeneration/v1/emails)
[https://sts.UNIVERSE_DOMAIN/v1/tokenurn](https://sts.UNIVERSE_DOMAIN/v1/tokenurn)
[https://sts.amazonaws.com/](https://sts.amazonaws.com/)
[https://sts.amazonaws.comnot](https://sts.amazonaws.comnot)
[https://technical](https://technical)
[https://test.api.amadeus.com/v1/security/oauth2/tokenhttps](https://test.api.amadeus.com/v1/security/oauth2/tokenhttps)
[https://timezoneapi.io/api/ip/](https://timezoneapi.io/api/ip/)
[https://track.customer.io/api/v1/customers/5/eventshttps](https://track.customer.io/api/v1/customers/5/eventshttps)
[https://trackapi.nutritionix.com/v2/natural/nutrients](https://trackapi.nutritionix.com/v2/natural/nutrients)
[https://trading.robinhood.com/https](https://trading.robinhood.com/https)
[https://transit.walkscore.com/transit/search/stops/](https://transit.walkscore.com/transit/search/stops/)
[https://trk.mtrl.me/categoryunexpected](https://trk.mtrl.me/categoryunexpected)
[https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https](https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https)
[https://trufflesecurity.com/canariesGetGeoAPI](https://trufflesecurity.com/canariesGetGeoAPI)
[https://trufflesecurity.com/contacted25519](https://trufflesecurity.com/contacted25519)
[https://trufflesecurity.com/trufflehogmax](https://trufflesecurity.com/trufflehogmax)
[https://typetalk.com/oauth2/access_token](https://typetalk.com/oauth2/access_token)
[https://unify.apideck.com/vault/consumerscouldn](https://unify.apideck.com/vault/consumerscouldn)
[https://upload.pypi.org/legacy/](https://upload.pypi.org/legacy/)
[https://uploads.github.com//dependency](https://uploads.github.com//dependency)
[https://uptime.betterstack.com/api/v2/monitorshttps](https://uptime.betterstack.com/api/v2/monitorshttps)
[https://urlscan.io/user/quotashttps](https://urlscan.io/user/quotashttps)
[https://us.qubole.com/api/v1.2/accounthttps](https://us.qubole.com/api/v1.2/accounthttps)
[https://us1.locationiq.com/v1/reverse.php](https://us1.locationiq.com/v1/reverse.php)
[https://v2.convertapi.com/user](https://v2.convertapi.com/user)
[https://v3.api.hypertrack.com/trips/expected](https://v3.api.hypertrack.com/trips/expected)
[https://v6.exchangerate](https://v6.exchangerate)
[https://vault.azure.cn/vault.microsoftazure.denot](https://vault.azure.cn/vault.microsoftazure.denot)
[https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot](https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot)
[https://vault.azure.net/mysql.database.azure.comhttps](https://vault.azure.net/mysql.database.azure.comhttps)
[https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps](https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps)
[https://vault.microsoftazure.de/specific](https://vault.microsoftazure.de/specific)
[https://vault.microsoftazure.dedata](https://vault.microsoftazure.dedata)
[https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp](https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp)
[https://vault.usgovcloudapi.nethttps](https://vault.usgovcloudapi.nethttps)
[https://verifier.meetchopra.com/verify/](https://verifier.meetchopra.com/verify/)
[https://verify.twilio.com/v2/Servicesif](https://verify.twilio.com/v2/Servicesif)
[https://vpnapi.io/api/8.8.8.8](https://vpnapi.io/api/8.8.8.8)
[https://weather.ls.hereapi.com/weather/1.0/report.json](https://weather.ls.hereapi.com/weather/1.0/report.json)
[https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA](https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA)
[https://webexapis.com/v1/access_tokenhttps](https://webexapis.com/v1/access_tokenhttps)
[https://ws.detectlanguage.com/0.2/user/statushttps](https://ws.detectlanguage.com/0.2/user/statushttps)
[https://www.World](https://www.World)
[https://www.apilayer.net/api/validate](https://www.apilayer.net/api/validate)
[https://www.apimatic.io/api/code](https://www.apimatic.io/api/code)
[https://www.appsynergy.com/api](https://www.appsynergy.com/api)
[https://www.bitmex.com](https://www.bitmex.com)
[https://www.browserstack.com/automate/plan.jsonhttps](https://www.browserstack.com/automate/plan.jsonhttps)
[https://www.buddyns.com/api/v2/zone/https](https://www.buddyns.com/api/v2/zone/https)
[https://www.bugherd.com/api_v2/projects.jsonhttps](https://www.bugherd.com/api_v2/projects.jsonhttps)
[https://www.carboninterface.com/api/v1/estimateshttps](https://www.carboninterface.com/api/v1/estimateshttps)
[https://www.clinchpad.com/api/v1/pipelines](https://www.clinchpad.com/api/v1/pipelines)
[https://www.diggernaut.com/api/projectshttps](https://www.diggernaut.com/api/projectshttps)
[https://www.dnscheck.co/api/v1/groups/https](https://www.dnscheck.co/api/v1/groups/https)
[https://www.easy](https://www.easy)
[https://www.eventbriteapi.com/v3/users/me/](https://www.eventbriteapi.com/v3/users/me/)
[https://www.flickr.com/services/rest/](https://www.flickr.com/services/rest/)
[https://www.formbucket.com/v1/profilehttps](https://www.formbucket.com/v1/profilehttps)
[https://www.gocanvas.com/apiv2/forms.xml](https://www.gocanvas.com/apiv2/forms.xml)
[https://www.googleapis.com/auth/cloud](https://www.googleapis.com/auth/cloud)
[https://www.googleapis.com/auth/devstorage.full_controlstorage](https://www.googleapis.com/auth/devstorage.full_controlstorage)
[https://www.googleapis.com/auth/devstorage.read_onlywildcards](https://www.googleapis.com/auth/devstorage.read_onlywildcards)
[https://www.googleapis.com/auth/devstorage.read_writeB](https://www.googleapis.com/auth/devstorage.read_writeB)
[https://www.googleapis.com/auth/devstorage.read_writecredentials](https://www.googleapis.com/auth/devstorage.read_writecredentials)
[https://www.googleapis.com/blogger/v3/blogs/2399953](https://www.googleapis.com/blogger/v3/blogs/2399953)
[https://www.googleapis.com/oauth2/v3/tokeninfo](https://www.googleapis.com/oauth2/v3/tokeninfo)
[https://www.googleapis.com/youtube/v3/channelSections](https://www.googleapis.com/youtube/v3/channelSections)
[https://www.happyscribe.com/api/v1/transcriptionshttps](https://www.happyscribe.com/api/v1/transcriptionshttps)
[https://www.humanity.com/api/v2/me](https://www.humanity.com/api/v2/me)
[https://www.ipqualityscore.com/api/json/account/](https://www.ipqualityscore.com/api/json/account/)
[https://www.mapquestapi.com/datamanager/v2/get](https://www.mapquestapi.com/datamanager/v2/get)
[https://www.meistertask.com/api/projectsapplication/vnd.moonclerk](https://www.meistertask.com/api/projectsapplication/vnd.moonclerk)
[https://www.mindmeister.com/services/rest/oauth2](https://www.mindmeister.com/services/rest/oauth2)
[https://www.mongodb.com/supportability/cosmosdb](https://www.mongodb.com/supportability/cosmosdb)
[https://www.mongodb.com/supportability/documentdbAzure](https://www.mongodb.com/supportability/documentdbAzure)
[https://www.nuget.org/api/v2/packagehttps](https://www.nuget.org/api/v2/packagehttps)
[https://www.parsehub.com/api/v2/projects](https://www.parsehub.com/api/v2/projects)
[https://www.pivotaltracker.com/services/v5/mehttps](https://www.pivotaltracker.com/services/v5/mehttps)
[https://www.planyo.com/rest/](https://www.planyo.com/rest/)
[https://www.postman.com/_api/workspace/](https://www.postman.com/_api/workspace/)
[https://www.protocols.io/api/v3/session/profilerequest](https://www.protocols.io/api/v3/session/profilerequest)
[https://www.recent](https://www.recent)
[https://www.strava.com/oauth/tokenhttps](https://www.strava.com/oauth/tokenhttps)
[https://www.streak.com/api/v1/pipelineshttps](https://www.streak.com/api/v1/pipelineshttps)
[https://www.tefter.io/api/bookmarks](https://www.tefter.io/api/bookmarks)
[https://www.versioneye.com/api/v1/scanshttps](https://www.versioneye.com/api/v1/scanshttps)
[https://www.virustotal.com/api/v3/metadatahttps](https://www.virustotal.com/api/v3/metadatahttps)
[https://www.worldcoinindex.com/apiservice/ticker](https://www.worldcoinindex.com/apiservice/ticker)
[https://www.zipcodeapi.com/rest/](https://www.zipcodeapi.com/rest/)
[https://yourdomain.com/samplecallback](https://yourdomain.com/samplecallback)
[https://yourwebsite.com/callbacks_handler/BuddyNS](https://yourwebsite.com/callbacks_handler/BuddyNS) | | LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | | LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [api.github.com](https://github.com/search?q=api.github.com&type=code)
[google/go-github](https://github.com/search?q=google%2Fgo-github&type=code) | | LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code) |
diff --git a/tests/linux/clean/x11vnc.simple b/tests/linux/clean/x11vnc.simple
new file mode 100644
index 00000000..1252c964
--- /dev/null
+++ b/tests/linux/clean/x11vnc.simple
@@ -0,0 +1,103 @@
+# linux/clean/x11vnc: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/refs: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+credential/os/shadow: medium
+credential/password: low
+credential/ssh/d: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/decrypt: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/rc4: low
+data/embedded/pem_certificate: low
+data/random/insecure: low
+discover/group/lookup: medium
+discover/network/netstat: medium
+discover/processes/list: medium
+discover/system/hostname: low
+discover/system/platform: low
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/file/location/var_run: medium
+evasion/file/location/x11_unix: medium
+evasion/file/prefix: medium
+exec/conditional/LANG: low
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exec/shell/echo: medium
+exec/shell/exec: medium
+exec/shell/ignore_output: medium
+exec/shell/nohup: medium
+exfil/upload: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/file/delete: medium
+fs/file/delete_forcibly: medium
+fs/file/times_set: medium
+fs/link_read: low
+fs/node_create: low
+fs/path/bin_su: low
+fs/path/etc: low
+fs/path/home: low
+fs/path/home_library: low
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/pid_fd: medium
+fs/tempfile: low
+impact/remote_access/agent: medium
+impact/remote_access/crypto_listen_socks: medium
+impact/remote_access/heartbeat: medium
+impact/remote_access/kill_rm: medium
+impact/remote_access/pseudo_terminal: medium
+impact/remote_access/reverse_shell: medium
+impact/ui/screensaver: medium
+impact/ui/x11_auth: medium
+impact/ui/xsession: medium
+lateral/scan/tool: medium
+net/http/post: medium
+net/http/request: low
+net/http/server: medium
+net/ip/addr: medium
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/string: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/remote_control/vnc: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/filter: medium
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/tcp/ssh: medium
+net/url/embedded: low
+persist/daemon: medium
+privesc/setuid: low
+process/chdir: low
+process/executable_path: low
+process/groupid_set: low
+process/terminate/kill_multiple: medium
+sus/exclamation: medium
+sus/malicious: medium
diff --git a/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple b/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple
new file mode 100644
index 00000000..52135451
--- /dev/null
+++ b/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple
@@ -0,0 +1,71 @@
+# linux/synthetic/cnc-dns-over-https.aarch64: high
+c2/addr/ip: high
+c2/addr/url: low
+c2/discovery/ip_dns_resolver: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: low
+collect/archives/zip: medium
+credential/keylogger: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/encrypt: medium
+crypto/public_key: low
+crypto/tls: low
+data/compression/gzip: low
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/hash/md5: low
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: low
+exec/plugin: low
+exec/program: medium
+fs/directory/list: low
+fs/file/open: low
+fs/file/read: low
+fs/link_read: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home: low
+fs/path/relative: medium
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/tempfile: low
+net/dns: low
+net/dns/over_https: medium
+net/dns/servers: low
+net/dns/txt: low
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip/host_port: medium
+net/ip/parse: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/netlink: low
+process/chdir: low
diff --git a/tests/npm/2024.depe-tool/package.json.simple b/tests/npm/2024.depe-tool/package.json.simple
new file mode 100644
index 00000000..a085d698
--- /dev/null
+++ b/tests/npm/2024.depe-tool/package.json.simple
@@ -0,0 +1,5 @@
+# npm/2024.depe-tool/package.json: critical
+data/encoding/json_decode: low
+exec/cmd/npm_preinstall: high
+exec/remote_commands/code_eval: critical
+fs/file/read: low
diff --git a/tests/npm/2024.depe-tool/preinstall.json.simple b/tests/npm/2024.depe-tool/preinstall.json.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/php/2024.malcure/simple.php.simple b/tests/php/2024.malcure/simple.php.simple
index 599ab6bf..b3ee0195 100644
--- a/tests/php/2024.malcure/simple.php.simple
+++ b/tests/php/2024.malcure/simple.php.simple
@@ -4,5 +4,6 @@
 data/base64/decode: medium
 data/encoding/base64: low
 exec/remote_commands/code_eval: high
+impact/remote_access/backdoor: medium
 impact/remote_access/remote_eval: critical
 net/url/embedded: low
diff --git a/tests/python/2024.coloredtxt/base64_payload3.py.simple b/tests/python/2024.coloredtxt/base64_payload3.py.simple
index 0c217902..3a290cc7 100644
--- a/tests/python/2024.coloredtxt/base64_payload3.py.simple
+++ b/tests/python/2024.coloredtxt/base64_payload3.py.simple
@@ -1,6 +1,5 @@
 # python/2024.coloredtxt/base64_payload3.py: critical
 c2/addr/url: high
-c2/tool_transfer/python: high
 data/base64/decode: medium
 data/encoding/base64: low
 discover/system/platform: medium
diff --git a/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple b/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple
index 778afeb6..47c2d996 100644
--- a/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple
+++ b/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple
@@ -1,4 +1,3 @@
 # python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py: critical
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/python: low
 anti-static/packer/py_kramer: critical
diff --git a/tests/python/clean/versioneer/versioneer.py.simple b/tests/python/clean/versioneer/versioneer.py.simple
index d36e3bdd..08ebb261 100644
--- a/tests/python/clean/versioneer/versioneer.py.simple
+++ b/tests/python/clean/versioneer/versioneer.py.simple
@@ -1,10 +1,9 @@
-# python/clean/versioneer/versioneer.py: high
+# python/clean/versioneer/versioneer.py: medium
 anti-static/base64/eval: medium
 data/base64/decode: medium
 data/embedded/base64_terms: medium
 data/embedded/base64_url: medium
 data/encoding/base64: low
-exec/remote_commands/code_eval: high
 fs/file/open: low
 fs/path/usr_bin: low
 os/fd/write: low
diff --git a/tests/ruby/clean/homebrew/homebrew_no_overrides_spec.rb.simple b/tests/ruby/clean/homebrew/homebrew_no_overrides_spec.rb.simple
new file mode 100644
index 00000000..a649555c
--- /dev/null
+++ b/tests/ruby/clean/homebrew/homebrew_no_overrides_spec.rb.simple
@@ -0,0 +1,4 @@
+# ruby/clean/homebrew/homebrew_no_overrides_spec.rb: low
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: low
+net/url/embedded: low
diff --git a/tests/ruby/clean/homebrew/homebrew_test.pdf.simple b/tests/ruby/clean/homebrew/homebrew_test.pdf.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/samples_test.go b/tests/samples_test.go
index eb6b09db..23753728 100644
--- a/tests/samples_test.go
+++ b/tests/samples_test.go
@@ -125,6 +125,15 @@ func TestJSON(t *testing.T) {
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("json output mismatch: (-want +got):\n%s", diff)
 }
+
+ res.Files.Range(func(_, value any) bool {
+ if r, ok := value.(*malcontent.FileReport); ok {
+ if strings.Contains(binPath, "/clean/") && r.RiskScore > 2 {
+ t.Errorf("%s score too high for a 'clean' sample: %s [%d]:\n%s", binPath, r.RiskLevel, r.RiskScore, got)
+ }
+ }
+ return true
+ })
 })
 return nil
 })
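Review bot: The clean-sample guard added after the cmp.Diff check in TestJSON is pasted verbatim into TestSimple and TestMarkdown as well, so a change to the threshold or the message has to be made in three places and the copies can silently drift; extract it once as a t.Helper() and call `assertCleanSample(t, binPath, res.Files, got)` from each test. The helper only needs the Range method the hunk already calls, so it can take a small local interface and stay independent of whatever concrete type res.Files has (not visible here). Worth a comment on the helper saying why it exists: the golden .simple comparison just above already pins the exact output, so this check mainly catches a golden file regenerated with an inflated score for a sample under clean/, as versioneer.py.simple was before this commit. TestJSON begins outside the hunk and its enclosing walk callback ends with the hunk's final `})`.
```go
// maxCleanRiskScore is the highest RiskScore a sample under a clean/
// directory may receive. The golden .simple comparison already pins exact
// output; this guards against a golden file regenerated with an inflated
// score. Presumably 2 is "medium" — confirm against the scorer.
const maxCleanRiskScore = 2

// fileRanger is the part of res.Files the clean-sample check uses.
type fileRanger interface {
	Range(func(key, value any) bool)
}

// assertCleanSample fails the test if binPath is a clean/ sample whose
// report scores above maxCleanRiskScore; got is echoed for diagnosis.
func assertCleanSample(t *testing.T, binPath string, files fileRanger, got string) {
	t.Helper()
	if !strings.Contains(binPath, "/clean/") {
		return
	}
	files.Range(func(_, value any) bool {
		if r, ok := value.(*malcontent.FileReport); ok && r.RiskScore > maxCleanRiskScore {
			t.Errorf("%s score too high for a 'clean' sample: %s [%d]:\n%s", binPath, r.RiskLevel, r.RiskScore, got)
		}
		return true
	})
}

// … unchanged: cmp.Diff check in TestJSON …
assertCleanSample(t, binPath, res.Files, got)
```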
@@ -195,6 +204,16 @@ func TestSimple(t *testing.T) {
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("Simple output mismatch: (-want +got):\n%s", diff)
 }
+
+ // Eeek. We shouldn't be returning such an awkward object in a public interface
+ res.Files.Range(func(_, value any) bool {
+ if r, ok := value.(*malcontent.FileReport); ok {
+ if strings.Contains(binPath, "/clean/") && r.RiskScore > 2 {
+ t.Errorf("%s score too high for a 'clean' sample: %s [%d]:\n%s", binPath, r.RiskLevel, r.RiskScore, got)
+ }
+ }
+ return true
+ })
 })
 return nil
 })
@@ -501,6 +520,15 @@ func TestMarkdown(t *testing.T) {
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("markdown output mismatch: (-want +got):\n%s", diff)
 }
+
+ res.Files.Range(func(_, value any) bool {
+ if r, ok := value.(*malcontent.FileReport); ok {
+ if strings.Contains(binPath, "/clean/") && r.RiskScore > 2 {
+ t.Errorf("%s score too high for a 'clean' sample: %s [%d]:\n%s", binPath, r.RiskLevel, r.RiskScore, got)
+ }
+ }
+ return true
+ })
 })
 return nil
 })
diff --git a/tests/windows/clean/make-win.ps1.simple b/tests/windows/clean/make-win.ps1.simple
index ee1f4d43..c673d974 100644
--- a/tests/windows/clean/make-win.ps1.simple
+++ b/tests/windows/clean/make-win.ps1.simple
@@ -1,5 +1,5 @@
-# windows/clean/make-win.ps1: high
-3P/InQuest-VT/base64_powershell_directives: high
+# windows/clean/make-win.ps1: medium
+3P/InQuest-VT/base64_powershell_directives: medium
 data/base64/decode: medium
 data/embedded/base64_terms: medium
 exec/shell/pipe_sh: medium
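Review bot: The `// Eeek. We shouldn't be returning such an awkward object in a public interface` line above the Range call in TestSimple records a frustration but not the actual concern or what would resolve it, so it will outlive any fix and nobody will know when to delete it. Replace it with a TODO that states the problem concretely, e.g. `// TODO: res.Files only exposes Range(func(key, value any) bool), forcing a type assertion to *malcontent.FileReport on every caller; consider a typed accessor.` The identical block in TestJSON and TestMarkdown carries no such comment, so the wording should live once, where the shared check is defined, rather than on one of three copies. TestSimple begins and ends outside the hunk; the hunk's closing `})` lines end the walk callback, not the function.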
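Review bot: The threshold in `if strings.Contains(binPath, "/clean/") && r.RiskScore > 2 {` in TestMarkdown is a bare magic number repeated in TestJSON and TestSimple; the only hint of its meaning is the .simple fixtures in this commit, where clean samples are now expected to land at most at "medium". Name it once, `const maxCleanRiskScore = 2 // presumably "medium"; confirm against the scorer`, and use it in all three places so a change to the level mapping is a one-line edit. The directory test also assumes forward-slash paths; if these tests are ever run on Windows, matching on `filepath.ToSlash(binPath)` keeps the clean/ detection stable. TestMarkdown begins and ends outside the hunk.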