
yara fmt
tstromberg committed Dec 17, 2024
1 parent a6b38fe commit b0aa34b
Showing 4 changed files with 19 additions and 17 deletions.
4 changes: 2 additions & 2 deletions rules/exfil/stealer/keylogger.yara
Expand Up @@ -44,8 +44,8 @@ rule py_keykeyboard_exfil: high {
$http_Discord = "Discord"
$http_keylogger = /[kK]eylogger/
$http_Telegram = "Telegram"
$f_pynput = "pynput" fullword
$f_keyboard = "keyboard" fullword
$f_pynput = "pynput" fullword
$f_keyboard = "keyboard" fullword
$f_key = ".name"
$f_listener = "on_release"
2 changes: 1 addition & 1 deletion rules/false_positives/py_hatch.yara
@@ -1,6 +1,6 @@
rule migrate_py: override {
meta:
description = "migrate.py"
description = "migrate.py"
setuptools_eval_high = "medium"

strings:
6 changes: 3 additions & 3 deletions rules/false_positives/setuptools.yara
@@ -1,6 +1,6 @@
rule setuptools_namespaces: override {
meta:
description = "namespaces.py"
description = "namespaces.py"
setuptools_exec_high = "low"

strings:
Expand All @@ -18,7 +18,7 @@ rule setuptools_namespaces: override {

rule numba_support: override {
meta:
description = "support.py"
description = "support.py"
setuptools_exec_high = "low"

strings:
Expand All @@ -33,7 +33,7 @@ rule numba_support: override {

rule setup_pydevd_cython: override {
meta:
description = "setup_pydevd_cython.py"
description = "setup_pydevd_cython.py"
setuptools_exec_high = "low"

strings:
24 changes: 13 additions & 11 deletions rules/impact/remote_access/py_setuptools.yara
Expand Up @@ -51,8 +51,9 @@ rule setuptools_cmd_exec: high {
$not_comment = "Editable install to a prefix should be discoverable."
$not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')"
$not_requests = "'Documentation': 'https://requests.readthedocs.io'"
$not_sdist_publish = "python setup.py sdist bdist_wheel"
$not_twine_upload = "twine upload dist/*"
$not_sdist_publish = "python setup.py sdist bdist_wheel"
$not_twine_upload = "twine upload dist/*"
condition:
remote_access_pythonSetup and any of ($f*) and none of ($not*)
}
Expand All @@ -71,25 +72,25 @@ rule setuptools_cmd_exec_start: critical {
remote_access_pythonSetup and any of ($f*)
}


rule setuptools_eval: medium {
meta:
description = "Python library installer that evaluates arbitrary code"

strings:
$f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
$f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
condition:
remote_access_pythonSetup and any of ($f*)
}


rule setuptools_eval_high: high {
meta:
description = "Python library installer that evaluates arbitrary code"

strings:
$f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
$not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
$f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
$not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
condition:
remote_access_pythonSetup and any of ($f*) and none of ($not*)
}
Expand All @@ -99,7 +100,8 @@ rule setuptools_exec: medium {
description = "Python library installer that executes arbitrary code"

strings:
$f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
$f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
condition:
remote_access_pythonSetup and any of ($f*)
}
Expand All @@ -109,7 +111,7 @@ rule setuptools_exec_high: high {
description = "Python library installer that evaluates arbitrary code"

strings:
$f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
$f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
$not_apache = "# Licensed under the Apache License, Version 2.0 (the \"License\")"
$not_comment = "Editable install to a prefix should be discoverable."
$not_google = /# Copyright [1-2][0-9]{3} Google Inc/
Expand All @@ -119,12 +121,12 @@ rule setuptools_exec_high: high {
$not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\""
$not_requests = "'Documentation': 'https://requests.readthedocs.io'"
$not_test_egg_class = "class TestEggInfo"
$not_namespaced = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
$not_namespaced = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
condition:
remote_access_pythonSetup and any of ($f*) and none of ($not*)
}


rule setuptools_b64decode: suspicious {
meta:
description = "Python library installer that does base64 decoding"
