From b195a51e92e11a087ed64e9ed76c0bfc180cc86c Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 3 Mar 2024 09:59:40 -0500
Subject: [PATCH] Update testdata

---
 testdata/Linux/libnss_db.so.json | 34 ++++
 testdata/Linux/roothelper_uselvjf23.json | 30 +++
 testdata/Python/valryian_debug_setup.py.json | 125 ++++++++++++
 testdata/does-nothing/does-nothing.go.json | 5 +
 testdata/macOS/SpectralBlur-macshare.json | 199 +++++++++++++++++++
 5 files changed, 393 insertions(+)
 create mode 100644 testdata/Linux/libnss_db.so.json
 create mode 100644 testdata/Linux/roothelper_uselvjf23.json
 create mode 100644 testdata/Python/valryian_debug_setup.py.json
 create mode 100644 testdata/does-nothing/does-nothing.go.json
 create mode 100644 testdata/macOS/SpectralBlur-macshare.json

diff --git a/testdata/Linux/libnss_db.so.json b/testdata/Linux/libnss_db.so.json
new file mode 100644
index 000000000..df2442843
--- /dev/null
+++ b/testdata/Linux/libnss_db.so.json
@@ -0,0 +1,34 @@
+{
+  "Files": {
+    "./Linux/libnss_db.so": {
+      "Behaviors": {
+        "group/lookup": {
+          "Description": "get entry from group database",
+          "Strings": [
+            "endgrent",
+            "getgrent",
+            "setgrent"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "ref/path/var": {
+          "Description": "References paths within /var",
+          "Strings": [
+            "/var/db/ethers.db",
+            "/var/db/group.db",
+            "/var/db/gshadow.db",
+            "/var/db/netgroup.db",
+            "/var/db/passwd.db",
+            "/var/db/protocols.db",
+            "/var/db/rpc.db",
+            "/var/db/services.db",
+            "/var/db/shadow.db"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        }
+      }
+    }
+  }
+}
diff --git a/testdata/Linux/roothelper_uselvjf23.json b/testdata/Linux/roothelper_uselvjf23.json
new file mode 100644
index 000000000..97f446b01
--- /dev/null
+++ b/testdata/Linux/roothelper_uselvjf23.json
@@ -0,0 +1,30 @@
+{
+  "Files": {
+    "./Linux/roothelper_uselvjf23": {
+      "Syscalls": [
+        "execve"
+      ],
+      "Pledge": [
+        "exec"
+      ],
+      "Behaviors": {
+        "evasion/packer/shc": {
+          "Description": "Binary generated with SHC (Shell Script Compiler)",
+          "Strings": [
+            "argv[0] nor $_"
+          ],
+          "RiskScore": 3,
+          "RiskLevel": "HIGH"
+        },
+        "exec/program": {
+          "Description": "executes another program",
+          "Strings": [
+            "execvp"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        }
+      }
+    }
+  }
+}
diff --git a/testdata/Python/valryian_debug_setup.py.json b/testdata/Python/valryian_debug_setup.py.json
new file mode 100644
index 000000000..bb98ed860
--- /dev/null
+++ b/testdata/Python/valryian_debug_setup.py.json
@@ -0,0 +1,125 @@
+{
+  "Files": {
+    "./Python/valryian_debug_setup.py": {
+      "Syscalls": [
+        "execve",
+        "getuid",
+        "pipe",
+        "sysctl"
+      ],
+      "Pledge": [
+        "exec",
+        "sysctl"
+      ],
+      "Behaviors": {
+        "combo/router/recon": {
+          "Description": "recon commands",
+          "Strings": [
+            "hostname",
+            "ifconfig",
+            "uname -a",
+            "whoami"
+          ],
+          "RiskScore": 3,
+          "RiskLevel": "HIGH"
+        },
+        "exec/pipe": {
+          "Description": "Uses popen to launch a program and pipe output to/from it",
+          "Strings": [
+            "os.popen"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "exec/program": {
+          "Description": "executes another program",
+          "Strings": [
+            "system("
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "exec/shell_command": {
+          "Description": "execute a shell command",
+          "Strings": [
+            "system"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "fs/file/times/set": {
+          "Description": "change file timestamps",
+          "Strings": [
+            "touch /tmp/.ttp-python-ran"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "kernel/uname/get": {
+          "Description": "get system identification (uname)",
+          "Strings": [
+            "uname"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "net/fetch": {
+          "Description": "executable calls fetch tool",
+          "Strings": [
+            "curl -"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "net/interface/list": {
+          "Description": "list network interfaces and their associated addresses",
+          "Strings": [
+            "ifconfig"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "net/ip/external_address/query": {
+          "Description": "public service to discover external IP address",
+          "Strings": [
+            "ifconfig.me"
+          ],
+          "RiskScore": 3,
+          "RiskLevel": "HIGH"
+        },
+        "process/current/whoami": {
+          "Description": "returns the user name running this process",
+          "Strings": [
+            "whoami"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "ref/path/hidden": {
+          "Description": "Hidden file path in a system directory",
+          "Strings": [
+            "/tmp/.ttp-python-ran"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "ref/path/tmp": {
+          "Description": "References paths within /tmp",
+          "Strings": [
+            "/tmp/.ttp-python-ran"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "ref/site/url": {
+          "Description": "contains embedded HTTPS URLs",
+          "Strings": [
+            "https://hooks.slack.com/services/__FAKE__/__TTP_BENCH__"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        }
+      }
+    }
+  }
+}
diff --git a/testdata/does-nothing/does-nothing.go.json b/testdata/does-nothing/does-nothing.go.json
new file mode 100644
index 000000000..589ecf121
--- /dev/null
+++ b/testdata/does-nothing/does-nothing.go.json
@@ -0,0 +1,5 @@
+{
+  "Files": {
+    "./does-nothing/does-nothing.go": {}
+  }
+}
diff --git a/testdata/macOS/SpectralBlur-macshare.json b/testdata/macOS/SpectralBlur-macshare.json
new file mode 100644
index 000000000..f01b3f04f
--- /dev/null
+++ b/testdata/macOS/SpectralBlur-macshare.json
@@ -0,0 +1,199 @@
+{
+  "Files": {
+    "./macOS/SpectralBlur-macshare": {
+      "Syscalls": [
+        "connect",
+        "execve",
+        "fork",
+        "getlogin",
+        "pthread_create",
+        "recv",
+        "send",
+        "sendmsg",
+        "sendto",
+        "sysctl",
+        "unlink"
+      ],
+      "Pledge": [
+        "exec",
+        "id",
+        "inet",
+        "rpath",
+        "sysctl",
+        "wpath"
+      ],
+      "Behaviors": {
+        "combo/backdoor/generic/upload_terminal_exec": {
+          "Description": "Uploads, provides a terminal, runs program",
+          "Strings": [
+            "_uname",
+            "_unlink",
+            "_waitpid",
+            "execve",
+            "shell",
+            "tcsetattr",
+            "upload"
+          ],
+          "RiskScore": 3,
+          "RiskLevel": "HIGH"
+        },
+        "device/pseudo_terminal": {
+          "Description": "pseudo-terminal access functions",
+          "Strings": [
+            "grantpt",
+            "posix_openpt",
+            "ptsname",
+            "unlockpt"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "env/SHELL": {
+          "Description": "SHELL",
+          "Strings": [
+            "SHELL"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "exec/program": {
+          "Description": "executes another program",
+          "Strings": [
+            "execve"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "exec/program/background": {
+          "Description": "Waits for a process to exit",
+          "Strings": [
+            "waitpid"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "fs/file/delete": {
+          "Description": "deletes files",
+          "Strings": [
+            "unlink"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "fs/symlink/resolve": {
+          "Description": "resolves symbolic links",
+          "Strings": [
+            "realpath"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "kernel/uname/get": {
+          "Description": "get system identification (uname)",
+          "Strings": [
+            "uname"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "net/download": {
+          "Description": "Downloads files",
+          "Strings": [
+            "download"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "net/hostname/resolve": {
+          "Description": "resolves network hosts via name",
+          "Strings": [
+            "gethostbyname"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "net/ip/parse": {
+          "Description": "Parse an IP address",
+          "Strings": [
+            "inet_addr"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "net/ip/string": {
+          "Description": "converts IP address from byte to string",
+          "Strings": [
+            "inet_ntoa"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "net/socket/connect": {
+          "Description": "initiate a connection on a socket",
+          "Strings": [
+            "_connect"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "net/socket/receive": {
+          "Description": "receive a message from a socket",
+          "Strings": [
+            "_recv"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "net/socket/send": {
+          "Description": "send a message to a socket",
+          "Strings": [
+            "_send"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "net/upload": {
+          "Description": "Uploads files",
+          "Strings": [
+            "upload"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "process/create": {
+          "Description": "Create a new child process using fork",
+          "Strings": [
+            "_fork"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "process/current/username/get": {
+          "Description": "get login name",
+          "Strings": [
+            "getlogin"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        },
+        "process/thread/create": {
+          "Description": "create a new thread",
+          "Strings": [
+            "pthread_create"
+          ],
+          "RiskScore": 2,
+          "RiskLevel": "MED"
+        },
+        "random/insecure": {
+          "Description": "generate random numbers insecurely",
+          "Strings": [
+            "_rand",
+            "srand"
+          ],
+          "RiskScore": 1,
+          "RiskLevel": "LOW"
+        }
+      }
+    }
+  }
+}