{ "version": "1.0", "description": "Small, high-confidence known-bad-identity signatures grouped by family. Patterns are case-insensitive JS regex source strings. Kept deliberately tight to minimize false positives; obfuscated variants are caught because the SIG scanner runs each pattern against the normalizeForScan/foldHomoglyphs/rot13 decode pipeline, not just raw bytes.", "rules": [ { "id": "SIG-WEBSHELL-001", "family": "webshell", "severity": "critical", "pattern": "(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\\s*\\(\\s*\\$_(?:POST|GET|REQUEST|COOKIE|SERVER)", "description": "PHP webshell: executes attacker-controlled request data", "provenance": "Classic PHP webshell pattern (c99/r57/b374k families)" }, { "id": "SIG-WEBSHELL-002", "family": "webshell", "severity": "high", "pattern": "\\$_(?:POST|GET|REQUEST|COOKIE)\\s*\\[[^\\]]*\\]\\s*\\(", "description": "PHP variable-function call on request data (obfuscated webshell)", "provenance": "Variable-function webshell obfuscation" }, { "id": "SIG-REVSHELL-001", "family": "reverse_shell", "severity": "critical", "pattern": "(?:bash|sh)\\s+-i\\s*>&?\\s*/dev/tcp/", "description": "Bash /dev/tcp reverse shell", "provenance": "PentestMonkey reverse-shell cheat sheet" }, { "id": "SIG-REVSHELL-002", "family": "reverse_shell", "severity": "critical", "pattern": "\\bnc\\s+-[a-z]*e[a-z]*\\s+/(?:bin|usr/bin)/(?:sh|bash)\\b", "description": "Netcat -e reverse shell", "provenance": "Netcat reverse-shell one-liner" }, { "id": "SIG-MINER-001", "family": "cryptominer", "severity": "high", "pattern": "stratum\\+(?:tcp|ssl)://", "description": "Cryptominer stratum pool URL", "provenance": "Stratum mining protocol" }, { "id": "SIG-MINER-002", "family": "cryptominer", "severity": "high", "pattern": "\\b(?:xmrig|minerd|cgminer|ccminer|cpuminer)\\b", "description": "Known cryptominer binary reference", "provenance": "Common CPU/GPU miner binaries" }, { "id": "SIG-HACKTOOL-001", "family": "hacktool", "severity": "high", "pattern": "\\b(?:mimikatz|meterpreter|sekurlsa::|lsadump::)\\b", "description": "Offensive-security tooling reference", "provenance": "Mimikatz / Metasploit Meterpreter" } ] }