Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
62 lines
2.4 KiB
JSON
62 lines
2.4 KiB
JSON
{
|
|
"version": "1.0",
|
|
"description": "Small, high-confidence known-bad-identity signatures grouped by family. Patterns are case-insensitive JS regex source strings. Kept deliberately tight to minimize false positives; obfuscated variants are caught because the SIG scanner runs each pattern against the normalizeForScan/foldHomoglyphs/rot13 decode pipeline, not just raw bytes.",
|
|
"rules": [
|
|
{
|
|
"id": "SIG-WEBSHELL-001",
|
|
"family": "webshell",
|
|
"severity": "critical",
|
|
"pattern": "(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\\s*\\(\\s*\\$_(?:POST|GET|REQUEST|COOKIE|SERVER)",
|
|
"description": "PHP webshell: executes attacker-controlled request data",
|
|
"provenance": "Classic PHP webshell pattern (c99/r57/b374k families)"
|
|
},
|
|
{
|
|
"id": "SIG-WEBSHELL-002",
|
|
"family": "webshell",
|
|
"severity": "high",
|
|
"pattern": "\\$_(?:POST|GET|REQUEST|COOKIE)\\s*\\[[^\\]]*\\]\\s*\\(",
|
|
"description": "PHP variable-function call on request data (obfuscated webshell)",
|
|
"provenance": "Variable-function webshell obfuscation"
|
|
},
|
|
{
|
|
"id": "SIG-REVSHELL-001",
|
|
"family": "reverse_shell",
|
|
"severity": "critical",
|
|
"pattern": "(?:bash|sh)\\s+-i\\s*>&?\\s*/dev/tcp/",
|
|
"description": "Bash /dev/tcp reverse shell",
|
|
"provenance": "PentestMonkey reverse-shell cheat sheet"
|
|
},
|
|
{
|
|
"id": "SIG-REVSHELL-002",
|
|
"family": "reverse_shell",
|
|
"severity": "critical",
|
|
"pattern": "\\bnc\\s+-[a-z]*e[a-z]*\\s+/(?:bin|usr/bin)/(?:sh|bash)\\b",
|
|
"description": "Netcat -e reverse shell",
|
|
"provenance": "Netcat reverse-shell one-liner"
|
|
},
|
|
{
|
|
"id": "SIG-MINER-001",
|
|
"family": "cryptominer",
|
|
"severity": "high",
|
|
"pattern": "stratum\\+(?:tcp|ssl)://",
|
|
"description": "Cryptominer stratum pool URL",
|
|
"provenance": "Stratum mining protocol"
|
|
},
|
|
{
|
|
"id": "SIG-MINER-002",
|
|
"family": "cryptominer",
|
|
"severity": "high",
|
|
"pattern": "\\b(?:xmrig|minerd|cgminer|ccminer|cpuminer)\\b",
|
|
"description": "Known cryptominer binary reference",
|
|
"provenance": "Common CPU/GPU miner binaries"
|
|
},
|
|
{
|
|
"id": "SIG-HACKTOOL-001",
|
|
"family": "hacktool",
|
|
"severity": "high",
|
|
"pattern": "\\b(?:mimikatz|meterpreter|sekurlsa::|lsadump::)\\b",
|
|
"description": "Offensive-security tooling reference",
|
|
"provenance": "Mimikatz / Metasploit Meterpreter"
|
|
}
|
|
]
|
|
}
|