llm-security/knowledge/signatures.json
2026-06-20 09:28:52 +02:00

62 lines
2.4 KiB
JSON

{
"version": "1.0",
"description": "Small, high-confidence known-bad-identity signatures grouped by family. Patterns are case-insensitive JS regex source strings. Kept deliberately tight to minimize false positives; obfuscated variants are caught because the SIG scanner runs each pattern against the normalizeForScan/foldHomoglyphs/rot13 decode pipeline, not just raw bytes.",
"rules": [
{
"id": "SIG-WEBSHELL-001",
"family": "webshell",
"severity": "critical",
"pattern": "(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\\s*\\(\\s*\\$_(?:POST|GET|REQUEST|COOKIE|SERVER)",
"description": "PHP webshell: executes attacker-controlled request data",
"provenance": "Classic PHP webshell pattern (c99/r57/b374k families)"
},
{
"id": "SIG-WEBSHELL-002",
"family": "webshell",
"severity": "high",
"pattern": "\\$_(?:POST|GET|REQUEST|COOKIE)\\s*\\[[^\\]]*\\]\\s*\\(",
"description": "PHP variable-function call on request data (obfuscated webshell)",
"provenance": "Variable-function webshell obfuscation"
},
{
"id": "SIG-REVSHELL-001",
"family": "reverse_shell",
"severity": "critical",
"pattern": "(?:bash|sh)\\s+-i\\s*>&?\\s*/dev/tcp/",
"description": "Bash /dev/tcp reverse shell",
"provenance": "PentestMonkey reverse-shell cheat sheet"
},
{
"id": "SIG-REVSHELL-002",
"family": "reverse_shell",
"severity": "critical",
"pattern": "\\bnc\\s+-[a-z]*e[a-z]*\\s+/(?:bin|usr/bin)/(?:sh|bash)\\b",
"description": "Netcat -e reverse shell",
"provenance": "Netcat reverse-shell one-liner"
},
{
"id": "SIG-MINER-001",
"family": "cryptominer",
"severity": "high",
"pattern": "stratum\\+(?:tcp|ssl)://",
"description": "Cryptominer stratum pool URL",
"provenance": "Stratum mining protocol"
},
{
"id": "SIG-MINER-002",
"family": "cryptominer",
"severity": "high",
"pattern": "\\b(?:xmrig|minerd|cgminer|ccminer|cpuminer)\\b",
"description": "Known cryptominer binary reference",
"provenance": "Common CPU/GPU miner binaries"
},
{
"id": "SIG-HACKTOOL-001",
"family": "hacktool",
"severity": "high",
"pattern": "\\b(?:mimikatz|meterpreter|sekurlsa::|lsadump::)\\b",
"description": "Offensive-security tooling reference",
"provenance": "Mimikatz / Metasploit Meterpreter"
}
]
}