add new type of bash special obfuscation detect rules

We5ter · May 7, 2019 · 942ab5f · 942ab5f
1 parent ac83974
commit 942ab5f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/flerken/config/rules/linux_rule.json b/flerken/config/rules/linux_rule.json
@@ -56,7 +56,8 @@
         "file_io": {
             "0": {"regex": "((eval|(bash\\s+-c)|(sh\\s+-c))[^\\x7c\\x3c\\x3e]*?(\\x22\\$\\x28)(.*?)(\\x29\\x22))|(eval|(bash\\s+-c)|(sh\\s+-c))[^\\x7c\\x3c\\x3e]*?(\\x27\\$\\x28)(.*?)(\\x29\\x27)"},
             "1": {"regex": "(printf|echo)[^\\x7c\\x3c\\x3e]*?((\\x22.*?\\x22)|(\\x27.*?\\x27))\\x3e.*?\/(\\w+.*?\\x3b)"},
-            "2": {"regex": "[\\x3b](cat|tail|head).*?\/\\w+.*?"}
+            "2": {"regex": "[\\x3b](cat|tail|head).*?\/\\w+.*?"},
+            "3": {"regex": "(echo|printf)[^\\x7c]*?((\\x22.*?\\x24\\x7b[^~]*?~{2}\\x7d.*?\\x22)|(\\x27.*?\\x24\\x7b[^~]*?~{2}\\x7d.*?\\x27))"}
         }
     }
 }
diff --git a/flerken/control/plugins/linux_special_detect_plugin.py b/flerken/control/plugins/linux_special_detect_plugin.py
@@ -70,6 +70,8 @@ def _check_file_io(self):
             variable_name = fi_rules_compiled[0].search(self.cmd).group(5)
             if fi_rules_compiled[1].search(self.cmd) != None and fi_rules_compiled[2].search(self.cmd) != None:
                 return True
+            elif fi_rules_compiled[3].search(self.cmd) != None:
+                return True
             else:
                 return False