- Original path:
profiles/base/malware.toml
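# Malware Detection Profile
# Detects suspicious patterns commonly found in malware.
#
# Each [[patterns]] entry has a display `name`, a `pattern`, a `type`
# ("regex" or "bytes") and, for regexes, an optional `case-insensitive` flag.
# Regex patterns are written as TOML literal strings ('...') so that regex
# backslashes are not doubled; a "bytes" pattern is a colon-separated hex
# sequence. Every entry here is a heuristic that can also fire on benign
# content; the [[signatures]] queries at the end combine several hits.

# Encodings that are presumably unwrapped before matching, so that a wrapped
# payload can still hit the patterns below -- confirm against the scanner.
decode = ["base64", "hex", "unicode-escape-sequences"]

[[patterns]]
name = "Reverse Shell Command"
# Interactive shell invocation (`sh -i`, `cmd.exe -c`) followed on the same
# line by a network primitive. The bare `nc` alternative is short and will
# also match inside ordinary words further along the line.
pattern = '(?:/bin/(?:ba)?sh|cmd\.exe)\s+-[ic]\s+.*(?:/dev/tcp|nc|netcat)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "PowerShell Download Execute"
# A download cmdlet/alias followed (in that order) by Invoke-Expression/IEX.
pattern = '(?:powershell|pwsh).*(?:Invoke-WebRequest|IWR|wget|curl|DownloadString|DownloadFile).*(?:Invoke-Expression|IEX)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "PowerShell Base64 Encoded Command"
# `-e`, `-enc` or `-encodedcommand` followed by at least 20 base64 characters;
# the length floor keeps very short arguments from matching.
pattern = 'powershell.*-(?:enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Meterpreter Payload"
# Metasploit tool and payload naming (msfvenom/msfpayload, reverse_tcp/https).
pattern = 'meterpreter|msf(?:venom|payload)|reverse_(?:tcp|https?)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Suspicious Python Socket"
# TCP client setup with all four tokens in this order; any ordinary Python TCP
# client matches too, so treat as a weak indicator. Assumes `.` does not span
# newlines, so the calls must be on one line -- confirm the engine's flags.
pattern = 'socket\.socket.*socket\.AF_INET.*socket\.SOCK_STREAM.*connect\('
type = "regex"

[[patterns]]
name = "Suspicious Bash Network"
# Bash's /dev/tcp/<dotted-quad>/<port> pseudo-device; hostnames do not match.
pattern = '/dev/tcp/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]+'
type = "regex"

[[patterns]]
name = "Common C2 Callback"
# HTTP request line whose path is a single token of 32+ lowercase alphanumerics
# (hash-like). Case-sensitive, so upper-case hex paths are not matched.
pattern = '(?:POST|GET)\s+/[a-z0-9]{32,}\s+HTTP'
type = "regex"

[[patterns]]
name = "Encoded PowerShell"
# .NET base64 decode, optionally with its [System.Convert]:: prefix. The
# brackets and dot are escaped: unescaped, `[System.Convert]` is a character
# class and the prefix form never matched. Case-insensitive like the other
# PowerShell rules, since PowerShell method names are not case-sensitive.
pattern = '(?:\[System\.Convert\]::)?FromBase64String'
case-insensitive = true
type = "regex"

[[patterns]]
name = "WScript Shell"
# COM objects often used by script droppers to launch processes.
pattern = '(?:WScript\.Shell|Shell\.Application)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Suspicious Registry Autorun"
# Run/RunOnce autostart keys and the Services tree under HKCU/HKLM. Each `\\`
# in the literal string is one regex-escaped backslash.
pattern = '(?:HKCU|HKLM)\\(?:Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)|System\\CurrentControlSet\\Services)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Anti-Debugging"
# Win32 APIs used to detect an attached debugger; legitimate debuggers and
# crash handlers reference them as well.
pattern = '(?:IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|OutputDebugString)'
type = "regex"

[[patterns]]
name = "Anti-VM"
# Hypervisor vendor strings. `Xen` and `VBOX` are short and matched
# case-insensitively, so they also hit unrelated words (e.g. "Xenon").
pattern = '(?:VMware|VirtualBox|VBOX|Virtual HD|QEMU|Xen|Hyper-V)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "DLL Injection"
# Remote-process memory/thread APIs. LoadLibrary and GetProcAddress appear in
# almost every Windows binary, so a hit on this rule alone is weak evidence.
pattern = '(?:LoadLibrary|GetProcAddress|VirtualAllocEx|WriteProcessMemory|CreateRemoteThread)'
type = "regex"

[[patterns]]
name = "Privilege Escalation"
# Windows token privilege names commonly requested before escalation.
pattern = '(?:SeDebugPrivilege|SeImpersonatePrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege)'
type = "regex"

[[patterns]]
name = "Persistence Mechanism"
# Scheduled-task, WMI process and service-creation tooling; also common in
# admin scripts.
pattern = '(?:schtasks|at\.exe|wmic.*process|sc\.exe.*create)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Credential Dumping"
# Credential-dumping tool and target process names; `lsass.exe` also shows up
# in benign monitoring and troubleshooting output.
pattern = '(?:mimikatz|lsass\.exe|procdump|pwdump|gsecdump)'
case-insensitive = true
type = "regex"

[[patterns]]
name = "Suspicious Obfuscation"
# Dynamic code execution / import calls in Python. `importlib\s*\(` rarely
# matches because importlib is a package rather than a callable.
pattern = '(?:eval|exec|compile|importlib|__import__)\s*\('
type = "regex"

# Executable magic bytes. The "bytes" type carries no offset, so these
# presumably match anywhere in the file, not only at offset 0 -- a two-byte
# sequence like MZ occurs by chance in unrelated data.
[[patterns]]
name = "PE Executable Header"
pattern = "4D:5A"  # "MZ"
type = "bytes"

[[patterns]]
name = "ELF Executable Header"
pattern = "7F:45:4C:46"  # "\x7fELF"
type = "bytes"

[[patterns]]
name = "Mach-O Executable Header (32-bit)"
pattern = "FE:ED:FA:CE"
type = "bytes"

[[patterns]]
name = "Mach-O Executable Header (64-bit)"
pattern = "FE:ED:FA:CF"
type = "bytes"

[[signatures]]
name = "High Entropy Suspicious Files"
# 7.8 bits/byte is close to the 8-bit maximum: packed or encrypted payloads,
# but also ordinary compressed archives and media.
query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.8"

[[signatures]]
name = "Files with Multiple Malware Indicators"
# Files with more than two matches from the Shell/Injection/Anti- families.
# Uses COUNT(*) rather than the alias in HAVING for portability across SQL
# dialects. If pattern_matches stores one row per match, repeated hits of a
# single pattern also satisfy the threshold -- confirm the table's grain.
query = "SELECT sha256, COUNT(*) as indicator_count FROM pattern_matches WHERE pattern_name LIKE '%Shell%' OR pattern_name LIKE '%Injection%' OR pattern_name LIKE '%Anti-%' GROUP BY sha256 HAVING COUNT(*) > 2"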