Update testdata
tstromberg committed Mar 3, 2024
1 parent df12068 commit b195a51
Showing 5 changed files with 393 additions and 0 deletions.
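--- a/testdata/Linux/libnss_db.so.json
+++ b/testdata/Linux/libnss_db.so.json
@@ -0,0 +1,34 @@
+{
+"Files": {
+"./Linux/libnss_db.so": {
+"Behaviors": {
+"group/lookup": {
+"Description": "get entry from group database",
+"Strings": [
+"endgrent",
+"getgrent",
+"setgrent"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"ref/path/var": {
+"Description": "References paths within /var",
+"Strings": [
+"/var/db/ethers.db",
+"/var/db/group.db",
+"/var/db/gshadow.db",
+"/var/db/netgroup.db",
+"/var/db/passwd.db",
+"/var/db/protocols.db",
+"/var/db/rpc.db",
+"/var/db/services.db",
+"/var/db/shadow.db"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+}
+}
+}
+}
+}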
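Review bot: The expectation pins `/var/db/shadow.db` and `/var/db/gshadow.db` as matches of only the generic `ref/path/var` rule at RiskScore 1, while the ordinary group-database calls (`getgrent`, `setgrent`) get MED under `group/lookup`; if the rule set has a credential-store rule for shadow/gshadow paths it did not fire on this sample, and that is worth confirming before this output is frozen as the expected result. For an NSS backend these paths are its legitimate purpose, so the inversion (shadow LOW, group lookup MED) reads as rule weighting rather than a property of the file. The fixture looks tool-generated, so any rule adjustment should be followed by regenerating it rather than hand-editing the scores here.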
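--- a/testdata/Linux/roothelper_uselvjf23.json
+++ b/testdata/Linux/roothelper_uselvjf23.json
@@ -0,0 +1,30 @@
+{
+"Files": {
+"./Linux/roothelper_uselvjf23": {
+"Syscalls": [
+"execve"
+],
+"Pledge": [
+"exec"
+],
+"Behaviors": {
+"evasion/packer/shc": {
+"Description": "Binary generated with SHC (Shell Script Compiler)",
+"Strings": [
+"argv[0] nor $_"
+],
+"RiskScore": 3,
+"RiskLevel": "HIGH"
+},
+"exec/program": {
+"Description": "executes another program",
+"Strings": [
+"execvp"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+}
+}
+}
+}
+}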
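--- a/testdata/Python/valryian_debug_setup.py.json
+++ b/testdata/Python/valryian_debug_setup.py.json
@@ -0,0 +1,125 @@
+{
+"Files": {
+"./Python/valryian_debug_setup.py": {
+"Syscalls": [
+"execve",
+"getuid",
+"pipe",
+"sysctl"
+],
+"Pledge": [
+"exec",
+"sysctl"
+],
+"Behaviors": {
+"combo/router/recon": {
+"Description": "recon commands",
+"Strings": [
+"hostname",
+"ifconfig",
+"uname -a",
+"whoami"
+],
+"RiskScore": 3,
+"RiskLevel": "HIGH"
+},
+"exec/pipe": {
+"Description": "Uses popen to launch a program and pipe output to/from it",
+"Strings": [
+"os.popen"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"exec/program": {
+"Description": "executes another program",
+"Strings": [
+"system("
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"exec/shell_command": {
+"Description": "execute a shell command",
+"Strings": [
+"system"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"fs/file/times/set": {
+"Description": "change file timestamps",
+"Strings": [
+"touch /tmp/.ttp-python-ran"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"kernel/uname/get": {
+"Description": "get system identification (uname)",
+"Strings": [
+"uname"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"net/fetch": {
+"Description": "executable calls fetch tool",
+"Strings": [
+"curl -"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"net/interface/list": {
+"Description": "list network interfaces and their associated addresses",
+"Strings": [
+"ifconfig"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"net/ip/external_address/query": {
+"Description": "public service to discover external IP address",
+"Strings": [
+"ifconfig.me"
+],
+"RiskScore": 3,
+"RiskLevel": "HIGH"
+},
+"process/current/whoami": {
+"Description": "returns the user name running this process",
+"Strings": [
+"whoami"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"ref/path/hidden": {
+"Description": "Hidden file path in a system directory",
+"Strings": [
+"/tmp/.ttp-python-ran"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"ref/path/tmp": {
+"Description": "References paths within /tmp",
+"Strings": [
+"/tmp/.ttp-python-ran"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"ref/site/url": {
+"Description": "contains embedded HTTPS URLs",
+"Strings": [
+"https://hooks.slack.com/services/__FAKE__/__TTP_BENCH__"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+}
+}
+}
+}
+}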
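Review bot: The Slack incoming-webhook URL under `ref/site/url` is pinned at LOW as a generic embedded HTTPS URL, even though the same expectation records recon commands, `curl -` and an external-IP lookup (`ifconfig.me`) in the same file — a webhook endpoint next to those is an exfiltration shape that no rule here names, so the overall picture for this sample is understated. Separately, `exec/program` (`system(`) and `exec/shell_command` (`system`) match the same call twice at MED, which double-counts if scores are aggregated. Both are observations about the rules this fixture freezes rather than about the JSON; the file appears tool-generated, so adjusting a rule means regenerating it.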
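--- a/testdata/does-nothing/does-nothing.go.json
+++ b/testdata/does-nothing/does-nothing.go.json
@@ -0,0 +1,5 @@
+{
+"Files": {
+"./does-nothing/does-nothing.go": {}
+}
+}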
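--- a/testdata/macOS/SpectralBlur-macshare.json
+++ b/testdata/macOS/SpectralBlur-macshare.json
@@ -0,0 +1,199 @@
+{
+"Files": {
+"./macOS/SpectralBlur-macshare": {
+"Syscalls": [
+"connect",
+"execve",
+"fork",
+"getlogin",
+"pthread_create",
+"recv",
+"send",
+"sendmsg",
+"sendto",
+"sysctl",
+"unlink"
+],
+"Pledge": [
+"exec",
+"id",
+"inet",
+"rpath",
+"sysctl",
+"wpath"
+],
+"Behaviors": {
+"combo/backdoor/generic/upload_terminal_exec": {
+"Description": "Uploads, provides a terminal, runs program",
+"Strings": [
+"_uname",
+"_unlink",
+"_waitpid",
+"execve",
+"shell",
+"tcsetattr",
+"upload"
+],
+"RiskScore": 3,
+"RiskLevel": "HIGH"
+},
+"device/pseudo_terminal": {
+"Description": "pseudo-terminal access functions",
+"Strings": [
+"grantpt",
+"posix_openpt",
+"ptsname",
+"unlockpt"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"env/SHELL": {
+"Description": "SHELL",
+"Strings": [
+"SHELL"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"exec/program": {
+"Description": "executes another program",
+"Strings": [
+"execve"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"exec/program/background": {
+"Description": "Waits for a process to exit",
+"Strings": [
+"waitpid"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"fs/file/delete": {
+"Description": "deletes files",
+"Strings": [
+"unlink"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"fs/symlink/resolve": {
+"Description": "resolves symbolic links",
+"Strings": [
+"realpath"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"kernel/uname/get": {
+"Description": "get system identification (uname)",
+"Strings": [
+"uname"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"net/download": {
+"Description": "Downloads files",
+"Strings": [
+"download"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"net/hostname/resolve": {
+"Description": "resolves network hosts via name",
+"Strings": [
+"gethostbyname"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"net/ip/parse": {
+"Description": "Parse an IP address",
+"Strings": [
+"inet_addr"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"net/ip/string": {
+"Description": "converts IP address from byte to string",
+"Strings": [
+"inet_ntoa"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"net/socket/connect": {
+"Description": "initiate a connection on a socket",
+"Strings": [
+"_connect"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"net/socket/receive": {
+"Description": "receive a message from a socket",
+"Strings": [
+"_recv"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"net/socket/send": {
+"Description": "send a message to a socket",
+"Strings": [
+"_send"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"net/upload": {
+"Description": "Uploads files",
+"Strings": [
+"upload"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"process/create": {
+"Description": "Create a new child process using fork",
+"Strings": [
+"_fork"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"process/current/username/get": {
+"Description": "get login name",
+"Strings": [
+"getlogin"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+},
+"process/thread/create": {
+"Description": "create a new thread",
+"Strings": [
+"pthread_create"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"random/insecure": {
+"Description": "generate random numbers insecurely",
+"Strings": [
+"_rand",
+"srand"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+}
+}
+}
+}
+}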
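Review bot: Two of the pinned descriptions do not match what their rule name promises: `exec/program/background` is described as `Waits for a process to exit` (matched on `waitpid`), and `env/SHELL` carries the description `SHELL`, which tells a reader nothing about why an environment-variable reference is scored. `net/download` and `net/upload` fire on the bare words `download` and `upload`, which are weak indicators in isolation; they only become meaningful here through the `combo/backdoor/generic/upload_terminal_exec` rule that pairs them with `execve`, `tcsetattr` and `shell`. These are rule-text and weighting points rather than defects in the fixture, but since this file freezes the descriptions, any wording fix to the rules will require regenerating it.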
