Skip to content

Latest commit

 

History

History
91 lines (81 loc) · 15.9 KB

File metadata and controls

91 lines (81 loc) · 15.9 KB

GuardDog Rules Reference

This document lists all detection rules available in GuardDog, organized by ecosystem.

Rules are categorized by their identifies field which determines how they participate in risk scoring:

  • capability.* - Detects what code can do (function calls, APIs). Requires a matching threat to form a risk.
  • threat.* - Detects suspicious indicators. Forms risks when paired with matching capabilities.
  • threat.runtime.* - Standalone threats that auto-form risks without needing a capability.
  • threat.metadata.* - Package metadata threats that auto-form risks without needing a capability.

Capability rules

Rule Identifies Description Severity PyPI npm go GitHub Action Extension RubyGems
capability-process-schedule capability.process.schedule Detects ability to create scheduled tasks (cron, at, schtasks) medium
capability-network-outbound capability.network.outbound Detects network request capabilities (HTTP, sockets, etc.) low
capability-network-download capability.network.download Detects downloading files from network low
capability-network-lolbas capability.network Detects usage of LOLBAS network tools (curl, wget, nc, etc.) low
capability-filesystem-write-executable capability.filesystem.write.executable Detects writing executable files or changing file permissions to executable medium
capability-filesystem-read capability.filesystem.read Detects filesystem read capabilities low
capability-process-spawn capability.process.spawn Detects process execution and spawning low
capability-filesystem-delete capability.filesystem.delete Detects file/directory deletion capabilities low
capability-filesystem-browser capability.filesystem.browser Detects browser credential and cookie access capabilities medium
capability-process-hooks capability.process.hooks Detects install hooks that can execute code during package installation low
capability-runtime-clipboard capability.runtime.clipboard Detects clipboard access operations low

Threat rules (source code)

Rule Identifies Description Severity PyPI npm go GitHub Action Extension RubyGems
threat-filesystem-read threat.filesystem.read Detects access to sensitive files (credentials, configs, keys) high
threat-runtime-obfuscation-chr threat.runtime.obfuscation Detects chr-based code obfuscation: exec/eval of chr() sequences high
threat-runtime-obfuscation-dynamic-eval threat.runtime.obfuscation.dynamic-eval Detects JavaScript payloads executed through eval/Function over a self-decoding wrapper or character-code/base64 decoded data high
threat-npm-preinstall-script threat.process.hooks Detects npm preinstall scripts, which are almost exclusively used for malware delivery high
threat-runtime-obfuscation-steganography threat.runtime.obfuscation.steganography Detects steganography decode followed by code execution high
threat-runtime-keylogging threat.runtime.keylogging Detects keylogging and input capture patterns high
threat-runtime-dynamic-loader threat.runtime.obfuscation Detects dynamic code loading: downloading and importing/executing code at runtime high
threat-process-cryptomining threat.process.cryptomining Detects cryptocurrency mining activity high
threat-runtime-self-propagation threat.runtime.self-propagation Detects worm/self-propagating behavior: package code that rewrites its own manifest and programmatically publishes copies to a package registry to spread high
threat-process-powershell-encoded threat.process.spawn Detects PowerShell encoded commands, hidden windows, and download cradles high
threat-network-reverse-shell threat.network.outbound Detects reverse shell patterns and remote access tools high
threat-runtime-obfuscation-general threat.runtime.obfuscation.general Detects heavy code obfuscation techniques medium
threat-runtime-obfuscation-hidden-code threat.runtime.obfuscation Detects a payload hidden by excessive whitespace or require aliased through a global to evade static analysis high
threat-filesystem-destruction threat.filesystem.destruction Detects destructive operations (recursive deletion, wiping) high
threat-setup-suspicious-imports threat.setup.import.aliasing Detects suspicious imports in setup.py: network, system, or crypto libraries that have no place in a build script high
threat-runtime-obfuscation-pyarmor threat.runtime.obfuscation.pyarmor Detects PyArmor obfuscation, a commercial tool commonly used to hide malicious code in Python packages medium
threat-network-exfiltration threat.network.outbound Detects URLs to suspicious domains often used for exfiltration or C2 high
threat-runtime-enumeration threat.runtime.enumeration Detects extensive system/network enumeration activities medium
threat-runtime-environment-read threat.runtime.environment.read Detects reading of environment variables (credential access, often contains secrets) low
threat-process-memory threat.process.memory Detects memory scraping and credential dumping from process memory high
threat-process-hooks threat.process.hooks Detects LOLBAS usage in install hooks (execution and network tools) medium
threat-runtime-obfuscation threat.runtime.obfuscation Detects heavy obfuscation techniques commonly used by malware low
threat-npm-http-dependency threat.npm.http.dependency Detects HTTP/HTTPS URL dependencies in package.json (dependency confusion, untrusted sources) high
threat-network-outbound-shady-links threat.network.outbound.shady_links Detects URLs to URL shorteners, file sharing, and suspicious services medium
threat-runtime-obfuscation-unicode threat.runtime.obfuscation.unicode Detects unicode homoglyphs and uncommon characters used for obfuscation medium
threat-process-sysinfo threat.process.spawn.sysinfo Detects LOLBAS usage in process spawning medium
threat-runtime-obfuscation-log-suppress threat.runtime.obfuscation Detects log/console suppression combined with obfuscated code, a common malware evasion pattern medium
threat-network-exfil-messenger threat.network.outbound Detects hardcoded messaging platform tokens/webhooks used for data exfiltration high
threat-network-dns-exfil threat.network.outbound Detects DNS-based data exfiltration: encoding data in DNS queries high
threat-setup-import-aliasing threat.setup.import.aliasing Detects suspicious import aliasing of dangerous functions in setup.py high
threat-runtime-obfuscation-import-exec threat.runtime.obfuscation Detects dynamic import chains used to obfuscate code execution high
threat-setup-network-in-install threat.network.outbound Detects network operations or hostname/system info collection in setup.py, which is suspicious at install time high
threat-runtime-obfuscation-api threat.runtime.obfuscation.api Detects advanced API call obfuscation using introspection and reflection techniques medium
threat-filesystem-autostart threat.filesystem.autostart Detects suspicious autostart persistence mechanisms high
threat-npm-dependency-confusion threat.npm.http.dependency Detects dependency confusion indicators: self-referencing dependencies or DNS exfil in scripts high
threat-process-download-exec threat.process.spawn Detects download-and-execute patterns: fetching a remote file then executing it high
threat-runtime-obfuscation-base64exec threat.runtime.obfuscation.base64exec Detects base64 decoding followed by code execution high
threat-network-exfil-sysinfo threat.network.outbound Detects system info collection combined with network exfiltration (hostname/user in HTTP requests) high
threat-runtime-obfuscation-js-mangling threat.runtime.obfuscation.js.mangling Detects JavaScript variable name mangling (_0x pattern) used by obfuscation tools medium
threat-process-spawn-silent threat.process.spawn.silent Detects fully silent process execution (suppressing all output channels) low
threat-runtime-system-info threat.runtime.system.info Detects active collection of system information (hostname, platform, architecture, user) low
threat-process-injection-dll threat.process.injection.dll Detects DLL injection and process injection techniques high
threat-runtime-screencapture threat.runtime.screencapture medium

Threat rules (metadata)

Rule Identifies Description Severity MITRE Tactic PyPI npm go GitHub Action Extension RubyGems
typosquatting threat.metadata.typosquatting Identify packages that are named closely to an highly popular package high initial-access
potentially_compromised_email_domain threat.metadata.compromised-email Identify when a package maintainer e-mail domain (and therefore package manager account) might have been compromised high initial-access
unclaimed_maintainer_email_domain threat.metadata.unclaimed-email Identify when a package maintainer e-mail domain (and therefore npm account) is unclaimed and can be registered by an attacker high initial-access
repository_integrity_mismatch threat.metadata.integrity-mismatch Identify packages with a linked GitHub repository where the package has extra unexpected files high initial-access
bundled_binary threat.metadata.bundled-binary Identify packages bundling binaries medium defense-evasion
deceptive_author threat.metadata.deceptive-author This heuristic detects when an author is using a disposable email medium initial-access
metadata_mismatch threat.metadata.manifest-mismatch Identify packages with mismatches between registry metadata and the actual package manifest medium execution
direct_url_dependency threat.metadata.direct-url-dep Identify packages with direct URL dependencies. Dependencies fetched this way are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. medium initial-access
risky_new_dependency threat.npm.risky-new-dependency Identify newly added dependencies that are themselves risky. A dependency introduced in this version but absent from the previous one is scanned as a package; it is flagged when its risk score is high. high initial-access