Make lolbas-sysinfo detection language-agnostic #773
PR #769 narrowed the whoami/hostname patterns to require a Python exec wrapper (popen, check_call, Popen, ...) to kill false positives from dict keys, XML lookups and API paths. That fixed the FPs but, as noted in review, made the rule Python-dependent and drifted from the LOLBAS spirit: the OS command itself is the indicator, independent of the host language. This adds language-agnostic invocation patterns alongside the exec wrapper, matching the approach already used by lolbas-proc.meta and lolbas-net.meta:
- tool-specific flags (whoami /all, hostname -I, ...)
- absolute binary paths (/usr/bin/whoami, /bin/hostname)
The exec-wrapper patterns are kept unchanged so the no-argument invocation is still caught and PR #769's false-positive fixes are preserved. Extends the positive fixture to cover the new flag/path detections.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 00becd83a6
| $hostname = /\b(popen|system|getoutput|getstatusoutput|check_output|check_call|Popen|run|call|spawn\w*|execl?p?e?|exec_command)\s*\(\s*\[?\s*['"]hostname\b/ nocase | ||
| // Invoked as an OS command with tool-specific flags (language-agnostic) | ||
| $whoami_flag = /\bwhoami\s+\/(all|user|groups|priv|fqdn|upn|logonid)\b/ nocase | ||
| $hostname_flag = /\bhostname\s+(--fqdn|-[AdfiIsy])\b/ |
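Review bot: `$hostname_flag` covers `--fqdn` as the only long option, while the short flags it lists (`-A -d -f -i -I -s -y`) each have a long form in hostname(1) (`--all-fqdns`, `--domain`, `--long`, `--ip-address`, `--all-ip-addresses`, `--short`, `--yp`/`--nis`), so `hostname --short` or `hostname --all-ip-addresses` slips past where `hostname -s` and `hostname -I` are caught. Consider widening the alternation, e.g. `/\bhostname\s+(--(fqdn|long|short|domain|ip-address|all-ip-addresses|all-fqdns|alias|yp|nis)|-[aAdfiIsy])\b/`, which also folds in the `-a` alias flag. Separately, `$hostname_flag` has no `nocase` while `$whoami_flag` does; that is correct because Linux `hostname` distinguishes `-i` from `-I`, but a one-line comment saying so would stop a future cleanup from "harmonising" it.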
Include the hostname alias flag
The new language-agnostic hostname detection omits the lowercase -a display flag even though hostname --help lists -a, --alias with the other information-gathering options. As a result, code that builds or stores hostname -a outside one of the recognized exec-wrapper call sites still evades this rule, while the adjacent -A/-d/-f/-i/-I/-s/-y variants are detected.
What

Makes the `lolbas-sysinfo` detection (whoami/hostname) language-agnostic, addressing review feedback on PR #769 (comment).

Why

PR #769 narrowed the `whoami`/`hostname` patterns to require a Python exec wrapper (`popen`, `check_call`, `Popen`, ...) in order to kill false positives where these words appear as dict keys (`result['hostname']`), XML element lookups (`findall("hostname")`) or API path segments (`/workers/whoami`).

That fixed the FPs, but as @sobregosodd pointed out in review, it made the rule Python-dependent and drifted from the spirit of the `.meta` rule: in LOLBAS detection the OS command itself is the indicator, independent of the host language. The sibling helpers `lolbas-proc.meta` and `lolbas-net.meta` already follow that spirit by matching commands via intrinsic invocation context (flags, paths, pipes, URLs) rather than a language-specific wrapper.

How

Adds language-agnostic invocation patterns alongside the existing exec wrapper:
- tool-specific flags: `whoami /all`, `hostname -I`, etc.
- absolute binary paths: `/usr/bin/whoami`, `/bin/hostname`

The exec-wrapper patterns are kept unchanged, so:
- the no-argument invocation (`subprocess.run(["whoami"])`) is still caught, and
- PR #769's false-positive fixes are preserved.

The positive fixture is extended to cover the new flag/path detections, which would not have matched under #769's Python-exec-only regex.

Testing

All 132 cases pass, including the positive and benign regression fixtures for `threat-process-sysinfo`.
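To make the layering described in the commit message and the "How" section concrete, here is an added example (not code from the PR or the project) that transcribes the rule's regexes into Python and runs them over a constructed fixture of the same OS commands written in several host languages, alongside the benign look-alikes PR #769 was fixing. The `$hostname` exec-wrapper and the two flag regexes are copied from the diff; the `whoami` exec-wrapper is assumed to have the same shape, and the path regexes are an assumed form built from the two paths the PR names. All fixture lines are constructed for this example.

```python
import re

# Exec-wrapper regex as shown in the PR diff for hostname, turned into a template
# over the tool name; the whoami wrapper is assumed to have the same shape.
EXEC_WRAPPER = (
    r"\b(popen|system|getoutput|getstatusoutput|check_output|check_call|Popen|run|call"
    r"|spawn\w*|execl?p?e?|exec_command)\s*\(\s*\[?\s*['\"]{tool}\b"
)

PATTERNS = {
    # Language-specific layer: an exec wrapper followed by the bare tool name.
    "whoami_exec": re.compile(EXEC_WRAPPER.format(tool="whoami"), re.IGNORECASE),
    "hostname_exec": re.compile(EXEC_WRAPPER.format(tool="hostname"), re.IGNORECASE),
    # Language-agnostic layer 1: tool-specific flags (regexes from the diff).
    "whoami_flag": re.compile(
        r"\bwhoami\s+/(all|user|groups|priv|fqdn|upn|logonid)\b", re.IGNORECASE
    ),
    # No IGNORECASE here: on Linux -i and -I are different flags.
    "hostname_flag": re.compile(r"\bhostname\s+(--fqdn|-[AdfiIsy])\b"),
    # Language-agnostic layer 2: absolute binary paths. The PR names
    # /usr/bin/whoami and /bin/hostname; this regex form is an assumption.
    "whoami_path": re.compile(r"/(usr/)?bin/whoami\b"),
    "hostname_path": re.compile(r"/(usr/)?bin/hostname\b"),
}


def scan(line):
    """Return the names of every pattern that fires on one source line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]


# Constructed fixture lines (not the project's fixtures): the same OS commands
# in Python, shell, Go, Ruby and PowerShell, the benign look-alikes that
# PR #769 was fixing, and the `hostname -a` gap raised in review.
FIXTURE = [
    ("positive", 'out = subprocess.run(["whoami"], capture_output=True)'),
    ("positive", 'os.system("whoami /all")'),
    ("positive", "ip=$(hostname -I | awk '{print $1}')"),
    ("positive", 'cmd := exec.Command("/usr/bin/whoami")'),
    ("positive", 'fqdn = IO.popen("hostname --fqdn").read'),
    ("positive", "$u = whoami /upn"),
    ("benign", "name = result['hostname']"),
    ("benign", 'for n in root.findall("hostname"):'),
    ("benign", 'url = "/api/workers/whoami"'),
    ("gap", "alias=$(hostname -a)"),
]


def evaluate(fixture=FIXTURE):
    """Bucket fixture lines by outcome so regressions in either direction are visible."""
    report = {"true_positive": [], "missed": [], "false_positive": []}
    for expectation, line in fixture:
        hits = scan(line)
        if expectation == "benign":
            if hits:
                report["false_positive"].append(line)
        elif hits:
            report["true_positive"].append(line)
        else:
            report["missed"].append(line)
    return report


if __name__ == "__main__":
    for expectation, line in FIXTURE:
        print(f"{expectation:8} {scan(line) or '-'}  {line}")
```

Running it shows the two layers doing different jobs: the Go and shell lines are caught only by the path and flag patterns (no wrapper word is present), the Python and Ruby lines by both, and none of the dict-key, XML-lookup or URL lines fire. The last fixture line lands in `missed`, which is exactly the `-a` gap the review comment describes.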