
Make lolbas-sysinfo detection language-agnostic#773

Open
christophetd wants to merge 1 commit into v3 from christophe.tafanidereeper/v3-lolbas-sysinfo-language-agnostic

Conversation

@christophetd (Contributor)

What

Makes the lolbas-sysinfo detection (whoami / hostname) language-agnostic, addressing review feedback on PR #769 (comment).

Why

PR #769 narrowed the whoami/hostname patterns to require a Python exec wrapper (popen, check_call, Popen, ...) in order to kill false positives where these words appear as dict keys (result['hostname']), XML element lookups (findall("hostname")) or API path segments (/workers/whoami).

That fixed the FPs, but as @sobregosodd pointed out in review, it made the rule Python-dependent and drifted from the spirit of the .meta rule: in LOLBAS detection the OS command itself is the indicator, independent of the host language. The sibling helpers lolbas-proc.meta and lolbas-net.meta already follow that spirit by matching commands via intrinsic invocation context (flags, paths, pipes, URLs) rather than a language-specific wrapper.

How

Adds language-agnostic invocation patterns alongside the existing exec wrapper:

  • tool-specific flags: whoami /all, hostname -I, etc.
  • absolute binary paths: /usr/bin/whoami, /bin/hostname

The exec-wrapper patterns are kept unchanged, so:

The positive fixture is extended to cover the new flag/path detections, which would not have matched under #769's Python-exec-only regex.

Testing

uv run pytest tests/analyzer/sourcecode/test_sourcecode_yara.py

All 132 cases pass, including the positive and benign regression fixtures for threat-process-sysinfo.

PR #769 narrowed the whoami/hostname patterns to require a Python exec
wrapper (popen, check_call, Popen, ...) to kill false positives from dict
keys, XML lookups and API paths. That fixed the FPs but, as noted in review,
made the rule Python-dependent and drifted from the LOLBAS spirit: the OS
command itself is the indicator, independent of the host language.

This adds language-agnostic invocation patterns alongside the exec wrapper,
matching the approach already used by lolbas-proc.meta and lolbas-net.meta:
- tool-specific flags (whoami /all, hostname -I, ...)
- absolute binary paths (/usr/bin/whoami, /bin/hostname)

The exec-wrapper patterns are kept unchanged so the no-argument invocation
is still caught and PR #769's false-positive fixes are preserved. Extends
the positive fixture to cover the new flag/path detections.
@christophetd christophetd requested a review from a team as a code owner June 16, 2026 15:53

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 00becd83a6


$hostname = /\b(popen|system|getoutput|getstatusoutput|check_output|check_call|Popen|run|call|spawn\w*|execl?p?e?|exec_command)\s*\(\s*\[?\s*['"]hostname\b/ nocase
// Invoked as an OS command with tool-specific flags (language-agnostic)
$whoami_flag = /\bwhoami\s+\/(all|user|groups|priv|fqdn|upn|logonid)\b/ nocase
$hostname_flag = /\bhostname\s+(--fqdn|-[AdfiIsy])\b/


P2: Include the hostname alias flag

The new language-agnostic hostname detection omits the lowercase -a display flag even though hostname --help lists -a, --alias with the other information-gathering options. As a result, code that builds or stores hostname -a outside one of the recognized exec-wrapper call sites still evades this rule, while the adjacent -A/-d/-f/-i/-I/-s/-y variants are detected.

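Worked example, added here and not part of PR #773 or the repository's own rule or test files: the whoami/hostname detection described in the PR, mirrored as Python regular expressions and run over constructed fixtures. The `$hostname` exec-wrapper regex and the two `*_flag` regexes are copied from the review snippet above; the `whoami` exec-wrapper regex and the absolute-path regex are assumptions written from the PR description (the page names the paths but does not quote the rule's pattern for them), and every fixture string is constructed for this example. The block also reproduces the gap Codex raised: `hostname -a` stored outside a recognised exec-wrapper call site is not matched by the flag pattern as written, while `hostname -A` is.

```python
"""Language-agnostic whoami/hostname detection, mirrored from PR #773 in Python.

Added example, not the project's YARA rule. Regexes marked "quoted" are copied
from the review snippet on the page; those marked "assumed" are written from
the PR's prose and may differ from the real .meta rule.
"""
import re

# Exec-wrapper call sites (quoted from the page). YARA `nocase` -> re.IGNORECASE.
_WRAPPERS = (
    r"popen|system|getoutput|getstatusoutput|check_output|check_call|Popen|run|call|"
    r"spawn\w*|execl?p?e?|exec_command"
)
HOSTNAME_EXEC = re.compile(
    r"""\b(""" + _WRAPPERS + r""")\s*\(\s*\[?\s*['"]hostname\b""", re.IGNORECASE
)
# Assumed: the same wrapper shape for whoami (the page quotes only $hostname).
WHOAMI_EXEC = re.compile(
    r"""\b(""" + _WRAPPERS + r""")\s*\(\s*\[?\s*['"]whoami\b""", re.IGNORECASE
)
# Tool-specific flags (quoted from the page). Note that -a is not in the
# hostname character class; that is the omission the Codex review points at.
WHOAMI_FLAG = re.compile(r"\bwhoami\s+\/(all|user|groups|priv|fqdn|upn|logonid)\b", re.IGNORECASE)
HOSTNAME_FLAG = re.compile(r"\bhostname\s+(--fqdn|-[AdfiIsy])\b")
# Absolute binary paths (assumed regex for the "/usr/bin/whoami, /bin/hostname"
# bullet). The lookbehind keeps "/workers/whoami"-style API paths from matching.
ABS_PATH = re.compile(r"(?<![\w/])/(usr/)?bin/(whoami|hostname)\b")

PATTERNS = {
    "hostname_exec": HOSTNAME_EXEC,
    "whoami_exec": WHOAMI_EXEC,
    "whoami_flag": WHOAMI_FLAG,
    "hostname_flag": HOSTNAME_FLAG,
    "abs_path": ABS_PATH,
}


def matching_patterns(snippet: str) -> list[str]:
    """Names of the patterns that fire on one source snippet, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(snippet)]


def evaluate(positive: list[str], benign: list[str]) -> tuple[list[str], list[str]]:
    """Return (positive snippets missed, benign snippets wrongly flagged)."""
    missed = [s for s in positive if not matching_patterns(s)]
    flagged_benign = [s for s in benign if matching_patterns(s)]
    return missed, flagged_benign


# Constructed fixtures (not the repository's test files).
POSITIVE = [
    'subprocess.check_output(["hostname"])',  # exec wrapper, no arguments
    'os.popen("whoami").read()',              # exec wrapper, no arguments
    'cmd = "whoami /all"',                    # flag only, no recognised wrapper
    'out = run_shell("hostname -I")',         # flag through an unknown wrapper
    'exec_path = "/usr/bin/whoami"',          # absolute path, no call site
    "$(/bin/hostname -f)",                    # shell: path and flag
]
BENIGN = [
    "result['hostname']",                     # dict key
    'root.findall("hostname")',               # XML element lookup
    'requests.get(base + "/workers/whoami")', # API path segment
    'parser.add_argument("--hostname")',      # CLI option name
]


def main() -> None:
    for snippet in POSITIVE + BENIGN:
        print(f"{snippet!r:45} -> {matching_patterns(snippet)}")
    missed, flagged = evaluate(POSITIVE, BENIGN)
    print("missed positives:", missed, "| flagged benign:", flagged)
    # The gap from the review: -a is not in the hostname flag class.
    print("hostname -a ->", matching_patterns('cmd = "hostname -a"'))
    print("hostname -A ->", matching_patterns('cmd = "hostname -A"'))


if __name__ == "__main__":
    main()
```

Running the file prints, per fixture, which pattern names fire. The benign list reproduces the three false-positive shapes the PR description names, and the positive list shows the three detection routes (wrapper, flag, path) firing independently of each other, which is the language-agnostic property the PR is after.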
