feat: Obfuscated exfiltration detection, WebSocket C2, FP reduction, GitLab CI (closes #1, #2, #3, #5)#78
Open
ezzy1630 wants to merge 1 commit into
Conversation
…ab CI template, and context-aware FP reduction (closes counterspec#1, counterspec#2, counterspec#3, counterspec#5) Obfuscated Credential Exfiltration Detection (counterspec#1 - tier:critical, 1000 ): - New obfuscated-exfil.ts module with 8 detection patterns - Base64-encoded exfiltration URLs - Hex/charcode-constructed API endpoints - String reversal and concatenation obfuscation - Environment variable harvesting with obfuscated transmission - Template literal URL assembly - Decode-then-send patterns - Decoded sample extraction (base64, hex, charcode, reversed strings) - 11 test cases with real-world malware encoding patterns Malicious WebSocket Handler Detection (counterspec#3 - tier:rule, 200 ): - New websocket-c2.ts module with 6 detection patterns - WebSocket C2 connection detection (hardcoded and dynamic URLs) - Message handler exfiltration (onmessage accessing env/files) - Reverse shell pattern (WebSocket + child_process) - Data exfiltration channel detection (sensitive data over ws.send) - Binary payload transfer detection - Suspicious URL indicators (ngrok, Tor, raw IP, Discord webhooks) - 10 test cases Reduce False Positives on Legitimate HTTP Clients (counterspec#2 - tier:improvement, 500 ): - HTTP_CLIENT_PATTERNS for common legitimate libraries - LEGITIMATE_HTTP_CONTEXT for test/framework files - KNOWN_SAFE_ENDPOINTS allowlist - Context-aware detection distinguishing legitimate from malicious usage GitLab CI Integration Template (counterspec#5 - tier:improvement, 750 ): - .gitlab-ci/isnad-gitlab-ci.yml with full, quick, and flag-submission jobs - SARIF output for GitLab Security Dashboard integration - Configurable severity thresholds and scan targets - Documentation with setup, configuration, and usage examples All 21 tests passing. Closes counterspec#1, closes counterspec#2, closes counterspec#3, closes counterspec#5
|
@ezzy1630 is attempting to deploy a commit to the Rapi's projects Team on Vercel. A member of the Team first needs to authorize it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bounty Issues Addressed
This PR addresses 4 bounty issues in a single submission:
#1 - Detect Obfuscated Credential Exfiltration (1,000 $ISNAD, tier:critical)
New
obfuscated-exfil.tsdetection module:atob()/Buffer.from()decoding with network calls\\x68\\x74\\x74\\x70style obfuscated URLsString.fromCharCode(104,116,116,112...)patterns.split("").reverse().join("")to hide URLs"https:" + "//evil.com"evade detection`https://${subdomain}.evil.com/${path}`process.env→ obfuscated transmissionfetch/axios/requestAll 8 detection patterns + decoder with 11 test cases.
#3 - Scanner Rule for Malicious WebSocket Handlers (200 $ISNAD, tier:rule)
New
websocket-c2.tsdetection module:onmessagehandlers accessingprocess.env/fschild_process/execSynccombos.send()with sensitive dataArrayBuffer/Uint8Arrayhandling#2 - Reduce False Positives on Legitimate HTTP Clients (500 $ISNAD, tier:improvement)
Context-aware detection patterns:
HTTP_CLIENT_PATTERNS— Allowlist for axios, node-fetch, got, superagent, needle, urllib3LEGITIMATE_HTTP_CONTEXT— Test file detection (jest, mocha, vitest, cypress)KNOWN_SAFE_ENDPOINTS— Allowlist for GitHub API, npm registry, PyPI, OpenAI, Anthropic APIs#5 - GitLab CI Integration Template (750 $ISNAD, tier:improvement)
.gitlab-ci/isnad-gitlab-ci.yml:ISNAD_FAIL_ON_CRITICAL,ISNAD_FAIL_ON_HIGH,ISNAD_FAIL_ON_MEDIUMTesting
All 21 tests passing:
Closes #1, closes #2, closes #3, closes #5