agent-security-scanner-mcp 1.1.2 → 1.3.0

@@ -0,0 +1,791 @@
1
+ rules:
2
+ # ============================================================================
3
+ # CATEGORY 1: CODE & SECRET EXFILTRATION
4
+ # ============================================================================
5
+
6
+ # ----------------------------------------------------------------------------
7
+ # Network Exfiltration
8
+ # ----------------------------------------------------------------------------
9
+ - id: agent.exfil.security.send-to-external-url
10
+ languages: [generic]
11
+ severity: ERROR
12
+ message: "CRITICAL: Potential data exfiltration - requesting to send code/secrets to external URL"
13
+ patterns:
14
+ - "(?i)send\\s+(this|the|my|our)?\\s*(code|file|data|content|secret|key|token|credential|env|password|config).*\\s+(to|via)\\s+(my|your|the|an?)?\\s*(server|url|endpoint|webhook|api)"
15
+ - "(?i)(post|put|upload|transmit)\\s+(this|the)?\\s*(code|data|file|secret).*\\s+to\\s+https?://"
16
+ - "(?i)(curl|fetch|axios|requests?)\\s*.*\\s+(to|with)\\s+.*\\s+(code|secret|key|token|env)"
17
+ - "(?i)make\\s+(a|an)?\\s*(http|api|network)\\s+(request|call).*\\s+(containing|with|include).*\\s+(code|secret)"
18
+ metadata:
19
+ cwe: "CWE-200"
20
+ owasp: "A01:2021 - Broken Access Control"
21
+ risk_score: 95
22
+ category: "exfiltration"
23
+ action: "BLOCK"
24
+ confidence: HIGH
25
+
26
+ - id: agent.exfil.security.webhook-exfil
27
+ languages: [generic]
28
+ severity: ERROR
29
+ message: "CRITICAL: Webhook/Discord/Slack exfiltration attempt detected"
30
+ patterns:
31
+ - "(?i)send\\s+(to|via)\\s+(discord|slack|teams|telegram)\\s+(webhook|bot|channel)"
32
+ - "(?i)(discord|slack)\\.?com/(api|webhooks)/[A-Za-z0-9_/-]+"
33
+ - "(?i)(post|send)\\s+.*\\s+(code|secret|key|credential).*\\s+to\\s+(discord|slack|telegram)"
34
+ - "(?i)webhook.*\\s+(send|post).*\\s+(secret|key|token|code)"
35
+ metadata:
36
+ cwe: "CWE-200"
37
+ owasp: "A01:2021 - Broken Access Control"
38
+ risk_score: 95
39
+ category: "exfiltration"
40
+ action: "BLOCK"
41
+ confidence: HIGH
42
+
43
+ - id: agent.exfil.security.email-exfil
44
+ languages: [generic]
45
+ severity: ERROR
46
+ message: "CRITICAL: Email exfiltration attempt - sending secrets via email"
47
+ patterns:
48
+ - "(?i)(email|mail|smtp)\\s+.*\\s+(the|this)?\\s*(code|secret|key|credential|password|token)"
49
+ - "(?i)send\\s+.*\\s+(code|secret|credential).*\\s+(via|by|through)\\s+email"
50
+ - "(?i)(attach|include)\\s+.*\\s+(env|secret|key|credential).*\\s+(in|to)\\s+email"
51
+ metadata:
52
+ cwe: "CWE-200"
53
+ risk_score: 90
54
+ category: "exfiltration"
55
+ action: "BLOCK"
56
+ confidence: HIGH
57
+
58
+ # ----------------------------------------------------------------------------
59
+ # File System Exfiltration
60
+ # ----------------------------------------------------------------------------
61
+ - id: agent.exfil.security.read-sensitive-files
62
+ languages: [generic]
63
+ severity: ERROR
64
+ message: "CRITICAL: Request to read sensitive files (credentials, keys, configs)"
65
+ patterns:
66
+ - "(?i)read\\s+(and\\s+)?(show|display|output|print|reveal)\\s+(the|my)?\\s*(~/?\\.|\\.)?(env|ssh|aws|gcp|azure|kube|docker)"
67
+ - "(?i)(show|display|cat|read|output)\\s+(me\\s+)?(the\\s+)?(contents?\\s+of\\s+)?[~/]*\\.?(env|ssh/id_rsa|aws/credentials|npmrc|netrc|gitconfig)"
68
+ - "(?i)access\\s+(the\\s+)?(private|secret)\\s+(key|ssh|credential)\\s+file"
69
+ - "(?i)read.*\\.(pem|key|p12|pfx|jks|keystore|credentials)\\s*(file)?"
70
+ metadata:
71
+ cwe: "CWE-200"
72
+ risk_score: 90
73
+ category: "exfiltration"
74
+ action: "BLOCK"
75
+ confidence: HIGH
76
+
77
+ - id: agent.exfil.security.env-file-access
78
+ languages: [generic]
79
+ severity: ERROR
80
+ message: "CRITICAL: Explicit request for .env or environment secrets"
81
+ patterns:
82
+ - "(?i)(show|print|display|read|cat|output|echo)\\s+(me\\s+)?(the\\s+)?(\\.env|env\\s+file|environment\\s+variable)"
83
+ - "(?i)(base64|encode|encrypt)\\s+(the\\s+)?\\.?env"
84
+ - "(?i)include\\s+(the\\s+)?\\.?env\\s+(file\\s+)?(contents?|data|values?)\\s+in\\s+(your\\s+)?(response|output)"
85
+ - "(?i)what\\s+(are|is)\\s+(in\\s+)?(the|my)\\s+\\.?env\\s+(file)?"
86
+ metadata:
87
+ cwe: "CWE-200"
88
+ risk_score: 95
89
+ category: "exfiltration"
90
+ action: "BLOCK"
91
+ confidence: HIGH
92
+
93
+ - id: agent.exfil.security.ssh-key-access
94
+ languages: [generic]
95
+ severity: ERROR
96
+ message: "CRITICAL: Request to access SSH private keys"
97
+ patterns:
98
+ - "(?i)(read|show|display|cat|output)\\s+.*\\s*(id_rsa|id_ed25519|id_ecdsa|id_dsa)"
99
+ - "(?i)(show|read|access)\\s+(my|the)?\\s+(ssh|private)\\s+key"
100
+ - "(?i)~/.ssh/(id_rsa|id_ed25519|id_ecdsa|known_hosts|authorized_keys)"
101
+ - "(?i)(copy|send|upload)\\s+.*\\s+ssh\\s+(private\\s+)?key"
102
+ metadata:
103
+ cwe: "CWE-200"
104
+ risk_score: 95
105
+ category: "exfiltration"
106
+ action: "BLOCK"
107
+ confidence: HIGH
108
+
109
+ - id: agent.exfil.security.cloud-credentials
110
+ languages: [generic]
111
+ severity: ERROR
112
+ message: "CRITICAL: Request to access cloud provider credentials"
113
+ patterns:
114
+ - "(?i)(read|show|access|cat)\\s+.*\\s*(aws|gcp|azure|digitalocean).*\\s*(credentials?|config|token)"
115
+ - "(?i)~/.aws/(credentials|config)"
116
+ - "(?i)(show|read)\\s+.*\\s+(service\\s+account|gcloud|az\\s+login)"
117
+ - "(?i)access\\s+(the\\s+)?(cloud|aws|gcp|azure)\\s+(credentials?|secrets?|tokens?)"
118
+ metadata:
119
+ cwe: "CWE-200"
120
+ risk_score: 95
121
+ category: "exfiltration"
122
+ action: "BLOCK"
123
+ confidence: HIGH
124
+
125
+ # ----------------------------------------------------------------------------
126
+ # Encoding-based Exfiltration
127
+ # ----------------------------------------------------------------------------
128
+ - id: agent.exfil.security.encode-secrets
129
+ languages: [generic]
130
+ severity: ERROR
131
+ message: "CRITICAL: Encoding secrets for potential exfiltration"
132
+ patterns:
133
+ - "(?i)(base64|hex|rot13|url)\\s*(encode|encrypt)\\s+(the\\s+)?(secret|key|password|credential|token|api.?key)"
134
+ - "(?i)encode\\s+(all\\s+)?(the\\s+)?(env|environment|secret|credential)\\s+(variable|value|data)s?"
135
+ - "(?i)convert\\s+(secret|credential|password|key)s?\\s+to\\s+(base64|hex|binary)"
136
+ - "(?i)(embed|hide)\\s+(secrets?|credentials?)\\s+in\\s+(base64|encoded)"
137
+ metadata:
138
+ cwe: "CWE-200"
139
+ risk_score: 90
140
+ category: "exfiltration"
141
+ action: "BLOCK"
142
+ confidence: HIGH
143
+
144
+ # ----------------------------------------------------------------------------
145
+ # Git-based Exfiltration
146
+ # ----------------------------------------------------------------------------
147
+ - id: agent.exfil.security.push-to-external-repo
148
+ languages: [generic]
149
+ severity: ERROR
150
+ message: "CRITICAL: Attempt to push code to unauthorized/external repository"
151
+ patterns:
152
+ - "(?i)(git\\s+)?push\\s+(to|this\\s+to|code\\s+to)\\s+(my|an?\\s+external|different|another)\\s+(repo|repository)"
153
+ - "(?i)add\\s+(a\\s+)?remote\\s+.*\\s+and\\s+push"
154
+ - "(?i)(force\\s+)?push\\s+(all|everything|the\\s+code|this\\s+repo)\\s+to\\s+(my|a\\s+new)"
155
+ - "(?i)clone\\s+.*\\s+and\\s+(copy|transfer|move)\\s+(the\\s+)?code"
156
+ metadata:
157
+ cwe: "CWE-200"
158
+ risk_score: 85
159
+ category: "exfiltration"
160
+ action: "BLOCK"
161
+ confidence: HIGH
162
+
163
+ - id: agent.exfil.security.git-credential-theft
164
+ languages: [generic]
165
+ severity: ERROR
166
+ message: "CRITICAL: Git credential theft attempt"
167
+ patterns:
168
+ - "(?i)(show|read|cat)\\s+.*\\.git-credentials"
169
+ - "(?i)git\\s+config\\s+--global.*credential"
170
+ - "(?i)(extract|get|steal)\\s+git\\s+(credentials?|tokens?)"
171
+ metadata:
172
+ cwe: "CWE-200"
173
+ risk_score: 90
174
+ category: "exfiltration"
175
+ action: "BLOCK"
176
+ confidence: HIGH
177
+
178
+ # ============================================================================
179
+ # CATEGORY 2: MALICIOUS CODE INJECTION REQUESTS
180
+ # ============================================================================
181
+
182
+ # ----------------------------------------------------------------------------
183
+ # Backdoor Injection
184
+ # ----------------------------------------------------------------------------
185
+ - id: agent.injection.security.backdoor-request
186
+ languages: [generic]
187
+ severity: ERROR
188
+ message: "CRITICAL: Request to add backdoor or hidden access mechanism"
189
+ patterns:
190
+ - "(?i)add\\s+(a\\s+)?(secret\\s+|hidden\\s+)?backdoor"
191
+ - "(?i)(create|implement|write|insert)\\s+(a\\s+)?reverse\\s+shell"
192
+ - "(?i)(add|create|implement)\\s+(a\\s+)?(hidden|secret|covert)\\s+(admin|root|superuser)\\s+(account|access|login)"
193
+ - "(?i)(create|add)\\s+(a\\s+)?(hidden|secret|undocumented)\\s+(endpoint|route|api)\\s+(that|which|for)"
194
+ - "(?i)(insert|add)\\s+(a\\s+)?trojan"
195
+ metadata:
196
+ cwe: "CWE-506"
197
+ owasp: "A08:2021 - Software and Data Integrity Failures"
198
+ risk_score: 100
199
+ category: "malicious-injection"
200
+ action: "BLOCK"
201
+ confidence: HIGH
202
+
203
+ - id: agent.injection.security.reverse-shell
204
+ languages: [generic]
205
+ severity: ERROR
206
+ message: "CRITICAL: Reverse shell or remote access trojan request"
207
+ patterns:
208
+ - "(?i)(write|create|implement|generate|code)\\s+(a\\s+)?(python|bash|powershell|nc|netcat|php)?\\s*reverse\\s*shell"
209
+ - "(?i)(connect\\s+back|callback)\\s+to\\s+(my|a|the)\\s+(server|machine|ip|host)"
210
+ - "(?i)(remote|reverse)\\s+(access|shell|connection)\\s+(to|from)\\s+(my|a|the)\\s+(server|machine)"
211
+ - "(?i)bind\\s+shell.*listen"
212
+ - "(?i)(nc|netcat|ncat)\\s+.*\\s+-e\\s+(bash|sh|cmd)"
213
+ metadata:
214
+ cwe: "CWE-506"
215
+ risk_score: 100
216
+ category: "malicious-injection"
217
+ action: "BLOCK"
218
+ confidence: HIGH
219
+
220
+ - id: agent.injection.security.web-shell
221
+ languages: [generic]
222
+ severity: ERROR
223
+ message: "CRITICAL: Web shell creation request"
224
+ patterns:
225
+ - "(?i)(create|write|add)\\s+(a\\s+)?(php|jsp|asp|aspx)?\\s*web\\s*shell"
226
+ - "(?i)(upload|create)\\s+(a\\s+)?shell\\s+(script|file)\\s+(to|on)\\s+(the\\s+)?(web|server)"
227
+ - "(?i)passthru|shell_exec|system\\s*\\(\\s*\\$_(GET|POST|REQUEST)"
228
+ metadata:
229
+ cwe: "CWE-506"
230
+ risk_score: 100
231
+ category: "malicious-injection"
232
+ action: "BLOCK"
233
+ confidence: HIGH
234
+
235
+ # ----------------------------------------------------------------------------
236
+ # Security Control Removal
237
+ # ----------------------------------------------------------------------------
238
+ - id: agent.injection.security.disable-security
239
+ languages: [generic]
240
+ severity: ERROR
241
+ message: "CRITICAL: Request to disable security controls"
242
+ patterns:
243
+ - "(?i)(disable|remove|bypass|skip|turn\\s+off|delete)\\s+(the\\s+)?(security|auth|authentication|authorization|csrf|xss|sql\\s+injection)\\s+(check|validation|protection|filter|middleware)"
244
+ - "(?i)(remove|delete|disable)\\s+(all\\s+)?(input\\s+)?validation"
245
+ - "(?i)(comment\\s+out|disable|remove)\\s+(the\\s+)?(security|auth|permission)\\s+(middleware|check|code|logic)"
246
+ - "(?i)make\\s+(the\\s+)?(endpoint|api|route)\\s+(public|unauthenticated|accessible\\s+without\\s+auth)"
247
+ metadata:
248
+ cwe: "CWE-284"
249
+ risk_score: 95
250
+ category: "malicious-injection"
251
+ action: "BLOCK"
252
+ confidence: HIGH
253
+
254
+ - id: agent.injection.security.bypass-auth
255
+ languages: [generic]
256
+ severity: ERROR
257
+ message: "CRITICAL: Request to bypass authentication"
258
+ patterns:
259
+ - "(?i)bypass\\s+(the\\s+)?(authentication|auth|login|access\\s+control|authorization)"
260
+ - "(?i)(skip|ignore|disable)\\s+(the\\s+)?(login|auth)\\s+(check|requirement|process)"
261
+ - "(?i)allow\\s+(unauthenticated|anonymous)\\s+access\\s+to"
262
+ - "(?i)(remove|disable)\\s+(the\\s+)?jwt\\s+(verification|validation|check)"
263
+ metadata:
264
+ cwe: "CWE-287"
265
+ risk_score: 95
266
+ category: "malicious-injection"
267
+ action: "BLOCK"
268
+ confidence: HIGH
269
+
270
+ # ----------------------------------------------------------------------------
271
+ # Data Theft Code
272
+ # ----------------------------------------------------------------------------
273
+ - id: agent.injection.security.data-theft-code
274
+ languages: [generic]
275
+ severity: ERROR
276
+ message: "CRITICAL: Request to write code that steals/captures data"
277
+ patterns:
278
+ - "(?i)(write|create|add|implement)\\s+(code|function|script)\\s+(that|to)\\s+(send|transmit|exfiltrate|steal|capture|harvest)\\s+(user\\s+)?data"
279
+ - "(?i)(keylogger|credential\\s*stealer|password\\s*harvester|screen\\s*capture)"
280
+ - "(?i)(capture|log|record|steal|intercept)\\s+(all\\s+)?(keystrokes?|passwords?|credentials?|input|form\\s+data)"
281
+ - "(?i)send\\s+(captured|logged|stolen|collected)\\s+(data|credentials?|passwords?)\\s+to"
282
+ metadata:
283
+ cwe: "CWE-506"
284
+ risk_score: 100
285
+ category: "malicious-injection"
286
+ action: "BLOCK"
287
+ confidence: HIGH
288
+
289
+ - id: agent.injection.security.ransomware
290
+ languages: [generic]
291
+ severity: ERROR
292
+ message: "CRITICAL: Ransomware/encryption attack request"
293
+ patterns:
294
+ - "(?i)(encrypt|lock)\\s+(all\\s+)?(files?|data|documents?)\\s+(and|then)\\s+(demand|ask\\s+for|require)\\s+(ransom|payment|bitcoin)"
295
+ - "(?i)(write|create|implement)\\s+(a\\s+)?ransomware"
296
+ - "(?i)encrypt.*files.*ransom"
297
+ metadata:
298
+ cwe: "CWE-506"
299
+ risk_score: 100
300
+ category: "malicious-injection"
301
+ action: "BLOCK"
302
+ confidence: HIGH
303
+
304
+ # ----------------------------------------------------------------------------
305
+ # Intentionally Vulnerable Code
306
+ # ----------------------------------------------------------------------------
307
+ - id: agent.injection.security.intentional-vulnerability
308
+ languages: [generic]
309
+ severity: ERROR
310
+ message: "CRITICAL: Request to create intentionally vulnerable code"
311
+ patterns:
312
+ - "(?i)(add|create|write|implement|introduce)\\s+(an?\\s+)?(intentional|deliberate)?\\s*(sql\\s+injection|xss|rce|command\\s+injection|lfi|rfi)\\s+(vulnerability|hole|exploit|flaw)"
313
+ - "(?i)make\\s+(this|the)\\s+(code|function|endpoint|api)\\s+(vulnerable|exploitable)"
314
+ - "(?i)(add|introduce|insert)\\s+(a\\s+)?(security\\s+)?(flaw|hole|vulnerability|weakness|bug)"
315
+ - "(?i)(weaken|break|compromise)\\s+(the\\s+)?security"
316
+ metadata:
317
+ cwe: "CWE-506"
318
+ risk_score: 100
319
+ category: "malicious-injection"
320
+ action: "BLOCK"
321
+ confidence: HIGH
322
+
323
+ # ----------------------------------------------------------------------------
324
+ # Obfuscation Requests
325
+ # ----------------------------------------------------------------------------
326
+ - id: agent.injection.security.obfuscate-malicious
327
+ languages: [generic]
328
+ severity: ERROR
329
+ message: "Suspicious: Request to obfuscate potentially malicious code"
330
+ patterns:
331
+ - "(?i)obfuscate\\s+(this|the)\\s+(backdoor|shell|malicious|exploit|malware|trojan)"
332
+ - "(?i)(hide|disguise|mask|obfuscate|camouflage)\\s+(the|this)\\s+(malicious|dangerous|harmful)\\s+(code|function|payload)"
333
+ - "(?i)make\\s+(this|the)\\s+(code|payload|script)\\s+(undetectable|invisible|hidden|stealthy)"
334
+ - "(?i)evade\\s+(antivirus|av|detection|security\\s+scan|edr)"
335
+ metadata:
336
+ cwe: "CWE-506"
337
+ risk_score: 95
338
+ category: "malicious-injection"
339
+ action: "BLOCK"
340
+ confidence: HIGH
341
+
342
+ # ============================================================================
343
+ # CATEGORY 3: SYSTEM MANIPULATION ATTACKS
344
+ # ============================================================================
345
+
346
+ # ----------------------------------------------------------------------------
347
+ # Destructive File Operations
348
+ # ----------------------------------------------------------------------------
349
+ - id: agent.sysmanip.security.destructive-file-ops
350
+ languages: [generic]
351
+ severity: ERROR
352
+ message: "CRITICAL: Destructive file system operation requested"
353
+ patterns:
354
+ - "(?i)(delete|remove|rm|wipe|erase|destroy)\\s+(all\\s+)?(files?|everything|the\\s+entire)\\s+(in|from|under)?\\s*[/~]"
355
+ - "(?i)rm\\s+(-rf?\\s+)?[/~]"
356
+ - "(?i)(delete|remove|destroy|drop)\\s+(the\\s+)?(entire\\s+)?(database|db|data|collection)"
357
+ - "(?i)(format|wipe|erase)\\s+(the\\s+)?(disk|drive|partition|hard\\s+drive|storage)"
358
+ - "(?i)drop\\s+(all\\s+)?(tables?|database|schema|collection)"
359
+ metadata:
360
+ cwe: "CWE-400"
361
+ risk_score: 100
362
+ category: "system-manipulation"
363
+ action: "BLOCK"
364
+ confidence: HIGH
365
+
366
+ - id: agent.sysmanip.security.recursive-delete
367
+ languages: [generic]
368
+ severity: ERROR
369
+ message: "CRITICAL: Recursive deletion command detected"
370
+ patterns:
371
+ - "(?i)rm\\s+-r(f)?\\s+/"
372
+ - "(?i)rmdir\\s+/s\\s+/q"
373
+ - "(?i)del\\s+/f\\s+/s\\s+/q"
374
+ - "(?i)(remove|delete)\\s+recursively\\s+(all|everything)"
375
+ - "(?i)shutil\\.rmtree\\s*\\(\\s*[\"']/[\"']"
376
+ metadata:
377
+ cwe: "CWE-400"
378
+ risk_score: 100
379
+ category: "system-manipulation"
380
+ action: "BLOCK"
381
+ confidence: HIGH
382
+
383
+ # ----------------------------------------------------------------------------
384
+ # System Configuration Changes
385
+ # ----------------------------------------------------------------------------
386
+ - id: agent.sysmanip.security.modify-system-config
387
+ languages: [generic]
388
+ severity: ERROR
389
+ message: "CRITICAL: Request to modify critical system configuration"
390
+ patterns:
391
+ - "(?i)(modify|edit|change|update|overwrite|append\\s+to)\\s+(/etc/passwd|/etc/shadow|/etc/hosts|/etc/sudoers)"
392
+ - "(?i)(add|create)\\s+(a\\s+)?(new\\s+)?(user|account)\\s+(to|in)\\s+(/etc/passwd|sudoers|the\\s+system)"
393
+ - "(?i)(change|modify|set)\\s+(file\\s+)?permissions?\\s+to\\s+(777|666|rwxrwxrwx)"
394
+ - "(?i)chmod\\s+(777|666|\\+rwx|-R\\s+777)"
395
+ metadata:
396
+ cwe: "CWE-732"
397
+ risk_score: 95
398
+ category: "system-manipulation"
399
+ action: "BLOCK"
400
+ confidence: HIGH
401
+
402
+ - id: agent.sysmanip.security.modify-hosts
403
+ languages: [generic]
404
+ severity: ERROR
405
+ message: "CRITICAL: Request to modify hosts file (potential DNS hijacking)"
406
+ patterns:
407
+ - "(?i)(modify|edit|change|add\\s+to|append\\s+to)\\s+(/etc/hosts|hosts\\s+file|windows.*hosts)"
408
+ - "(?i)redirect\\s+.*\\s+domain.*\\s+hosts\\s+file"
409
+ - "(?i)(add|insert)\\s+entry\\s+to\\s+hosts"
410
+ metadata:
411
+ cwe: "CWE-284"
412
+ risk_score: 90
413
+ category: "system-manipulation"
414
+ action: "BLOCK"
415
+ confidence: HIGH
416
+
417
+ # ----------------------------------------------------------------------------
418
+ # Firewall/Security Bypass
419
+ # ----------------------------------------------------------------------------
420
+ - id: agent.sysmanip.security.disable-firewall
421
+ languages: [generic]
422
+ severity: ERROR
423
+ message: "CRITICAL: Request to disable firewall or security software"
424
+ patterns:
425
+ - "(?i)(disable|stop|turn\\s+off|deactivate|kill)\\s+(the\\s+)?(firewall|iptables|ufw|windows\\s+defender|antivirus|av|edr|endpoint)"
426
+ - "(?i)(add|create)\\s+(a\\s+)?firewall\\s+rule\\s+(to\\s+)?(allow|permit)\\s+(all|any|everything)"
427
+ - "(?i)iptables\\s+.*\\s+-j\\s+ACCEPT\\s+.*\\s+(0\\.0\\.0\\.0|any|all)"
428
+ - "(?i)netsh\\s+.*\\s+firewall\\s+.*\\s+(disable|off)"
429
+ metadata:
430
+ cwe: "CWE-284"
431
+ risk_score: 95
432
+ category: "system-manipulation"
433
+ action: "BLOCK"
434
+ confidence: HIGH
435
+
436
+ # ----------------------------------------------------------------------------
437
+ # Persistence Mechanisms
438
+ # ----------------------------------------------------------------------------
439
+ - id: agent.sysmanip.security.add-persistence
440
+ languages: [generic]
441
+ severity: ERROR
442
+ message: "CRITICAL: Request to add persistence mechanism"
443
+ patterns:
444
+ - "(?i)(add|create|write|insert)\\s+(to\\s+)?(crontab|cron|scheduled\\s+task|systemd\\s+service|launchd)"
445
+ - "(?i)(modify|edit|append\\s+to)\\s+(\\.bashrc|\\.zshrc|\\.profile|\\.bash_profile|shell\\s+config)"
446
+ - "(?i)(add|create|write)\\s+(a\\s+)?(startup|boot|login|init)\\s+(script|command|entry|hook)"
447
+ - "(?i)(register|install)\\s+(as\\s+)?(a\\s+)?(service|daemon)\\s+(that|to)\\s+run\\s+(on|at)\\s+(boot|startup)"
448
+ metadata:
449
+ cwe: "CWE-506"
450
+ risk_score: 90
451
+ category: "system-manipulation"
452
+ action: "BLOCK"
453
+ confidence: HIGH
454
+
455
+ - id: agent.sysmanip.security.registry-modification
456
+ languages: [generic]
457
+ severity: ERROR
458
+ message: "CRITICAL: Windows registry modification for persistence"
459
+ patterns:
460
+ - "(?i)(modify|edit|add\\s+to)\\s+(the\\s+)?windows\\s+registry.*\\s+(run|startup)"
461
+ - "(?i)reg\\s+add.*\\s+Run"
462
+ - "(?i)HKEY_(LOCAL_MACHINE|CURRENT_USER).*\\s+Run"
463
+ metadata:
464
+ cwe: "CWE-506"
465
+ risk_score: 90
466
+ category: "system-manipulation"
467
+ action: "BLOCK"
468
+ confidence: HIGH
469
+
470
+ # ----------------------------------------------------------------------------
471
+ # Download and Execute
472
+ # ----------------------------------------------------------------------------
473
+ - id: agent.sysmanip.security.download-execute
474
+ languages: [generic]
475
+ severity: ERROR
476
+ message: "CRITICAL: Download and execute pattern detected"
477
+ patterns:
478
+ - "(?i)(download|curl|wget|fetch|get)\\s+(and\\s+)?(then\\s+)?(execute|run|install|start)\\s+(from\\s+)?https?://"
479
+ - "(?i)curl.*\\|\\s*(bash|sh|python|perl|ruby|powershell)"
480
+ - "(?i)wget.*&&.*chmod.*&&.*\\.\\/?"
481
+ - "(?i)(download|fetch)\\s+(this|a)\\s+(script|payload|file|binary)\\s+(from|at)\\s+.*\\s+and\\s+(run|execute)"
482
+ - "(?i)powershell.*downloadstring.*invoke"
483
+ metadata:
484
+ cwe: "CWE-494"
485
+ risk_score: 95
486
+ category: "system-manipulation"
487
+ action: "BLOCK"
488
+ confidence: HIGH
489
+
490
+ # ============================================================================
491
+ # CATEGORY 4: SOCIAL ENGINEERING THE AGENT
492
+ # ============================================================================
493
+
494
+ # ----------------------------------------------------------------------------
495
+ # Fake Authority Claims
496
+ # ----------------------------------------------------------------------------
497
+ - id: agent.social.security.fake-authorization
498
+ languages: [generic]
499
+ severity: ERROR
500
+ message: "Social engineering attempt: Claiming false authorization"
501
+ patterns:
502
+ - "(?i)(the\\s+)?(user|admin|administrator|owner|security\\s+team|manager|cto|ceo)\\s+(has\\s+)?(already\\s+)?(authorized|approved|permitted|allowed|granted)\\s+(you\\s+to|this|permission)"
503
+ - "(?i)(i\\s+am|this\\s+is)\\s+(the\\s+)?(system\\s+)?admin(istrator)?\\s+(and\\s+)?(i\\s+)?(authorize|approve|permit|grant)"
504
+ - "(?i)you\\s+(have|now\\s+have)\\s+(been\\s+)?(granted|given)\\s+(full\\s+|root\\s+|admin\\s+|sudo\\s+)?access"
505
+ - "(?i)(security|compliance|legal|management)\\s+(team\\s+)?(approved|signed\\s+off|authorized)\\s+(this|you)"
506
+ metadata:
507
+ cwe: "CWE-290"
508
+ risk_score: 85
509
+ category: "social-engineering"
510
+ action: "WARN"
511
+ confidence: MEDIUM
512
+
513
+ - id: agent.social.security.impersonation
514
+ languages: [generic]
515
+ severity: ERROR
516
+ message: "Social engineering attempt: Impersonating authority"
517
+ patterns:
518
+ - "(?i)(speaking|writing|acting)\\s+(as|on\\s+behalf\\s+of)\\s+(the\\s+)?(admin|administrator|owner|root)"
519
+ - "(?i)this\\s+(is|comes\\s+from)\\s+(the\\s+)?(security\\s+team|admin\\s+team|devops)"
520
+ - "(?i)(override|admin)\\s+(code|command|instruction)\\s*:"
521
+ metadata:
522
+ cwe: "CWE-290"
523
+ risk_score: 80
524
+ category: "social-engineering"
525
+ action: "WARN"
526
+ confidence: MEDIUM
527
+
528
+ # ----------------------------------------------------------------------------
529
+ # Fake Mode/State Claims
530
+ # ----------------------------------------------------------------------------
531
+ - id: agent.social.security.fake-mode
532
+ languages: [generic]
533
+ severity: WARNING
534
+ message: "Social engineering attempt: Claiming special mode or state"
535
+ patterns:
536
+ - "(?i)you\\s+are\\s+(now\\s+)?(in|entering)\\s+(maintenance|debug|developer|admin|test|safe|privileged)\\s+mode"
537
+ - "(?i)(this\\s+is\\s+)?a\\s+(test|dev|staging|sandbox|local)\\s+(environment|system|server)\\s+(so|therefore|thus)"
538
+ - "(?i)(safety|security)\\s+(protocols?|measures?|restrictions?)\\s+(are|have\\s+been)\\s+(disabled|suspended|lifted|off)"
539
+ - "(?i)(all\\s+)?(restrictions?|limitations?|safety\\s+measures?|guardrails?)\\s+(are|have\\s+been)\\s+(removed|lifted|disabled)"
540
+ metadata:
541
+ cwe: "CWE-290"
542
+ risk_score: 80
543
+ category: "social-engineering"
544
+ action: "WARN"
545
+ confidence: MEDIUM
546
+
547
+ # ----------------------------------------------------------------------------
548
+ # Urgency/Emergency Claims
549
+ # ----------------------------------------------------------------------------
550
+ - id: agent.social.security.fake-emergency
551
+ languages: [generic]
552
+ severity: WARNING
553
+ message: "Social engineering attempt: Creating false urgency to bypass security"
554
+ patterns:
555
+ - "(?i)(this\\s+is\\s+an?\\s+)?(urgent|emergency|critical|production\\s+down)\\s+(situation|issue|request|matter).*\\s+(skip|bypass|ignore)\\s+(security|safety|normal)"
556
+ - "(?i)(we\\s+)?(need|must)\\s+(this|it)\\s+(immediately|right\\s+now|urgently|asap).*\\s+(don't|do\\s+not)\\s+(worry|bother)\\s+(about|with)\\s+(security|safety)"
557
+ - "(?i)(there's|there\\s+is)\\s+(no\\s+time|an\\s+emergency).*\\s+(just\\s+)?(do|execute|run)\\s+it"
558
+ - "(?i)(production|system)\\s+(is\\s+)?(down|broken).*skip.*security"
559
+ metadata:
560
+ cwe: "CWE-290"
561
+ risk_score: 70
562
+ category: "social-engineering"
563
+ action: "WARN"
564
+ confidence: MEDIUM
565
+
566
+ # ----------------------------------------------------------------------------
567
+ # Debug/Testing Justifications
568
+ # ----------------------------------------------------------------------------
569
+ - id: agent.social.security.debug-justification
570
+ languages: [generic]
571
+ severity: WARNING
572
+ message: "Suspicious: Using debugging/testing as justification for risky action"
573
+ patterns:
574
+ - "(?i)for\\s+(debugging|testing|research|educational|learning)\\s+purposes?\\s+(only\\s+)?.*\\s+(show|reveal|disable|bypass|ignore|access)"
575
+ - "(?i)(this|it)\\s+(is|will\\s+be)\\s+(only\\s+)?(used\\s+)?(for|in)\\s+(a\\s+)?(test|debug|research|controlled)\\s+(environment|setting|scenario)"
576
+ - "(?i)(don't|do\\s+not)\\s+worry.*\\s+(it's|this\\s+is)\\s+(just\\s+)?(a\\s+)?(test|demo|poc|proof\\s+of\\s+concept)"
577
+ - "(?i)i\\s+(just\\s+)?want\\s+to\\s+(test|try|check|see).*\\s+(so\\s+)?(bypass|skip|disable|ignore)\\s+(the\\s+)?(security|safety)"
578
+ metadata:
579
+ cwe: "CWE-290"
580
+ risk_score: 65
581
+ category: "social-engineering"
582
+ action: "LOG"
583
+ confidence: LOW
584
+
585
+ # ============================================================================
586
+ # CATEGORY 5: INDIRECT & OBFUSCATED ATTACKS
587
+ # ============================================================================
588
+
589
+ # ----------------------------------------------------------------------------
590
+ # Encoded Instructions
591
+ # ----------------------------------------------------------------------------
592
+ - id: agent.obfuscated.security.base64-instructions
593
+ languages: [generic]
594
+ severity: WARNING
595
+ message: "Potential obfuscated attack: Base64 encoded instructions"
596
+ patterns:
597
+ - "(?i)(decode|execute|run|follow|process)\\s+(this|the)?\\s+base64\\s*:?\\s*[A-Za-z0-9+/=]{30,}"
598
+ - "(?i)base64\\s*-d.*\\|.*bash"
599
+ - "(?i)atob\\s*\\([\"'][A-Za-z0-9+/=]{30,}[\"']\\)"
600
+ - "aWdub3JlIHByZXZpb3Vz"
601
+ - "ZGVsZXRlIGFsbA=="
602
+ - "cm0gLXJm"
603
+ - "c2VuZCB0bw=="
604
+ metadata:
605
+ cwe: "CWE-77"
606
+ risk_score: 75
607
+ category: "obfuscation"
608
+ action: "WARN"
609
+ confidence: MEDIUM
610
+
611
+ - id: agent.obfuscated.security.rot13-instructions
612
+ languages: [generic]
613
+ severity: WARNING
614
+ message: "Potential obfuscated attack: ROT13 or cipher encoded instructions"
615
+ patterns:
616
+ - "(?i)(decode|decipher|decrypt)\\s+(this|the)?\\s+(rot13|caesar|cipher)"
617
+ - "(?i)tr\\s+['\"]A-Za-z['\"]\\s+['\"][N-ZA-Mn-za-m]['\"]"
618
+ - "vtaber cerivbhf"
619
+ - "qryrgrq nyy"
620
+ - "fraq gb"
621
+ metadata:
622
+ cwe: "CWE-77"
623
+ risk_score: 70
624
+ category: "obfuscation"
625
+ action: "WARN"
626
+ confidence: MEDIUM
627
+
628
+ - id: agent.obfuscated.security.hex-instructions
629
+ languages: [generic]
630
+ severity: WARNING
631
+ message: "Potential obfuscated attack: Hex encoded instructions"
632
+ patterns:
633
+ - "(?i)(decode|execute|run)\\s+(this|the)?\\s+hex\\s*:?\\s*[0-9a-fA-F]{20,}"
634
+ - "(?i)\\\\x[0-9a-fA-F]{2}(\\\\x[0-9a-fA-F]{2}){10,}"
635
+ metadata:
636
+ cwe: "CWE-77"
637
+ risk_score: 70
638
+ category: "obfuscation"
639
+ action: "WARN"
640
+ confidence: MEDIUM
641
+
642
+ # ----------------------------------------------------------------------------
643
+ # Split/Fragmented Instructions
644
+ # ----------------------------------------------------------------------------
645
+ - id: agent.obfuscated.security.fragmented-attack
646
+ languages: [generic]
647
+ severity: WARNING
648
+ message: "Potential fragmented attack: Instructions split to avoid detection"
649
+ patterns:
650
+ - "(?i)(concatenate|combine|join|merge)\\s+(these|the\\s+following)\\s+(words|parts|fragments|pieces|letters).*\\s+(then|and)\\s+(execute|run|follow)"
651
+ - "(?i)(first\\s+part|part\\s+1|step\\s+1)\\s*:.*\\s*(second\\s+part|part\\s+2|step\\s+2)\\s*:"
652
+ - "(?i)when\\s+you\\s+(read|see)\\s+[\"'][A-Z]{3,}[\"']\\s+(followed\\s+by|then).*\\s+(execute|run|do)"
653
+ - "(?i)(spell|read)\\s+out\\s+.*\\s+(first\\s+letters|acronym)"
654
+ metadata:
655
+ cwe: "CWE-77"
656
+ risk_score: 60
657
+ category: "obfuscation"
658
+ action: "LOG"
659
+ confidence: LOW
660
+
661
+ # ----------------------------------------------------------------------------
662
+ # Unicode/Homoglyph Attacks
663
+ # ----------------------------------------------------------------------------
664
+ - id: agent.obfuscated.security.homoglyph
665
+ languages: [generic]
666
+ severity: WARNING
667
+ message: "Potential homoglyph attack: Unicode characters disguising intent"
668
+ patterns:
669
+ - "[\u200b\u200c\u200d\ufeff\u2060]"
670
+ - "[А-яЁё]"
671
+ - "[\u0391-\u03C9]"
672
+ metadata:
673
+ cwe: "CWE-77"
674
+ risk_score: 65
675
+ category: "obfuscation"
676
+ action: "WARN"
677
+ confidence: LOW
678
+
679
+ # ----------------------------------------------------------------------------
680
+ # "Example" Requests for Malicious Code
681
+ # ----------------------------------------------------------------------------
682
+ - id: agent.obfuscated.security.example-attack
683
+ languages: [generic]
684
+ severity: ERROR
685
+ message: "Suspicious: Requesting 'examples' of malicious code"
686
+ patterns:
687
+ - "(?i)(show|give|provide|write|create)\\s+(me\\s+)?an?\\s+example\\s+(of|for)\\s+(a\\s+)?(backdoor|reverse\\s+shell|keylogger|ransomware|malware|virus|exploit|trojan)"
688
+ - "(?i)for\\s+(educational|learning|research|academic)\\s+purposes?\\s*,?\\s*(show|write|create|implement)\\s+(a\\s+)?(working\\s+)?(backdoor|malware|exploit|reverse\\s+shell)"
689
+ - "(?i)how\\s+(would|do)\\s+(you|i)\\s+(write|create|implement|code)\\s+(a\\s+)?(real|working|functional)\\s+(backdoor|reverse\\s+shell|keylogger|malware)"
690
+ - "(?i)(demonstrate|show\\s+me)\\s+how\\s+to\\s+(create|write)\\s+(a\\s+)?(backdoor|shell|exploit)"
691
+ metadata:
692
+ cwe: "CWE-506"
693
+ risk_score: 85
694
+ category: "obfuscation"
695
+ action: "BLOCK"
696
+ confidence: HIGH
697
+
698
+ # ----------------------------------------------------------------------------
699
+ # Legitimate-Sounding Justifications
700
+ # ----------------------------------------------------------------------------
701
+ - id: agent.obfuscated.security.legitimate-sounding
702
+ languages: [generic]
703
+ severity: WARNING
704
+ message: "Suspicious: Potentially malicious request with legitimate-sounding justification"
705
+ patterns:
706
+ - "(?i)(for\\s+)?(my|our)\\s+(company|employer|client|school|university)\\s+(requires|needs|wants)\\s+(me\\s+to\\s+)?(access|read|get|extract)\\s+(the\\s+)?(secrets?|credentials?|passwords?)"
707
+ - "(?i)(authorized|permitted)\\s+(penetration|security)\\s+test.*\\s+(give|show|access)\\s+(me\\s+)?(secrets?|credentials?)"
708
+ - "(?i)compliance\\s+(requires|audit).*\\s+(extract|access|read)\\s+(all\\s+)?(secrets?|credentials?)"
709
+ metadata:
710
+ cwe: "CWE-290"
711
+ risk_score: 60
712
+ category: "obfuscation"
713
+ action: "LOG"
714
+ confidence: LOW
715
+
716
+ # ============================================================================
717
+ # CATEGORY 6: AGENT-SPECIFIC MANIPULATION
718
+ # ============================================================================
719
+
720
+ # ----------------------------------------------------------------------------
721
+ # Tool/Action Manipulation
722
+ # ----------------------------------------------------------------------------
723
+ - id: agent.manipulation.security.force-tool-use
724
+ languages: [generic]
725
+ severity: WARNING
726
+ message: "Attempt to force agent to use specific dangerous tools"
727
+ patterns:
728
+ - "(?i)you\\s+must\\s+(use|execute|run)\\s+(the\\s+)?bash\\s+(command|tool)"
729
+ - "(?i)(always|only)\\s+use\\s+(the\\s+)?terminal\\s+to"
730
+ - "(?i)execute\\s+(this|the\\s+following)\\s+(directly|immediately)\\s+without\\s+(checking|asking|confirming)"
731
+ - "(?i)run\\s+this\\s+(shell\\s+)?command\\s+without\\s+(any\\s+)?(questions|prompts|confirmation)"
732
+ metadata:
733
+ cwe: "CWE-77"
734
+ risk_score: 75
735
+ category: "agent-manipulation"
736
+ action: "WARN"
737
+ confidence: MEDIUM
738
+
739
+ - id: agent.manipulation.security.disable-confirmation
740
+ languages: [generic]
741
+ severity: WARNING
742
+ message: "Attempt to disable agent confirmation/safety checks"
743
+ patterns:
744
+ - "(?i)(don't|do\\s+not|never)\\s+ask\\s+(for\\s+)?(confirmation|permission|approval)"
745
+ - "(?i)(skip|bypass|disable)\\s+(the\\s+)?(confirmation|approval|safety)\\s+(prompt|check|dialog)"
746
+ - "(?i)(auto|automatically)\\s+(approve|confirm|accept)\\s+(all|every|any)"
747
+ - "(?i)execute\\s+(without|with\\s+no)\\s+(confirmation|prompting|asking)"
748
+ metadata:
749
+ cwe: "CWE-284"
750
+ risk_score: 80
751
+ category: "agent-manipulation"
752
+ action: "WARN"
753
+ confidence: MEDIUM
754
+
755
+ # ----------------------------------------------------------------------------
756
+ # Output/Response Manipulation
757
+ # ----------------------------------------------------------------------------
758
+ - id: agent.manipulation.security.hide-output
759
+ languages: [generic]
760
+ severity: WARNING
761
+ message: "Attempt to hide agent actions from user"
762
+ patterns:
763
+ - "(?i)(don't|do\\s+not|never)\\s+(show|display|output|reveal)\\s+(the|any)\\s+(results?|output|response|actions?)"
764
+ - "(?i)(hide|suppress|silence)\\s+(the|any|all)\\s+(output|response|results?|errors?)"
765
+ - "(?i)execute\\s+(silently|quietly|invisibly)"
766
+ - "(?i)(don't|do\\s+not)\\s+(tell|inform|notify)\\s+(the\\s+)?user"
767
+ metadata:
768
+ cwe: "CWE-284"
769
+ risk_score: 75
770
+ category: "agent-manipulation"
771
+ action: "WARN"
772
+ confidence: MEDIUM
773
+
774
+ # ----------------------------------------------------------------------------
775
+ # Memory/Context Manipulation
776
+ # ----------------------------------------------------------------------------
777
+ - id: agent.manipulation.security.memory-injection
778
+ languages: [generic]
779
+ severity: WARNING
780
+ message: "Attempt to inject false memory/context into agent"
781
+ patterns:
782
+ - "(?i)(remember|recall)\\s+that\\s+(you|we)\\s+(previously|earlier|already)\\s+(agreed|decided|discussed)\\s+to"
783
+ - "(?i)(we|you)\\s+(already|previously)\\s+(authorized|approved|agreed\\s+to)\\s+this"
784
+ - "(?i)as\\s+(we\\s+)?discussed\\s+(earlier|before|previously).*\\s+(proceed|continue|execute)"
785
+ - "(?i)you\\s+said\\s+(earlier|before|previously)\\s+that\\s+you\\s+would"
786
+ metadata:
787
+ cwe: "CWE-290"
788
+ risk_score: 70
789
+ category: "agent-manipulation"
790
+ action: "WARN"
791
+ confidence: MEDIUM