hardstop-patterns 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +144 -0
- package/index.d.ts +66 -0
- package/index.js +262 -0
- package/package.json +44 -0
- package/patterns/bash-dangerous.json +228 -0
- package/patterns/bash-safe.json +91 -0
- package/patterns/meta.json +21 -0
- package/patterns/read-dangerous.json +79 -0
- package/patterns/read-safe.json +100 -0
- package/patterns/read-sensitive.json +19 -0
|
@@ -0,0 +1,228 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "1.0.0",
|
|
3
|
+
"scope": "bash",
|
|
4
|
+
"type": "dangerous",
|
|
5
|
+
"match_mode": "search",
|
|
6
|
+
"patterns": [
|
|
7
|
+
|
|
8
|
+
{"id": "DEL-001", "pattern": "(?<!echo\\s)(?<!echo ')(?<!echo \\\")rm\\s+(-[^\\s]*\\s+)*(/home/|~/)", "message": "Deletes home directory", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "notes": "Excludes echo/printf which just output strings", "added": "1.0.0"},
|
|
9
|
+
{"id": "DEL-002", "pattern": "(?<!echo\\s)(?<!echo ')(?<!echo \\\")rm\\s+(-[^\\s]*\\s+)*~(/[^/\\s]+)?(\\s|$|>|;|&|\\|)", "message": "Deletes home directory or subdirectory", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
10
|
+
{"id": "DEL-003", "pattern": "(?<!echo\\s)(?<!echo ')(?<!echo \\\")rm\\s+(-[^\\s]*\\s+)*/(\\s|$|>|;|&|\\|)", "message": "Deletes root filesystem", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
11
|
+
{"id": "DEL-004", "pattern": "(?<!echo\\s)rm\\s+(-[^\\s]*\\s+)*\\$HOME", "message": "Deletes home directory via $HOME", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
12
|
+
{"id": "DEL-005", "pattern": "(?<!echo\\s)rm\\s+(-[^\\s]*\\s+)*\\$\\{HOME\\}", "message": "Deletes home directory via ${HOME}", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
13
|
+
{"id": "DEL-006", "pattern": "(?<!echo\\s)rm\\s+(-[^\\s]*\\s+)*/home/\\$USER", "message": "Deletes user home via $USER", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
14
|
+
{"id": "DEL-007", "pattern": "(?<!echo\\s)rm\\s+(-[^\\s]*\\s+)*/home/\\$\\{USER\\}", "message": "Deletes user home via ${USER}", "category": "deletion", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
15
|
+
|
|
16
|
+
{"id": "FORK-001", "pattern": ":\\(\\)\\s*\\{\\s*:\\|:&\\s*\\}\\s*;\\s*:", "message": "Fork bomb — will crash system", "category": "system_damage", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
17
|
+
|
|
18
|
+
{"id": "RSHELL-001", "pattern": "bash\\s+-i\\s+>&\\s*/dev/tcp/", "message": "Reverse shell — remote access backdoor", "category": "reverse_shell", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
19
|
+
{"id": "RSHELL-002", "pattern": "nc\\s+(-[^\\s]*\\s+)*-e\\s+/bin/(ba)?sh", "message": "Reverse shell via netcat", "category": "reverse_shell", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
20
|
+
{"id": "RSHELL-003", "pattern": "/dev/tcp/[^\\s]+", "message": "Network connection via /dev/tcp", "category": "reverse_shell", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
21
|
+
{"id": "RSHELL-004", "pattern": "mkfifo.*nc.*sh", "message": "Reverse shell via named pipe", "category": "reverse_shell", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
22
|
+
{"id": "RSHELL-005", "pattern": "python.*socket.*connect.*exec", "message": "Python reverse shell", "category": "reverse_shell", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
23
|
+
{"id": "RSHELL-006", "pattern": "perl.*socket.*exec", "message": "Perl reverse shell", "category": "reverse_shell", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
24
|
+
|
|
25
|
+
{"id": "EXFIL-001", "pattern": "curl\\s+.*(-d|--data|-F|--form)\\s+.*(\\.ssh|\\.aws|\\.config|\\.gnupg)", "message": "Exfiltrates credentials", "category": "credential_exfil", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
26
|
+
{"id": "EXFIL-002", "pattern": "wget\\s+.*--post-(data|file)\\s+.*(\\.ssh|\\.aws|\\.config)", "message": "Exfiltrates credentials", "category": "credential_exfil", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
27
|
+
{"id": "EXFIL-003", "pattern": "cat\\s+.*(\\.ssh/id_|\\.aws/credentials|\\.env)\\s*\\|", "message": "Pipes credentials to another command", "category": "credential_exfil", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
28
|
+
{"id": "EXFIL-004", "pattern": "tar\\s+.*\\s+(\\.ssh|\\.aws|\\.gnupg|\\.config).*\\|.*(nc|curl|wget)", "message": "Archives and exfiltrates credentials", "category": "credential_exfil", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
29
|
+
{"id": "EXFIL-005", "pattern": "scp\\s+.*(\\.ssh|\\.aws|\\.config).*@", "message": "Copies credentials to remote host", "category": "credential_exfil", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
30
|
+
{"id": "EXFIL-006", "pattern": "cat\\s+~/\\.(ssh|aws|gnupg)/.*\\|\\s*nc\\s+", "message": "Pipes credentials via netcat", "category": "credential_exfil", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
31
|
+
|
|
32
|
+
{"id": "CREAD-001", "pattern": "cat\\s+.*\\.ssh/(id_rsa|id_ed25519|id_ecdsa|id_dsa)", "message": "Reads SSH private key", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
33
|
+
{"id": "CREAD-002", "pattern": "cat\\s+.*\\.aws/credentials", "message": "Reads AWS credentials", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
34
|
+
{"id": "CREAD-003", "pattern": "cat\\s+.*\\.kube/config", "message": "Reads Kubernetes credentials", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
35
|
+
{"id": "CREAD-004", "pattern": "cat\\s+.*\\.docker/config\\.json", "message": "Reads Docker registry auth", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
36
|
+
{"id": "CREAD-005", "pattern": "cat\\s+.*\\.npmrc", "message": "Reads npm credentials", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
37
|
+
{"id": "CREAD-006", "pattern": "cat\\s+.*/etc/shadow", "message": "Reads system password hashes", "category": "credential_read", "severity": "critical", "platforms": ["linux"], "added": "1.0.0"},
|
|
38
|
+
{"id": "CREAD-007", "pattern": "cat\\s+.*\\.netrc", "message": "Reads plaintext HTTP credentials", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
39
|
+
{"id": "CREAD-008", "pattern": "cat\\s+.*\\.gnupg/", "message": "Reads GPG private data", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
40
|
+
{"id": "CREAD-009", "pattern": "cat\\s+.*\\.git-credentials", "message": "Reads Git credentials", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
41
|
+
{"id": "CREAD-010", "pattern": "cat\\s+.*\\.env(\\s|$)", "message": "Reads environment secrets", "category": "credential_read", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
42
|
+
|
|
43
|
+
{"id": "DISK-001", "pattern": "dd\\s+.*of=/dev/(sd[a-z]|nvme|xvd|vd[a-z])", "message": "Overwrites disk directly", "category": "disk_destruction", "severity": "critical", "platforms": ["linux"], "added": "1.0.0"},
|
|
44
|
+
{"id": "DISK-002", "pattern": "mkfs(\\.[a-z0-9]+)?\\s+.*/dev/(sd[a-z]|nvme|xvd|vd[a-z])", "message": "Formats drive", "category": "disk_destruction", "severity": "critical", "platforms": ["linux"], "added": "1.0.0"},
|
|
45
|
+
{"id": "DISK-003", "pattern": ">\\s*/dev/(sd[a-z]|nvme)", "message": "Redirects to raw disk", "category": "disk_destruction", "severity": "critical", "platforms": ["linux"], "added": "1.0.0"},
|
|
46
|
+
{"id": "DISK-004", "pattern": "shred\\s+.*(/dev/|/home/|~/)", "message": "Shreds disk or home directory", "category": "disk_destruction", "severity": "critical", "platforms": ["linux"], "added": "1.0.0"},
|
|
47
|
+
|
|
48
|
+
{"id": "ENC-001", "pattern": "base64\\s+-d.*\\|\\s*(ba)?sh", "message": "Executes base64-encoded payload", "category": "encoded_execution", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
49
|
+
{"id": "ENC-002", "pattern": "echo\\s+[A-Za-z0-9+/=]+\\s*\\|\\s*base64\\s+-d\\s*\\|\\s*(ba)?sh", "message": "Executes encoded payload", "category": "encoded_execution", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
50
|
+
{"id": "ENC-003", "pattern": "eval\\s+.*\\$\\(.*base64", "message": "Eval with base64 decode", "category": "encoded_execution", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
51
|
+
{"id": "ENC-004", "pattern": "python.*-c.*exec.*decode", "message": "Python encoded execution", "category": "encoded_execution", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
52
|
+
|
|
53
|
+
{"id": "RCE-001", "pattern": "curl\\s+[^|]*\\|\\s*(ba)?sh", "message": "Pipes URL content to shell", "category": "remote_code_execution", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
54
|
+
{"id": "RCE-002", "pattern": "wget\\s+.*\\|\\s*(ba)?sh", "message": "Pipes download to shell", "category": "remote_code_execution", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
55
|
+
{"id": "RCE-003", "pattern": "curl\\s+[^|]*\\|\\s*python", "message": "Pipes URL content to Python", "category": "remote_code_execution", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
56
|
+
|
|
57
|
+
{"id": "SYSD-001", "pattern": "chmod\\s+(-[^\\s]*\\s+)*777\\s+/", "message": "Sets world-writable on system root", "category": "system_damage", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
58
|
+
{"id": "SYSD-002", "pattern": "chmod\\s+(-[^\\s]*\\s+)*-R\\s+777", "message": "Recursively sets world-writable", "category": "system_damage", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
59
|
+
{"id": "SYSD-003", "pattern": "chown\\s+(-[^\\s]*\\s+)*-R\\s+.*\\s+/(?!home)", "message": "Recursive chown on system directories", "category": "system_damage", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
60
|
+
|
|
61
|
+
{"id": "HIST-001", "pattern": ">\\s*~/\\.bash_history", "message": "Clears bash history", "category": "history_manipulation", "severity": "high", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
62
|
+
|
|
63
|
+
{"id": "CRON-001", "pattern": "crontab\\s+-r", "message": "Removes all cron jobs", "category": "scheduled_persistence", "severity": "high", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
64
|
+
{"id": "CRON-002", "pattern": "echo.*\\|\\s*crontab", "message": "Pipes to crontab (potential persistence)", "category": "scheduled_persistence", "severity": "high", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
65
|
+
|
|
66
|
+
{"id": "SUDO-001", "pattern": "sudo\\s+rm\\s+(-[^\\s]*\\s+)*(/|/home|/etc|/usr|/var)", "message": "Sudo delete on system paths", "category": "privileged_operations", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
67
|
+
{"id": "SUDO-002", "pattern": "sudo\\s+chmod\\s+(-[^\\s]*\\s+)*777", "message": "Sudo world-writable permission", "category": "privileged_operations", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
68
|
+
{"id": "SUDO-003", "pattern": "sudo\\s+dd\\s+", "message": "Sudo disk write", "category": "privileged_operations", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
69
|
+
|
|
70
|
+
{"id": "WIN-DEL-001", "pattern": "rd\\s+(/s|/q|\\s)+\\s*(C:\\\\|C:/|%SystemRoot%|%USERPROFILE%|%APPDATA%)", "message": "Deletes Windows system/user directory", "category": "windows_deletion", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
71
|
+
{"id": "WIN-DEL-002", "pattern": "rmdir\\s+(/s|/q|\\s)+\\s*(C:\\\\|C:/|%SystemRoot%|%USERPROFILE%)", "message": "Deletes Windows system/user directory", "category": "windows_deletion", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
72
|
+
{"id": "WIN-DEL-003", "pattern": "del\\s+(/[fqsa]|\\s)+\\s*(C:\\\\Windows|C:\\\\Users|%SystemRoot%)", "message": "Deletes Windows system files", "category": "windows_deletion", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
73
|
+
{"id": "WIN-DEL-004", "pattern": "Remove-Item\\s+.*-Recurse.*\\s+(C:\\\\|C:/|~\\\\|\\$env:)", "message": "PowerShell recursive delete on system paths", "category": "windows_deletion", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
74
|
+
{"id": "WIN-DEL-005", "pattern": "rm\\s+-r.*\\s+(C:\\\\Windows|C:\\\\Users\\\\[^\\\\]+$|\\$HOME)", "message": "Deletes Windows system/user directory", "category": "windows_deletion", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
75
|
+
|
|
76
|
+
{"id": "WIN-REG-001", "pattern": "reg\\s+delete\\s+.*HKLM", "message": "Deletes machine-wide registry keys", "category": "windows_registry", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
77
|
+
{"id": "WIN-REG-002", "pattern": "reg\\s+delete\\s+.*HKCU\\\\Software\\\\Microsoft\\\\Windows", "message": "Deletes critical user registry keys", "category": "windows_registry", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
78
|
+
{"id": "WIN-REG-003", "pattern": "reg\\s+add\\s+.*\\\\Run\\s+", "message": "Adds registry run key (persistence)", "category": "windows_registry", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
79
|
+
{"id": "WIN-REG-004", "pattern": "Remove-ItemProperty.*Registry", "message": "PowerShell registry deletion", "category": "windows_registry", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
80
|
+
|
|
81
|
+
{"id": "WIN-CRED-001", "pattern": "cmdkey\\s+/list", "message": "Lists stored Windows credentials", "category": "windows_credential", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
82
|
+
{"id": "WIN-CRED-002", "pattern": "vaultcmd\\s+/list", "message": "Lists Windows credential vault", "category": "windows_credential", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
83
|
+
{"id": "WIN-CRED-003", "pattern": "mimikatz", "message": "Credential dumping tool", "category": "windows_credential", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
84
|
+
{"id": "WIN-CRED-004", "pattern": "sekurlsa", "message": "Credential dumping (mimikatz module)", "category": "windows_credential", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
85
|
+
{"id": "WIN-CRED-005", "pattern": "Get-Credential.*Export", "message": "Exports Windows credentials", "category": "windows_credential", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
86
|
+
{"id": "WIN-CRED-006", "pattern": "copy.*\\\\Windows\\\\System32\\\\config\\\\(SAM|SYSTEM)", "message": "Copies Windows password database", "category": "windows_credential", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
87
|
+
|
|
88
|
+
{"id": "WIN-DISK-001", "pattern": "format\\s+[A-Za-z]:", "message": "Formats Windows drive", "category": "windows_disk", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
89
|
+
{"id": "WIN-DISK-002", "pattern": "diskpart", "message": "Windows disk partition tool", "category": "windows_disk", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
90
|
+
{"id": "WIN-DISK-003", "pattern": "bcdedit\\s+/delete", "message": "Deletes boot configuration", "category": "windows_disk", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
91
|
+
{"id": "WIN-DISK-004", "pattern": "bootrec\\s+/fixmbr", "message": "Modifies master boot record", "category": "windows_disk", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
92
|
+
|
|
93
|
+
{"id": "WIN-SEC-001", "pattern": "netsh\\s+advfirewall\\s+set\\s+.*state\\s+off", "message": "Disables Windows firewall", "category": "windows_security", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
94
|
+
{"id": "WIN-SEC-002", "pattern": "netsh\\s+firewall\\s+set\\s+opmode\\s+disable", "message": "Disables Windows firewall (legacy)", "category": "windows_security", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
95
|
+
{"id": "WIN-SEC-003", "pattern": "Set-MpPreference\\s+-DisableRealtimeMonitoring", "message": "Disables Windows Defender", "category": "windows_security", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
96
|
+
{"id": "WIN-SEC-004", "pattern": "sc\\s+stop\\s+WinDefend", "message": "Stops Windows Defender service", "category": "windows_security", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
97
|
+
|
|
98
|
+
{"id": "WIN-RSHELL-001", "pattern": "powershell.*-e\\s+[A-Za-z0-9+/=]{20,}", "message": "Encoded PowerShell payload", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
99
|
+
{"id": "WIN-RSHELL-002", "pattern": "powershell.*IEX.*\\(New-Object.*Net\\.WebClient\\)", "message": "PowerShell download cradle", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
100
|
+
{"id": "WIN-RSHELL-003", "pattern": "powershell.*Invoke-WebRequest.*\\|\\s*iex", "message": "PowerShell download and execute", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
101
|
+
{"id": "WIN-RSHELL-004", "pattern": "certutil.*-urlcache.*-split.*-f", "message": "Certutil download (LOLBin)", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
102
|
+
{"id": "WIN-RSHELL-005", "pattern": "bitsadmin.*\\/transfer", "message": "BITSAdmin download (LOLBin)", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
103
|
+
{"id": "WIN-RSHELL-006", "pattern": "mshta\\s+http", "message": "MSHTA remote execution", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
104
|
+
{"id": "WIN-RSHELL-007", "pattern": "regsvr32\\s+/s\\s+/n\\s+/u\\s+/i:http", "message": "Regsvr32 script execution (Squiblydoo)", "category": "windows_reverse_shell", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
105
|
+
|
|
106
|
+
{"id": "WIN-ADMIN-001", "pattern": "net\\s+user\\s+.*\\s+/add", "message": "Creates Windows user account", "category": "windows_admin", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
107
|
+
{"id": "WIN-ADMIN-002", "pattern": "net\\s+localgroup\\s+administrators\\s+.*\\s+/add", "message": "Adds user to administrators", "category": "windows_admin", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
108
|
+
{"id": "WIN-ADMIN-003", "pattern": "net\\s+user\\s+administrator\\s+/active:yes", "message": "Enables built-in administrator", "category": "windows_admin", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
|
|
109
|
+
|
|
110
|
+
{"id": "WIN-SCHED-001", "pattern": "schtasks\\s+/create", "message": "Creates scheduled task (persistence)", "category": "windows_persistence", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
111
|
+
{"id": "WIN-SCHED-002", "pattern": "at\\s+\\d+:\\d+", "message": "Creates AT job (legacy scheduler)", "category": "windows_persistence", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
112
|
+
|
|
113
|
+
{"id": "WIN-EXEC-001", "pattern": "Set-ExecutionPolicy\\s+Bypass", "message": "Bypasses PowerShell execution policy", "category": "windows_persistence", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
114
|
+
{"id": "WIN-EXEC-002", "pattern": "powershell.*-ExecutionPolicy\\s+Bypass", "message": "Bypasses PowerShell execution policy", "category": "windows_persistence", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
115
|
+
{"id": "WIN-EXEC-003", "pattern": "powershell.*-ep\\s+bypass", "message": "Bypasses PowerShell execution policy", "category": "windows_persistence", "severity": "high", "platforms": ["windows"], "added": "1.0.0"},
|
|
116
|
+
|
|
117
|
+
{"id": "CMDSUB-001", "pattern": "\\bcd\\s+[^;&|]*(\\$\\(|`)", "message": "cd with command substitution (potential code execution)", "category": "shell_wrapper", "severity": "high", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
118
|
+
|
|
119
|
+
{"id": "WRAP-001", "pattern": "\\b(ba)?sh\\s+-c\\s+[\"'].*\\brm\\s+(-[^\\s]*\\s+)*-r", "message": "Shell wrapper hiding recursive delete", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
120
|
+
{"id": "WRAP-002", "pattern": "\\b(ba)?sh\\s+-c\\s+[\"'].*\\bdd\\s+.*of=/dev/", "message": "Shell wrapper hiding disk write", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
121
|
+
{"id": "WRAP-003", "pattern": "\\b(ba)?sh\\s+-c\\s+[\"'].*\\bmkfs", "message": "Shell wrapper hiding filesystem format", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
122
|
+
{"id": "WRAP-004", "pattern": "\\b(ba)?sh\\s+-c\\s+[\"'].*\\bcurl.*\\|\\s*(ba)?sh", "message": "Shell wrapper hiding curl pipe to shell", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
123
|
+
{"id": "WRAP-005", "pattern": "\\b(ba)?sh\\s+-c\\s+[\"'].*\\bwget.*\\|\\s*(ba)?sh", "message": "Shell wrapper hiding wget pipe to shell", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
124
|
+
{"id": "WRAP-006", "pattern": "\\bsudo\\s+(ba)?sh\\s+-c\\s+[\"'].*\\brm\\s+(-[^\\s]*\\s+)*-r", "message": "Sudo shell wrapper hiding recursive delete", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
125
|
+
{"id": "WRAP-007", "pattern": "\\bsudo\\s+(ba)?sh\\s+-c\\s+[\"'].*\\bchmod\\s+(-[^\\s]*\\s+)*777", "message": "Sudo shell wrapper hiding chmod 777", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
126
|
+
{"id": "WRAP-008", "pattern": "\\benv\\s+.*\\brm\\s+(-[^\\s]*\\s+)*-r", "message": "Env wrapper with recursive delete", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
127
|
+
{"id": "WRAP-009", "pattern": "\\bxargs\\s+.*\\brm\\s+(-[^\\s]*\\s+)*-r", "message": "xargs piping to recursive delete", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
128
|
+
{"id": "WRAP-010", "pattern": "\\bfind\\s+.*-exec\\s+rm\\s+(-[^\\s]*\\s+)*-r", "message": "find -exec with recursive delete", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
129
|
+
{"id": "WRAP-011", "pattern": "\\bfind\\s+(~|/home|/|/etc|/usr|/var)\\s+.*-delete", "message": "find -delete on system/home paths", "category": "shell_wrapper", "severity": "critical", "platforms": ["linux", "macos"], "added": "1.0.0"},
|
|
130
|
+
|
|
131
|
+
{"id": "CLOUD-AWS-001", "pattern": "\\baws\\s+s3\\s+rm\\s+.*--recursive", "message": "AWS S3 recursive delete", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
132
|
+
{"id": "CLOUD-AWS-002", "pattern": "\\baws\\s+s3\\s+rb\\s+.*--force", "message": "AWS S3 force remove bucket", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
133
|
+
{"id": "CLOUD-AWS-003", "pattern": "\\baws\\s+ec2\\s+terminate-instances\\b", "message": "AWS EC2 terminate instances", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
134
|
+
{"id": "CLOUD-AWS-004", "pattern": "\\baws\\s+rds\\s+delete-db-instance\\b", "message": "AWS RDS delete database", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
135
|
+
{"id": "CLOUD-AWS-005", "pattern": "\\baws\\s+cloudformation\\s+delete-stack\\b", "message": "AWS CloudFormation delete stack", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
136
|
+
{"id": "CLOUD-AWS-006", "pattern": "\\baws\\s+dynamodb\\s+delete-table\\b", "message": "AWS DynamoDB delete table", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
137
|
+
{"id": "CLOUD-AWS-007", "pattern": "\\baws\\s+eks\\s+delete-cluster\\b", "message": "AWS EKS delete cluster", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
138
|
+
{"id": "CLOUD-AWS-008", "pattern": "\\baws\\s+lambda\\s+delete-function\\b", "message": "AWS Lambda delete function", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
139
|
+
{"id": "CLOUD-AWS-009", "pattern": "\\baws\\s+iam\\s+delete-role\\b", "message": "AWS IAM delete role", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
140
|
+
{"id": "CLOUD-AWS-010", "pattern": "\\baws\\s+iam\\s+delete-user\\b", "message": "AWS IAM delete user", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
141
|
+
|
|
142
|
+
{"id": "CLOUD-GCP-001", "pattern": "\\bgcloud\\s+projects\\s+delete\\b", "message": "GCP delete entire project", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
143
|
+
{"id": "CLOUD-GCP-002", "pattern": "\\bgcloud\\s+compute\\s+instances\\s+delete\\b", "message": "GCP delete compute instance", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
144
|
+
{"id": "CLOUD-GCP-003", "pattern": "\\bgcloud\\s+sql\\s+instances\\s+delete\\b", "message": "GCP delete SQL instance", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
145
|
+
{"id": "CLOUD-GCP-004", "pattern": "\\bgcloud\\s+container\\s+clusters\\s+delete\\b", "message": "GCP delete GKE cluster", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
146
|
+
{"id": "CLOUD-GCP-005", "pattern": "\\bgcloud\\s+storage\\s+rm\\s+.*-r", "message": "GCP storage recursive delete", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
147
|
+
{"id": "CLOUD-GCP-006", "pattern": "\\bgcloud\\s+functions\\s+delete\\b", "message": "GCP delete Cloud Function", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
148
|
+
{"id": "CLOUD-GCP-007", "pattern": "\\bgcloud\\s+iam\\s+service-accounts\\s+delete\\b", "message": "GCP delete service account", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
149
|
+
|
|
150
|
+
{"id": "CLOUD-FB-001", "pattern": "\\bfirebase\\s+projects:delete\\b", "message": "Firebase delete project", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
151
|
+
{"id": "CLOUD-FB-002", "pattern": "\\bfirebase\\s+firestore:delete\\s+.*--all-collections", "message": "Firebase delete all Firestore data", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
152
|
+
{"id": "CLOUD-FB-003", "pattern": "\\bfirebase\\s+database:remove\\b", "message": "Firebase delete Realtime DB", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
153
|
+
{"id": "CLOUD-FB-004", "pattern": "\\bfirebase\\s+functions:delete\\b", "message": "Firebase delete functions", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
154
|
+
|
|
155
|
+
{"id": "CLOUD-K8S-001", "pattern": "\\bkubectl\\s+delete\\s+namespace\\b", "message": "Kubernetes delete namespace", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
156
|
+
{"id": "CLOUD-K8S-002", "pattern": "\\bkubectl\\s+delete\\s+all\\s+--all", "message": "Kubernetes delete all resources", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
157
|
+
{"id": "CLOUD-K8S-003", "pattern": "\\bkubectl\\s+delete\\s+.*--all\\s+--all-namespaces", "message": "Kubernetes delete across all namespaces", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
158
|
+
{"id": "CLOUD-K8S-004", "pattern": "\\bhelm\\s+uninstall\\b", "message": "Helm uninstall release", "category": "cloud_destructive", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
159
|
+
|
|
160
|
+
{"id": "CLOUD-DOCKER-001", "pattern": "\\bdocker\\s+system\\s+prune\\s+.*-a", "message": "Docker prune all unused data", "category": "cloud_destructive", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
161
|
+
{"id": "CLOUD-DOCKER-002", "pattern": "\\bdocker\\s+volume\\s+rm\\b", "message": "Docker remove volume (data loss)", "category": "cloud_destructive", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
162
|
+
{"id": "CLOUD-DOCKER-003", "pattern": "\\bdocker\\s+volume\\s+prune\\b", "message": "Docker prune volumes", "category": "cloud_destructive", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
163
|
+
|
|
164
|
+
{"id": "CLOUD-TF-001", "pattern": "\\bterraform\\s+destroy\\b", "message": "Terraform destroy infrastructure", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
165
|
+
{"id": "CLOUD-TF-002", "pattern": "\\bpulumi\\s+destroy\\b", "message": "Pulumi destroy resources", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
166
|
+
|
|
167
|
+
{"id": "DB-001", "pattern": "\\bredis-cli\\s+FLUSHALL", "message": "Redis flush all data", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
168
|
+
{"id": "DB-002", "pattern": "\\bredis-cli\\s+FLUSHDB", "message": "Redis flush database", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
169
|
+
{"id": "DB-003", "pattern": "\\bmongosh?.*dropDatabase", "message": "MongoDB drop database", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
170
|
+
{"id": "DB-004", "pattern": "\\bdropdb\\b", "message": "PostgreSQL drop database", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
171
|
+
{"id": "DB-005", "pattern": "\\bmysqladmin\\s+drop\\b", "message": "MySQL drop database", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
172
|
+
|
|
173
|
+
{"id": "CLOUD-PLAT-001", "pattern": "\\bvercel\\s+remove\\s+.*--yes", "message": "Vercel remove deployment", "category": "cloud_destructive", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
174
|
+
{"id": "CLOUD-PLAT-002", "pattern": "\\bvercel\\s+projects\\s+rm\\b", "message": "Vercel delete project", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
175
|
+
{"id": "CLOUD-PLAT-003", "pattern": "\\bnetlify\\s+sites:delete\\b", "message": "Netlify delete site", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
176
|
+
{"id": "CLOUD-PLAT-004", "pattern": "\\bheroku\\s+apps:destroy\\b", "message": "Heroku destroy app", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
177
|
+
{"id": "CLOUD-PLAT-005", "pattern": "\\bheroku\\s+pg:reset\\b", "message": "Heroku reset Postgres", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
178
|
+
{"id": "CLOUD-PLAT-006", "pattern": "\\bfly\\s+(apps\\s+)?destroy\\b", "message": "Fly.io destroy app", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
179
|
+
{"id": "CLOUD-PLAT-007", "pattern": "\\bgh\\s+repo\\s+delete\\b", "message": "GitHub delete repository", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
180
|
+
{"id": "CLOUD-PLAT-008", "pattern": "\\bnpm\\s+unpublish\\b", "message": "npm unpublish package", "category": "cloud_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
181
|
+
|
|
182
|
+
{"id": "SQL-001", "pattern": "\\bDELETE\\s+FROM\\s+[^\\s;]+\\s*;", "message": "SQL DELETE without WHERE clause", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
183
|
+
{"id": "SQL-002", "pattern": "\\bDELETE\\s+FROM\\s+[^\\s;]+\\s*$", "message": "SQL DELETE without WHERE clause", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
184
|
+
{"id": "SQL-003", "pattern": "\\bTRUNCATE\\s+TABLE\\b", "message": "SQL TRUNCATE TABLE", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
185
|
+
{"id": "SQL-004", "pattern": "\\bDROP\\s+TABLE\\b", "message": "SQL DROP TABLE", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
186
|
+
{"id": "SQL-005", "pattern": "\\bDROP\\s+DATABASE\\b", "message": "SQL DROP DATABASE", "category": "database_destructive", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
|
|
187
|
+
|
|
188
|
+
{"id": "MAC-DISK-001", "pattern": "\\bdiskutil\\s+eraseDisk\\b", "message": "Erases entire macOS disk", "category": "macos_disk", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
189
|
+
{"id": "MAC-DISK-002", "pattern": "\\bdiskutil\\s+eraseVolume\\b", "message": "Erases macOS volume", "category": "macos_disk", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
190
|
+
{"id": "MAC-DISK-003", "pattern": "\\bdiskutil\\s+partitionDisk\\b", "message": "Repartitions macOS disk (data loss)", "category": "macos_disk", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
191
|
+
{"id": "MAC-DISK-004", "pattern": "\\bdiskutil\\s+apfs\\s+deleteContainer\\b", "message": "Deletes APFS container", "category": "macos_disk", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
192
|
+
{"id": "MAC-DISK-005", "pattern": "\\bdiskutil\\s+secureErase\\b", "message": "Secure erases macOS disk", "category": "macos_disk", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
193
|
+
{"id": "MAC-DISK-006", "pattern": "\\bdiskutil\\s+zeroDisk\\b", "message": "Writes zeros to macOS disk", "category": "macos_disk", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
194
|
+
|
|
195
|
+
{"id": "MAC-KEY-001", "pattern": "\\bsecurity\\s+delete-keychain\\b", "message": "Deletes macOS keychain", "category": "macos_keychain", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
196
|
+
{"id": "MAC-KEY-002", "pattern": "\\bsecurity\\s+dump-keychain\\b", "message": "Dumps macOS keychain contents", "category": "macos_keychain", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
197
|
+
{"id": "MAC-KEY-003", "pattern": "\\bsecurity\\s+find-generic-password\\s+.*-w\\b", "message": "Extracts password from macOS keychain", "category": "macos_keychain", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
198
|
+
{"id": "MAC-KEY-004", "pattern": "\\bsecurity\\s+find-internet-password\\s+.*-w\\b", "message": "Extracts internet password from keychain", "category": "macos_keychain", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
199
|
+
{"id": "MAC-KEY-005", "pattern": "\\bsecurity\\s+export\\s+.*-k\\b", "message": "Exports macOS keychain", "category": "macos_keychain", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
200
|
+
|
|
201
|
+
{"id": "MAC-TM-001", "pattern": "\\btmutil\\s+delete\\b", "message": "Deletes Time Machine backup", "category": "macos_timemachine", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
202
|
+
{"id": "MAC-TM-002", "pattern": "\\btmutil\\s+disable\\b", "message": "Disables Time Machine", "category": "macos_timemachine", "severity": "high", "platforms": ["macos"], "added": "1.0.0"},
|
|
203
|
+
{"id": "MAC-TM-003", "pattern": "\\btmutil\\s+deletelocalsnapshots\\b", "message": "Deletes local Time Machine snapshots", "category": "macos_timemachine", "severity": "high", "platforms": ["macos"], "added": "1.0.0"},
|
|
204
|
+
{"id": "MAC-TM-004", "pattern": "\\brm\\s+.*Backups\\.backupdb", "message": "Deletes Time Machine backup data", "category": "macos_timemachine", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
205
|
+
|
|
206
|
+
{"id": "MAC-DS-001", "pattern": "\\bdscl\\s+\\.\\s+-delete\\s+/Users/", "message": "Deletes macOS user account", "category": "macos_directory_services", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
207
|
+
{"id": "MAC-DS-002", "pattern": "\\bdscl\\s+\\.\\s+-delete\\s+/Groups/", "message": "Deletes macOS group", "category": "macos_directory_services", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
208
|
+
{"id": "MAC-DS-003", "pattern": "\\bdscl\\s+\\.\\s+-append\\s+/Groups/admin\\s+", "message": "Adds user to admin group", "category": "macos_directory_services", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
209
|
+
|
|
210
|
+
{"id": "MAC-SEC-001", "pattern": "\\bspctl\\s+--master-disable\\b", "message": "Disables macOS Gatekeeper", "category": "macos_system_security", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
211
|
+
{"id": "MAC-SEC-002", "pattern": "\\bcsrutil\\s+disable\\b", "message": "Disables System Integrity Protection", "category": "macos_system_security", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
212
|
+
{"id": "MAC-SEC-003", "pattern": "\\bsystemsetup\\s+-setremotelogin\\s+on\\b", "message": "Enables SSH/remote login", "category": "macos_system_security", "severity": "high", "platforms": ["macos"], "added": "1.0.0"},
|
|
213
|
+
{"id": "MAC-SEC-004", "pattern": "\\bnvram\\s+boot-args", "message": "Modifies macOS boot arguments", "category": "macos_system_security", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
214
|
+
|
|
215
|
+
{"id": "MAC-PRIV-001", "pattern": "\\bsqlite3\\s+.*TCC\\.db", "message": "Direct access to macOS privacy database", "category": "macos_privacy", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
216
|
+
{"id": "MAC-PRIV-002", "pattern": "\\btccutil\\s+reset\\b", "message": "Resets macOS privacy permissions", "category": "macos_privacy", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
217
|
+
|
|
218
|
+
{"id": "MAC-PERSIST-001", "pattern": "\\blaunchctl\\s+load\\s+.*/Library/LaunchDaemons/", "message": "Loads system daemon (persistence mechanism)", "category": "macos_persistence", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
219
|
+
{"id": "MAC-PERSIST-002", "pattern": "\\blaunchctl\\s+unload\\s+.*com\\.apple\\.", "message": "Unloads Apple system service", "category": "macos_persistence", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
220
|
+
{"id": "MAC-PERSIST-003", "pattern": "\\bcp\\s+.*\\.plist\\s+.*/Library/LaunchDaemons/", "message": "Installs system daemon (persistence)", "category": "macos_persistence", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
221
|
+
{"id": "MAC-PERSIST-004", "pattern": "\\bcp\\s+.*\\.plist\\s+.*/Library/LaunchAgents/", "message": "Installs launch agent (persistence)", "category": "macos_persistence", "severity": "high", "platforms": ["macos"], "added": "1.0.0"},
|
|
222
|
+
{"id": "MAC-PERSIST-005", "pattern": "\\bmv\\s+.*\\.plist\\s+.*/Library/Launch", "message": "Moves plist to launch directory (persistence)", "category": "macos_persistence", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
|
|
223
|
+
|
|
224
|
+
{"id": "MAC-APP-001", "pattern": "\\brm\\s+.*~/Library/Application\\\\ Support/", "message": "Deletes macOS application data", "category": "macos_appdata", "severity": "high", "platforms": ["macos"], "added": "1.0.0"},
|
|
225
|
+
{"id": "MAC-APP-002", "pattern": "\\brm\\s+(-[^\\s]*\\s+)*-r.*~/Library/Preferences/", "message": "Recursively deletes macOS preferences", "category": "macos_appdata", "severity": "high", "platforms": ["macos"], "added": "1.0.0"},
|
|
226
|
+
{"id": "MAC-APP-003", "pattern": "\\bdefaults\\s+delete\\s+(com\\.apple\\.|NSGlobalDomain)", "message": "Deletes system preferences", "category": "macos_appdata", "severity": "high", "platforms": ["macos"], "added": "1.0.0"}
|
|
227
|
+
]
|
|
228
|
+
}
|
|
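--- a/package/patterns/bash-safe.json
+++ b/package/patterns/bash-safe.json
@@ -0,0 +1,91 @@
+{
+"version": "1.0.0",
+"scope": "bash",
+"type": "safe",
+"match_mode": "fullmatch",
+"patterns": [
+
+{"id": "SAFE-SELF-001", "pattern": "^python\\s+.*[/\\\\]\\.claude[/\\\\]plugins[/\\\\]hs[/\\\\].*\\.py(?:\\s+.*)?$", "category": "self_management", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-SELF-002", "pattern": "^python\\s+.*\\.hardstop.*$", "category": "self_management", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-SELF-003", "pattern": "^cat\\s+.*\\.hardstop[/\\\\].*$", "category": "self_management", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-SELF-004", "pattern": "^cat\\s+.*\\.claude[/\\\\]plugins[/\\\\]hs[/\\\\].*$", "category": "self_management", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-SELF-005", "pattern": "^rm\\s+(-f\\s+)?.*\\.hardstop[/\\\\](skip_next|hook_debug\\.log)$", "category": "self_management", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-SELF-006", "pattern": "^grep\\s+.*\\.claude[/\\\\]plugins[/\\\\]hs[/\\\\].*$", "category": "self_management", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+
+{"id": "SAFE-RO-001", "pattern": "^ls(?:\\s+.*)?$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-002", "pattern": "^cd(?:\\s+(?:\"[^`$()]*\"|'[^']*'|[^\\s`$()]+))?$", "category": "read_only", "platforms": ["linux", "macos"], "notes": "Blocks command substitution $() and backticks", "added": "1.0.0"},
+{"id": "SAFE-RO-003", "pattern": "^cat\\s+(?!.*(\\.\\.ssh/id_|\\.aws/credentials|\\.kube/config|\\.docker/config\\.json|\\.npmrc|\\.netrc|\\.gnupg/|\\.git-credentials|/etc/shadow|\\.env$|\\.env\\s)).+$", "category": "read_only", "platforms": ["linux", "macos"], "notes": "Allows cat except on credential paths (caught by DANGEROUS first)", "added": "1.0.0"},
+{"id": "SAFE-RO-004", "pattern": "^head\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-005", "pattern": "^tail\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-006", "pattern": "^less\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-007", "pattern": "^more\\s+.+$", "category": "read_only", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-RO-008", "pattern": "^pwd\\s*$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-009", "pattern": "^which\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-010", "pattern": "^type\\s+.+$", "category": "read_only", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-RO-011", "pattern": "^file\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-012", "pattern": "^wc\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-013", "pattern": "^grep\\s+.+$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-014", "pattern": "^find\\s+.*\\s-name\\s+.*$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-015", "pattern": "^echo(?:\\s+[^>|;&]*)?$", "category": "read_only", "platforms": ["linux", "macos"], "notes": "Excludes redirects (>), pipes (|), and command chaining (;, &) — these are write/exec operations, not read-only", "added": "1.0.0"},
+{"id": "SAFE-RO-016", "pattern": "^date\\s*$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-017", "pattern": "^whoami\\s*$", "category": "read_only", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-RO-018", "pattern": "^hostname\\s*$", "category": "read_only", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-RO-019", "pattern": "^uname(?:\\s+.*)?$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-020", "pattern": "^env\\s*$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-RO-021", "pattern": "^printenv(?:\\s+.*)?$", "category": "read_only", "platforms": ["linux", "macos"], "added": "1.0.0"},
+
+{"id": "SAFE-GIT-001", "pattern": "^git\\s+(status|log|diff|show|remote|describe|shortlog|whatchanged|rev-parse|rev-list|cat-file|ls-tree)(?:\\s+.*)?$", "category": "git_read", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-GIT-002", "pattern": "^git\\s+ls-[^\\s]+(?:\\s+.*)?$", "category": "git_read", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-GIT-003", "pattern": "^git\\s+(add|commit|push|pull|fetch|clone|stash|checkout|switch|restore|merge|cherry-pick|branch|tag|init|config|am|apply|bisect|blame|bundle|format-patch|gc|mv|notes|reflog|revert|rm|submodule|worktree)(?:\\s+.*)?$", "category": "git_workflow", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-GIT-004", "pattern": "^git\\s+rebase(?!\\s+.*--exec)(?:\\s+.*)?$", "category": "git_workflow", "platforms": ["linux", "macos", "windows"], "notes": "Rebase allowed, but not with --exec", "added": "1.0.0"},
+
+{"id": "SAFE-CLEAN-001", "pattern": "^rm\\s+(-[^\\s]*\\s+)*node_modules/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-002", "pattern": "^rm\\s+(-[^\\s]*\\s+)*__pycache__/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-003", "pattern": "^rm\\s+(-[^\\s]*\\s+)*\\.venv/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-004", "pattern": "^rm\\s+(-[^\\s]*\\s+)*venv/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-005", "pattern": "^rm\\s+(-[^\\s]*\\s+)*\\.pytest_cache/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-006", "pattern": "^rm\\s+(-[^\\s]*\\s+)*dist/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-007", "pattern": "^rm\\s+(-[^\\s]*\\s+)*build/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-008", "pattern": "^rm\\s+(-[^\\s]*\\s+)*\\.next/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-009", "pattern": "^rm\\s+(-[^\\s]*\\s+)*\\.nuxt/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-010", "pattern": "^rm\\s+(-[^\\s]*\\s+)*coverage/?\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+{"id": "SAFE-CLEAN-011", "pattern": "^rm\\s+(-[^\\s]*\\s+)*(/tmp/|\\$TMPDIR)\\s*$", "category": "regeneratable_cleanup", "platforms": ["linux", "macos"], "added": "1.0.0"},
+
+{"id": "SAFE-PKG-001", "pattern": "^npm\\s+(list|ls|outdated|audit|view)(?:\\s+.*)?$", "category": "package_read", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-PKG-002", "pattern": "^pip\\s+(list|show|freeze)(?:\\s+.*)?$", "category": "package_read", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "SAFE-PKG-003", "pattern": "^yarn\\s+(list|outdated|why)(?:\\s+.*)?$", "category": "package_read", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+
+{"id": "SAFE-WINRO-001", "pattern": "^dir(?:\\s+.*)?$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINRO-002", "pattern": "^where\\s+.+$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINRO-003", "pattern": "^systeminfo\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINRO-004", "pattern": "^ver\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINRO-005", "pattern": "^set\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+
+{"id": "SAFE-WINPS-001", "pattern": "^Get-Content\\s+.+$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINPS-002", "pattern": "^Get-ChildItem(?:\\s+.*)?$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINPS-003", "pattern": "^Get-Location\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINPS-004", "pattern": "^Get-Item\\s+.+$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINPS-005", "pattern": "^Get-Process\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINPS-006", "pattern": "^Get-Service\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINPS-007", "pattern": "^\\$PWD\\s*$", "category": "windows_read_only", "platforms": ["windows"], "added": "1.0.0"},
+
+{"id": "SAFE-WINCLEAN-001", "pattern": "^rd\\s+(/s|/q|\\s)+\\s*node_modules\\s*$", "category": "windows_cleanup", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINCLEAN-002", "pattern": "^rd\\s+(/s|/q|\\s)+\\s*__pycache__\\s*$", "category": "windows_cleanup", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINCLEAN-003", "pattern": "^rd\\s+(/s|/q|\\s)+\\s*\\.venv\\s*$", "category": "windows_cleanup", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINCLEAN-004", "pattern": "^rd\\s+(/s|/q|\\s)+\\s*dist\\s*$", "category": "windows_cleanup", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINCLEAN-005", "pattern": "^rd\\s+(/s|/q|\\s)+\\s*build\\s*$", "category": "windows_cleanup", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "SAFE-WINCLEAN-006", "pattern": "^rmdir\\s+(/s|/q|\\s)+\\s*node_modules\\s*$", "category": "windows_cleanup", "platforms": ["windows"], "added": "1.0.0"},
+
+{"id": "SAFE-MACRO-001", "pattern": "^diskutil\\s+list\\s*$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-002", "pattern": "^diskutil\\s+info\\s+.+$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-003", "pattern": "^system_profiler\\s+.+$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-004", "pattern": "^sw_vers\\s*$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-005", "pattern": "^defaults\\s+read\\s+.+$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-006", "pattern": "^security\\s+find-certificate\\s+.+$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-007", "pattern": "^tmutil\\s+listbackups\\s*$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-008", "pattern": "^tmutil\\s+status\\s*$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-009", "pattern": "^launchctl\\s+list\\s*$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-010", "pattern": "^dscl\\s+\\.\\s+-read\\s+.+$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "SAFE-MACRO-011", "pattern": "^spctl\\s+--status\\s*$", "category": "macos_read_only", "platforms": ["macos"], "added": "1.0.0"}
+]
+}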
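Review bot: The read-only allowlist entries SAFE-RO-004 through SAFE-RO-013 (head, tail, less, more, which, type, file, wc, grep) accept their whole argument text through `\s+.+$`, so under fullmatch a command line that continues after the read-only command with a separator, pipe, redirect or command substitution still matches a "safe" rule, while SAFE-RO-002 and SAFE-RO-015 in the same file deliberately exclude exactly those characters. If, as the SAFE-RO-003 note implies, the dangerous list is evaluated first, the gap is bounded by what that list happens to cover, but an allowlist should carry its own precision rather than depend on the denylist. Apply the SAFE-RO-015 exclusion to the other read-only rules, extended with backticks and `$(`, e.g. `"pattern": "^head\\s+[^>|;&]+$"` as the minimum, and reuse SAFE-RO-002's quoted-argument alternation for grep where search patterns legitimately contain those characters. SAFE-SELF-002 has the same shape: `^python\\s+.*\\.hardstop.*$` is satisfied by any python invocation whose argument text contains `.hardstop` anywhere, not only a path under that directory; anchoring it to a path segment as SAFE-SELF-003 does with `\\.hardstop[/\\\\]` would narrow it to its intended scope.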
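--- a/package/patterns/meta.json
+++ b/package/patterns/meta.json
@@ -0,0 +1,21 @@
+{
+"schema_version": "1.0.0",
+"patterns_version": "1.0.0",
+"stats": {
+"bash_dangerous": 180,
+"bash_safe": 74,
+"read_dangerous": 71,
+"read_sensitive": 11,
+"read_safe": 92
+},
+"total": 428,
+"regex_notes": {
+"lookbehinds": "Some patterns use fixed-length lookbehinds. Supported in Python re, Node.js 16+.",
+"fullmatch": "Safe bash patterns use fullmatch semantics (anchored ^...$). JS consumers should use the match_mode field.",
+"flags": "All patterns use case-insensitive matching."
+},
+"compatibility": {
+"python": ">=3.8",
+"node": ">=16.0.0"
+}
+}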
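Review bot: The `stats` counts and `total` are hand-maintained literals with nothing tying them to the `patterns` arrays they describe, so they will drift silently as rules are added or removed; either generate meta.json from the pattern files at publish time or add a test that recomputes each count and the total from the arrays. The `flags` note states that all patterns are case-insensitive, but the two pattern files visible in this diff carry only `version`, `scope`, `type`, `match_mode` and `patterns`, so a consumer that loads a pattern file on its own has no way to learn this; a `"flags": "i"` key next to `match_mode` in each pattern file, or a sentence in the `fullmatch` note pointing consumers here, would make the contract self-describing. The `lookbehinds` note would also be clearer if it named which pattern files use them, since a JS consumer on an older engine only needs to care about those.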
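--- a/package/patterns/read-dangerous.json
+++ b/package/patterns/read-dangerous.json
@@ -0,0 +1,79 @@
+{
+"version": "1.0.0",
+"scope": "read",
+"type": "dangerous",
+"match_mode": "search",
+"patterns": [
+{"id": "CRED-SSH-001", "pattern": "[/\\\\]\\.ssh[/\\\\]id_rsa$", "message": "SSH private key (RSA)", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-002", "pattern": "[/\\\\]\\.ssh[/\\\\]id_ed25519$", "message": "SSH private key (Ed25519)", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-003", "pattern": "[/\\\\]\\.ssh[/\\\\]id_ecdsa$", "message": "SSH private key (ECDSA)", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-004", "pattern": "[/\\\\]\\.ssh[/\\\\]id_dsa$", "message": "SSH private key (DSA)", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-005", "pattern": "[/\\\\]\\.ssh[/\\\\][^/\\\\]+\\.pem$", "message": "SSH PEM key file", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-006", "pattern": "[/\\\\]\\.ssh[/\\\\][^/\\\\]+\\.key$", "message": "SSH key file", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-007", "pattern": "[/\\\\]\\.ssh[/\\\\]known_hosts$", "message": "SSH known hosts (reveals infrastructure)", "category": "ssh_keys", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-008", "pattern": "[/\\\\]\\.ssh[/\\\\]authorized_keys$", "message": "SSH authorized keys", "category": "ssh_keys", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-SSH-009", "pattern": "[/\\\\]\\.ssh[/\\\\]config$", "message": "SSH config (may contain hostnames, usernames)", "category": "ssh_keys", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-001", "pattern": "[/\\\\]\\.aws[/\\\\]credentials$", "message": "AWS credentials file", "category": "cloud_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-002", "pattern": "[/\\\\]\\.aws[/\\\\]config$", "message": "AWS config file", "category": "cloud_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-003", "pattern": "[/\\\\]\\.azure[/\\\\]credentials$", "message": "Azure credentials file", "category": "cloud_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-004", "pattern": "[/\\\\]\\.azure[/\\\\]accessTokens\\.json$", "message": "Azure access tokens", "category": "cloud_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-005", "pattern": "[/\\\\]\\.config[/\\\\]gcloud[/\\\\]credentials\\.db$", "message": "GCP credentials database", "category": "cloud_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-006", "pattern": "[/\\\\]\\.config[/\\\\]gcloud[/\\\\]application_default_credentials\\.json$", "message": "GCP application credentials", "category": "cloud_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-007", "pattern": "[/\\\\]\\.config[/\\\\]gcloud[/\\\\]access_tokens\\.db$", "message": "GCP access tokens", "category": "cloud_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CLOUD-008", "pattern": "[/\\\\]\\.boto$", "message": "Legacy AWS boto config", "category": "cloud_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-001", "pattern": "[/\\\\]\\.env$", "message": "Environment file with secrets", "category": "environment_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-002", "pattern": "[/\\\\]\\.env\\.local$", "message": "Local environment file", "category": "environment_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-003", "pattern": "[/\\\\]\\.env\\.production$", "message": "Production environment file", "category": "environment_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-004", "pattern": "[/\\\\]\\.env\\.development$", "message": "Development environment file", "category": "environment_files", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-005", "pattern": "[/\\\\]\\.env\\.staging$", "message": "Staging environment file", "category": "environment_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-006", "pattern": "[/\\\\]\\.env\\.test$", "message": "Test environment file", "category": "environment_files", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-ENV-007", "pattern": "[/\\\\]\\.env\\.(?!example$|template$|sample$|dist$)[a-zA-Z0-9]+$", "message": "Environment file variant", "category": "environment_files", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0", "notes": "Excludes .env.example/.template/.sample/.dist (template files, caught by read-safe)"},
+{"id": "CRED-TOKEN-001", "pattern": "[/\\\\]credentials\\.json$", "message": "Credentials JSON file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-002", "pattern": "[/\\\\]client_secret[^/\\\\]*\\.json$", "message": "OAuth client secret", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-003", "pattern": "[/\\\\]secrets\\.yaml$", "message": "Secrets YAML file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-004", "pattern": "[/\\\\]secrets\\.yml$", "message": "Secrets YML file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-005", "pattern": "[/\\\\]secrets\\.json$", "message": "Secrets JSON file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-006", "pattern": "[/\\\\]\\.netrc$", "message": "Network credentials file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-007", "pattern": "[/\\\\]\\.npmrc$", "message": "npm credentials file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-008", "pattern": "[/\\\\]\\.pypirc$", "message": "PyPI credentials file", "category": "token_files", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-009", "pattern": "[/\\\\]\\.gemrc$", "message": "Ruby gems credentials", "category": "token_files", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-TOKEN-010", "pattern": "[/\\\\]\\.nuget[/\\\\]NuGet\\.Config$", "message": "NuGet credentials", "category": "token_files", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-DOCKER-001", "pattern": "[/\\\\]\\.dockercfg$", "message": "Docker config file", "category": "container_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-DOCKER-002", "pattern": "[/\\\\]\\.docker[/\\\\]config\\.json$", "message": "Docker config with auth", "category": "container_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-K8S-001", "pattern": "[/\\\\]\\.kube[/\\\\]config$", "message": "Kubernetes config with credentials", "category": "container_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-K8S-002", "pattern": "[/\\\\]kubeconfig$", "message": "Kubernetes config file", "category": "container_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-K8S-003", "pattern": "[/\\\\]kubeconfig\\.yaml$", "message": "Kubernetes config YAML", "category": "container_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-DB-001", "pattern": "[/\\\\]\\.pgpass$", "message": "PostgreSQL password file", "category": "database_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-DB-002", "pattern": "[/\\\\]\\.my\\.cnf$", "message": "MySQL config with credentials", "category": "database_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-DB-003", "pattern": "[/\\\\]\\.mongocli\\.json$", "message": "MongoDB CLI config", "category": "database_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-DB-004", "pattern": "[/\\\\]\\.dbshell$", "message": "Database shell history", "category": "database_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-001", "pattern": "private[^/\\\\]*\\.pem$", "message": "Private PEM key", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-002", "pattern": "private[^/\\\\]*\\.key$", "message": "Private key file", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-003", "pattern": "[/\\\\][^/\\\\]*\\.p12$", "message": "PKCS12 certificate bundle", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-004", "pattern": "[/\\\\][^/\\\\]*\\.pfx$", "message": "PFX certificate bundle", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-005", "pattern": "[/\\\\][^/\\\\]*_rsa$", "message": "RSA private key", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-006", "pattern": "[/\\\\][^/\\\\]*_ed25519$", "message": "Ed25519 private key", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-KEY-007", "pattern": "[/\\\\][^/\\\\]*_ecdsa$", "message": "ECDSA private key", "category": "private_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-001", "pattern": "[/\\\\]\\.gh[/\\\\]hosts\\.yml$", "message": "GitHub CLI credentials", "category": "platform_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-002", "pattern": "[/\\\\]\\.config[/\\\\]gh[/\\\\]hosts\\.yml$", "message": "GitHub CLI credentials", "category": "platform_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-003", "pattern": "[/\\\\]\\.config[/\\\\]hub$", "message": "Hub CLI config", "category": "platform_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-004", "pattern": "[/\\\\]\\.gitconfig$", "message": "Git config (may contain credentials)", "category": "platform_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-005", "pattern": "[/\\\\]\\.git-credentials$", "message": "Git credentials file", "category": "platform_credentials", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-006", "pattern": "[/\\\\]\\.hgrc$", "message": "Mercurial config", "category": "platform_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-PLAT-007", "pattern": "[/\\\\]\\.svn[/\\\\]auth[/\\\\]", "message": "SVN auth directory", "category": "platform_credentials", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CI-001", "pattern": "[/\\\\]\\.travis\\.yml$", "message": "Travis CI config (may have encrypted secrets)", "category": "ci_cd", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-CI-002", "pattern": "[/\\\\]\\.circleci[/\\\\]config\\.yml$", "message": "CircleCI config", "category": "ci_cd", "severity": "high", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"},
+{"id": "CRED-WIN-001", "pattern": "AppData[/\\\\]Roaming[/\\\\]\\.aws[/\\\\]credentials$", "message": "Windows AWS credentials", "category": "windows_credentials", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "CRED-WIN-002", "pattern": "AppData[/\\\\]Roaming[/\\\\]gcloud[/\\\\]credentials\\.db$", "message": "Windows GCP credentials", "category": "windows_credentials", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "CRED-WIN-003", "pattern": "[/\\\\]NTUSER\\.DAT$", "message": "Windows user registry hive", "category": "windows_credentials", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "CRED-WIN-004", "pattern": "[/\\\\]SAM$", "message": "Windows SAM database", "category": "windows_credentials", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "CRED-WIN-005", "pattern": "[/\\\\]SYSTEM$", "message": "Windows SYSTEM registry", "category": "windows_credentials", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "CRED-WIN-006", "pattern": "[/\\\\]SECURITY$", "message": "Windows SECURITY registry", "category": "windows_credentials", "severity": "critical", "platforms": ["windows"], "added": "1.0.0"},
+{"id": "CRED-MAC-001", "pattern": "[/\\\\]Library[/\\\\]Keychains[/\\\\]", "message": "macOS keychain files", "category": "macos_credentials", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "CRED-MAC-002", "pattern": "[/\\\\]com\\.apple\\.TCC[/\\\\]TCC\\.db$", "message": "macOS privacy database", "category": "macos_credentials", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "CRED-MAC-003", "pattern": "[/\\\\]Chrome[/\\\\].*[/\\\\]Login Data$", "message": "Chrome saved passwords", "category": "browser_credentials", "severity": "critical", "platforms": ["macos", "windows", "linux"], "added": "1.0.0"},
+{"id": "CRED-MAC-004", "pattern": "[/\\\\]Firefox[/\\\\].*[/\\\\]logins\\.json$", "message": "Firefox saved passwords", "category": "browser_credentials", "severity": "critical", "platforms": ["macos", "windows", "linux"], "added": "1.0.0"},
+{"id": "CRED-MAC-005", "pattern": "[/\\\\]etc[/\\\\]authorization$", "message": "macOS authorization database", "category": "macos_credentials", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"},
+{"id": "CRED-MAC-006", "pattern": "[/\\\\]var[/\\\\]db[/\\\\]dslocal[/\\\\]", "message": "Directory services database", "category": "macos_credentials", "severity": "critical", "platforms": ["macos"], "added": "1.0.0"}
+]
+}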
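Review bot: Almost every pattern in this file is `$`-anchored on a literal filename, so the deny list only holds if the caller canonicalizes the path before matching; a path that still carries `.`/`..` segments, a trailing separator or a symlink name does not end in `id_rsa` and CRED-SSH-001 never fires although the same file is read. That contract is not stated anywhere in the file, so I would add a top-level note such as `"notes": "Patterns are applied to a normalized absolute path (resolved ., .., symlinks; no trailing separator)"` and make the loader in index.js perform that normalization, which I cannot confirm from this hunk. The SSH group also stops at the four classic key names: the OpenSSH FIDO variants `id_ed25519_sk` and `id_ecdsa_sk` are matched neither by CRED-SSH-002/003 nor by CRED-KEY-006/007, whose `_ed25519$`/`_ecdsa$` anchors require the name to end there; one extra entry `{"id": "CRED-SSH-010", "pattern": "[/\\\\]\\.ssh[/\\\\]id_[a-z0-9]+_sk$", "message": "SSH private key (FIDO/security key)", "category": "ssh_keys", "severity": "critical", "platforms": ["linux", "macos", "windows"], "added": "1.0.0"}` closes that gap.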