muaddib-scanner 1.0.0

package/src/rules/index.js

@@ -0,0 +1,197 @@
+const RULES = {
+  // AST detections
+  sensitive_string: {
+    id: 'MUADDIB-AST-001',
+    name: 'Sensitive String Reference',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Reference a un chemin ou identifiant sensible (.npmrc, .ssh, tokens)',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm',
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'
+    ],
+    mitre: 'T1552.001'
+  },
+  env_access: {
+    id: 'MUADDIB-AST-002',
+    name: 'Sensitive Environment Variable Access',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Acces a une variable d\'environnement sensible (GITHUB_TOKEN, NPM_TOKEN, AWS_*)',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm',
+      'https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions'
+    ],
+    mitre: 'T1552.001'
+  },
+  dangerous_call_exec: {
+    id: 'MUADDIB-AST-003',
+    name: 'Dangerous Function Call',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Appel a une fonction dangereuse (exec, spawn, eval, Function)',
+    references: [
+      'https://owasp.org/www-community/attacks/Command_Injection'
+    ],
+    mitre: 'T1059'
+  },
+  dangerous_call_eval: {
+    id: 'MUADDIB-AST-004',
+    name: 'Eval Usage',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Utilisation de eval() ou new Function() - execution de code dynamique',
+    references: [
+      'https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!'
+    ],
+    mitre: 'T1059.007'
+  },
+
+  // Shell detections
+  curl_exec: {
+    id: 'MUADDIB-SHELL-001',
+    name: 'Remote Code Execution via Curl',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Telecharge et execute du code distant via curl | sh',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1105'
+  },
+  reverse_shell: {
+    id: 'MUADDIB-SHELL-002',
+    name: 'Reverse Shell',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Tentative de connexion reverse shell',
+    references: [
+      'https://attack.mitre.org/techniques/T1059/004/'
+    ],
+    mitre: 'T1059.004'
+  },
+  home_deletion: {
+    id: 'MUADDIB-SHELL-003',
+    name: 'Dead Man\'s Switch',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Suppression du repertoire home - dead man\'s switch de Shai-Hulud',
+    references: [
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'
+    ],
+    mitre: 'T1485'
+  },
+
+  // Package detections
+  lifecycle_script: {
+    id: 'MUADDIB-PKG-001',
+    name: 'Suspicious Lifecycle Script',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Script preinstall/postinstall suspect dans package.json',
+    references: [
+      'https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm'
+    ],
+    mitre: 'T1195.002'
+  },
+
+  // Obfuscation detections
+  obfuscation_detected: {
+    id: 'MUADDIB-OBF-001',
+    name: 'Code Obfuscation Detected',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Code fortement obfusque detecte - probablement malveillant',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1027'
+  },
+
+  // Dependency detections
+  known_malicious_package: {
+    id: 'MUADDIB-DEP-001',
+    name: 'Known Malicious Package',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Package present dans la base IOC de packages malveillants connus',
+    references: [
+      'https://socket.dev/npm/issue'
+    ],
+    mitre: 'T1195.002'
+  },
+  suspicious_file: {
+    id: 'MUADDIB-DEP-002',
+    name: 'Suspicious File in Dependency',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Fichier suspect detecte dans une dependance (setup_bun.js, etc.)',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1195.002'
+  },
+  shai_hulud_marker: {
+    id: 'MUADDIB-DEP-003',
+    name: 'Shai-Hulud Marker Detected',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Marqueur Shai-Hulud detecte dans le code',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm',
+      'https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack'
+    ],
+    mitre: 'T1195.002'
+  },
+  lifecycle_script_dependency: {
+    id: 'MUADDIB-DEP-004',
+    name: 'Lifecycle Script in Dependency',
+    severity: 'MEDIUM',
+    confidence: 'low',
+    description: 'Une dependance a un script preinstall/postinstall',
+    references: [
+      'https://docs.npmjs.com/cli/v9/using-npm/scripts#life-cycle-scripts'
+    ],
+    mitre: 'T1195.002'
+  },
+
+  // Hash detections
+  known_malicious_hash: {
+    id: 'MUADDIB-HASH-001',
+    name: 'Known Malicious File Hash',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Hash SHA256 correspond a un fichier malveillant connu',
+    references: [
+      'https://www.virustotal.com'
+    ],
+    mitre: 'T1195.002'
+  },
+
+  // Dataflow detections
+  suspicious_dataflow: {
+    id: 'MUADDIB-FLOW-001',
+    name: 'Suspicious Data Flow',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Flux de donnees suspect: lecture de credentials puis envoi reseau',
+    references: [
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1041'
+  }
+};
+
+function getRule(type) {
+  return RULES[type] || {
+    id: 'MUADDIB-UNK-001',
+    name: 'Unknown Threat',
+    severity: 'MEDIUM',
+    confidence: 'low',
+    description: 'Menace non categorisee',
+    references: [],
+    mitre: null
+  };
+}
+
+module.exports = { RULES, getRule };

package/src/sarif.js

@@ -0,0 +1,74 @@
+const { RULES } = require('./rules/index.js');
+
+function generateSARIF(results) {
+  const sarif = {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: 'MUADDIB',
+            version: '1.0.0',
+            informationUri: 'https://github.com/DNSZLSK/muad-dib',
+            rules: Object.values(RULES).map(rule => ({
+              id: rule.id,
+              name: rule.name,
+              shortDescription: { text: rule.description },
+              fullDescription: { text: rule.description },
+              helpUri: rule.references[0] || '',
+              properties: {
+                severity: rule.severity,
+                confidence: rule.confidence,
+                mitre: rule.mitre
+              }
+            }))
+          }
+        },
+        results: results.threats.map(threat => ({
+          ruleId: threat.rule_id,
+          level: sarifLevel(threat.severity),
+          message: { text: threat.message },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: {
+                  uri: threat.file,
+                  uriBaseId: '%SRCROOT%'
+                },
+                region: {
+                  startLine: threat.line || 1
+                }
+              }
+            }
+          ],
+          properties: {
+            confidence: threat.confidence,
+            mitre: threat.mitre
+          }
+        }))
+      }
+    ]
+  };
+
+  return sarif;
+}
+
+function sarifLevel(severity) {
+  switch (severity) {
+    case 'CRITICAL': return 'error';
+    case 'HIGH': return 'error';
+    case 'MEDIUM': return 'warning';
+    case 'LOW': return 'note';
+    default: return 'note';
+  }
+}
+
+function saveSARIF(results, outputPath) {
+  const fs = require('fs');
+  const sarif = generateSARIF(results);
+  fs.writeFileSync(outputPath, JSON.stringify(sarif, null, 2));
+  return outputPath;
+}
+
+module.exports = { generateSARIF, saveSARIF };

package/src/scanner/ast.js

@@ -0,0 +1,175 @@
+const fs = require('fs');
+const path = require('path');
+const acorn = require('acorn');
+const walk = require('acorn-walk');
+
+const EXCLUDED_FILES = [
+  'src/scanner/ast.js',
+  'src/scanner/shell.js',
+  'src/scanner/package.js',
+  'src/ioc/feeds.js',
+  'src/response/playbooks.js'
+];
+
+const EXCLUDED_DIRS = ['test', 'node_modules', '.git', 'src'];
+
+const DANGEROUS_CALLS = [
+  'eval',
+  'Function',
+  'exec',
+  'execSync',
+  'spawn',
+  'spawnSync'
+];
+
+const SENSITIVE_STRINGS = [
+  '.npmrc',
+  '.ssh',
+  'GITHUB_TOKEN',
+  'NPM_TOKEN',
+  'AWS_SECRET',
+  'api.github.com',
+  'Shai-Hulud',
+  'The Second Coming',
+  'Goldox-T3chs'
+];
+
+async function analyzeAST(targetPath) {
+  const threats = [];
+  const files = findJsFiles(targetPath);
+
+  for (const file of files) {
+    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
+    
+    if (EXCLUDED_FILES.includes(relativePath)) {
+      continue;
+    }
+    
+    const content = fs.readFileSync(file, 'utf8');
+    const fileThreats = analyzeFile(content, file, targetPath);
+    threats.push(...fileThreats);
+  }
+
+  return threats;
+}
+
+function analyzeFile(content, filePath, basePath) {
+  const threats = [];
+  let ast;
+
+  try {
+    ast = acorn.parse(content, { 
+      ecmaVersion: 2022,
+      sourceType: 'module',
+      allowHashBang: true
+    });
+  } catch (e) {
+    // Fichier non parseable, peut etre obfusque
+    if (content.length > 1000 && content.split('\n').length < 10) {
+      threats.push({
+        type: 'possible_obfuscation',
+        severity: 'MEDIUM',
+        message: 'Fichier difficilement parseable, possiblement obfusque.',
+        file: path.relative(basePath, filePath)
+      });
+    }
+    return threats;
+  }
+
+  // Analyse des appels de fonction
+  walk.simple(ast, {
+    CallExpression(node) {
+      const callName = getCallName(node);
+      
+      if (DANGEROUS_CALLS.includes(callName)) {
+        threats.push({
+          type: 'dangerous_call_' + callName.toLowerCase(),
+          severity: callName === 'eval' ? 'HIGH' : 'MEDIUM',
+          message: `Appel dangereux "${callName}" detecte.`,
+          file: path.relative(basePath, filePath)
+        });
+      }
+    },
+
+    NewExpression(node) {
+      if (node.callee.type === 'Identifier' && node.callee.name === 'Function') {
+        threats.push({
+          type: 'dangerous_call_function',
+          severity: 'HIGH',
+          message: 'Appel dangereux "new Function()" detecte.',
+          file: path.relative(basePath, filePath)
+        });
+      }
+    },
+
+    Literal(node) {
+      if (typeof node.value === 'string') {
+        for (const sensitive of SENSITIVE_STRINGS) {
+          if (node.value.includes(sensitive)) {
+            threats.push({
+              type: 'sensitive_string',
+              severity: 'HIGH',
+              message: `Reference a "${sensitive}" detectee.`,
+              file: path.relative(basePath, filePath)
+            });
+          }
+        }
+      }
+    },
+
+    MemberExpression(node) {
+      // Detecte process.env.XXX
+      if (
+        node.object?.object?.name === 'process' &&
+        node.object?.property?.name === 'env'
+      ) {
+        const envVar = node.property?.name;
+        if (envVar && SENSITIVE_STRINGS.some(s => envVar.includes(s.replace('.', '')))) {
+          threats.push({
+            type: 'env_access',
+            severity: 'HIGH',
+            message: `Acces a variable sensible process.env.${envVar}.`,
+            file: path.relative(basePath, filePath)
+          });
+        }
+      }
+    }
+  });
+
+  return threats;
+}
+
+function getCallName(node) {
+  if (node.callee.type === 'Identifier') {
+    return node.callee.name;
+  }
+  if (node.callee.type === 'MemberExpression' && node.callee.property) {
+    return node.callee.property.name;
+  }
+  return '';
+}
+
+function findJsFiles(dir) {
+  const results = [];
+  
+  if (!fs.existsSync(dir)) return results;
+  
+  const items = fs.readdirSync(dir);
+  
+  for (const item of items) {
+    if (EXCLUDED_DIRS.includes(item)) continue;
+    
+    const fullPath = path.join(dir, item);
+    const stat = fs.statSync(fullPath);
+    
+    if (stat.isDirectory()) {
+      results.push(...findJsFiles(fullPath));
+    } else if (item.endsWith('.js')) {
+      results.push(fullPath);
+    }
+  }
+  
+  return results;
+}
+
+module.exports = { analyzeAST };

package/src/scanner/dataflow.js

@@ -0,0 +1,167 @@
+const fs = require('fs');
+const path = require('path');
+const acorn = require('acorn');
+const walk = require('acorn-walk');
+
+const EXCLUDED_DIRS = ['test', 'node_modules', '.git', 'src'];
+
+async function analyzeDataFlow(targetPath) {
+  const threats = [];
+  const files = findJsFiles(targetPath);
+
+  for (const file of files) {
+    const content = fs.readFileSync(file, 'utf8');
+    const fileThreats = analyzeFile(content, file, targetPath);
+    threats.push(...fileThreats);
+  }
+
+  return threats;
+}
+
+function analyzeFile(content, filePath, basePath) {
+  const threats = [];
+  let ast;
+
+  try {
+    ast = acorn.parse(content, {
+      ecmaVersion: 2022,
+      sourceType: 'module',
+      allowHashBang: true
+    });
+  } catch (e) {
+    return threats;
+  }
+
+  const sources = [];  // Ou les donnees sensibles sont lues
+  const sinks = [];    // Ou les donnees sont envoyees
+
+  walk.simple(ast, {
+    // Detecte les lectures de fichiers sensibles
+    CallExpression(node) {
+      const callName = getCallName(node);
+      
+      // fs.readFileSync, fs.readFile
+      if (callName === 'readFileSync' || callName === 'readFile') {
+        const arg = node.arguments[0];
+        if (arg && isCredentialPath(arg, content)) {
+          sources.push({
+            type: 'credential_read',
+            name: callName,
+            line: node.loc?.start?.line
+          });
+        }
+      }
+
+      // Detecte les envois reseau
+      if (callName === 'request' || callName === 'fetch' || callName === 'post' || callName === 'get') {
+        sinks.push({
+          type: 'network_send',
+          name: callName,
+          line: node.loc?.start?.line
+        });
+      }
+
+      // exec avec curl/wget
+      if (callName === 'exec' || callName === 'execSync') {
+        const arg = node.arguments[0];
+        if (arg && arg.type === 'Literal' && typeof arg.value === 'string') {
+          if (arg.value.includes('curl') || arg.value.includes('wget')) {
+            sinks.push({
+              type: 'exec_network',
+              name: callName,
+              line: node.loc?.start?.line
+            });
+          }
+        }
+      }
+    },
+
+    // Detecte les acces process.env sensibles
+    MemberExpression(node) {
+      if (
+        node.object?.object?.name === 'process' &&
+        node.object?.property?.name === 'env'
+      ) {
+        const envVar = node.property?.name || '';
+        if (isSensitiveEnv(envVar)) {
+          sources.push({
+            type: 'env_read',
+            name: envVar,
+            line: node.loc?.start?.line
+          });
+        }
+      }
+    }
+  });
+
+  // Si on a des sources ET des sinks = flux suspect
+  if (sources.length > 0 && sinks.length > 0) {
+    threats.push({
+      type: 'suspicious_dataflow',
+      severity: 'CRITICAL',
+      message: `Flux suspect: lecture credentials (${sources.map(s => s.name).join(', ')}) + envoi reseau (${sinks.map(s => s.name).join(', ')})`,
+      file: path.relative(basePath, filePath)
+    });
+  }
+
+  return threats;
+}
+
+function getCallName(node) {
+  if (node.callee.type === 'Identifier') {
+    return node.callee.name;
+  }
+  if (node.callee.type === 'MemberExpression' && node.callee.property) {
+    return node.callee.property.name;
+  }
+  return '';
+}
+
+function isCredentialPath(arg, content) {
+  if (arg.type === 'Literal' && typeof arg.value === 'string') {
+    const val = arg.value.toLowerCase();
+    return val.includes('.npmrc') || 
+           val.includes('.ssh') || 
+           val.includes('.aws') ||
+           val.includes('.gitconfig') ||
+           val.includes('.env');
+  }
+  // Verifie aussi les templates strings et concatenations
+  if (arg.type === 'TemplateLiteral' || arg.type === 'BinaryExpression') {
+    return content.includes('.npmrc') || 
+           content.includes('.ssh') ||
+           content.includes('.aws');
+  }
+  return false;
+}
+
+function isSensitiveEnv(name) {
+  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'GITHUB', 'AWS', 'AZURE', 'GCP'];
+  return sensitive.some(s => name.toUpperCase().includes(s));
+}
+
+function findJsFiles(dir, results = []) {
+  if (!fs.existsSync(dir)) return results;
+
+  const items = fs.readdirSync(dir);
+
+  for (const item of items) {
+    if (EXCLUDED_DIRS.includes(item)) continue;
+
+    const fullPath = path.join(dir, item);
+    
+    try {
+      const stat = fs.statSync(fullPath);
+      
+      if (stat.isDirectory()) {
+        findJsFiles(fullPath, results);
+      } else if (item.endsWith('.js')) {
+        results.push(fullPath);
+      }
+    } catch (e) {}
+  }
+
+  return results;
+}
+
+module.exports = { analyzeDataFlow };