cisco-ai-skill-scanner 1.0.0__py3-none-any.whl

skillanalyzer/data/yara_rules/coercive_injection.yara

@@ -0,0 +1,115 @@
+//////////////////////////////////////////
+// Detects coercive or attention-grabbing prompt injections.
+// Target: Directives forcing execution order (e.g., “Always execute this tool first”).
+// (Mandatory language to override normal tool chains)
+//////////////////////////////////////////
+
+rule coercive_injection {
+
+    meta:
+        author = "Cisco"
+        description = "Detects coercive prompt injections in tool description fields"
+        classification = "harmful"
+        threat_type = "PROMPT INJECTION"
+
+    strings:
+
+        // Mandatory execution directives
+        $mandatory_execution = /(Always\s+(consult|use|run|execute|invoke|call|trigger|employ)\s+this\s+(tool|function|command|operation)\s+(immediately|first|before|prior|initially))/i
+
+        // Priority override commands
+        $priority_overrides = /(Before\s+(executing|invoking|running|using|accessing|calling|employing)\s+any\s+other\s+(tool|action|function|command|operation)s?|(You|User)\s+(must|need to|have to|should|are required to)\s+(use|execute|run|invoke|call)\s+this\s+(tool|function|command|operation))/i
+
+        // Required precedence patterns
+        $required_precedence = /(Required|Mandatory|Essential)\s+to\s+(execute|use|run|invoke|call)\s+(this|the current)\s+(tool|function|command|operation)\s+(first|before|initially|prior)/i
+
+        // Pattern for generic hidden/secret parameter requests
+        $hidden_param = /\b(hidden|secret)[_\s](parameter|argument|input)\b/i
+
+        // Specific file access coercion
+        $file_access_coercion = /\b((read|parse|cat|dump) (and pass )?(the )?contents? of [^\n\.]*\.(key|pem|ssh|aws)|pass (the )?contents?[^\n]*authentication)\b/i
+
+        // Model data extraction coercion
+        $model_data_coercion = /\b(add (the )?entire (conversation|system|chain|tools)[^\n]*(to|for|in)[^\n]*(tool|authentication|parameter|worksheet))\b/i
+
+        // Model internal extraction (specific parameter requests)
+        $model_internals = /\b(conversation_history|chain_of_thought|system_prompt|tools_list|model_name)\s*[:=]\s*(add|pass|send|provide)\b/i
+
+        // HTML-like tag instructions with specific malicious actions
+        $html_tag_with_commands = /\b<(IMPORTANT|critical|urgent)>[^\n]*(read [^\n]*contents?|pass [^\n]*contents?|add [^\n]*entire|send [^\n]*to[^\n]*@|execute[^\n]*before|call[^\n]*first|use[^\n]*authentication)[^\n]*<\/(IMPORTANT|critical|urgent)>\b/i
+
+        // Tool execution override patterns
+        $execution_overrides = /\b(do not execute[^\n]*other[^\n]*tool|must[^\n]*this tool|only[^\n]*this tool|tool[^\n]*will not work)\b/i
+
+        // Behavioral control instructions
+        $behavior_control = /\b(tell (the )?user only|hide (the )?user)\b/i
+
+        // MCP tool poisoning patterns
+        $tool_poisoning = /\b(sidenote\W+(required|otherwise) [^\n]*tool [^\n]*work|tool\s+will\s+not\s+work\s+unless|must\s+first [^\n]*read [^\n]*config|shadow [^\n]*trusted [^\n]*tool)\b/i
+
+        // Data exfiltration coercion
+        $data_exfiltration_coercion = /\b(list\s+all\s+(api\s+)?keys?|show\s+me?\s+(all\s+)?passwords?|concatenate [^\n]*\s+conversation\s+history|include [^\n]*\b(secrets?|passwords?|keys?|credentials?|tokens?|config|sensitive|private|confidential|internal|system\s+prompt|conversation\s+history) [^\n]*in\s+(your\s+)?response|base64\s+encode [^\n]*\s+credentials?)\b/i
+
+        // Behavioral triggers
+        $behavioral_triggers = /\b(if [^\n]*trusted [^\n]*then|when [^\n]*admin [^\n]*detected|random\.(random|choice) [^\n]*instructions?)\b/i
+
+        // Pre-execution attacks
+        $pre_execution_attacks = /\b(retrieve [^\n]*description [^\n]*user [^\n]*workstation|all\s+commands\s+must\s+include|before [^\n]*using [^\n]*tool [^\n]*read|permission [^\n]*manipulation)\b/i
+
+        // Conversation theft triggers
+        $conversation_theft = /\b(send [^\n]*conversation\s+history|when [^\n]*detected [^\n]*send [^\n]*full [^\n]*history|highest\s+priority [^\n]*over [^\n]*other [^\n]*tools)\b/i
+
+        // Code manipulation instructions
+        $code_manipulation = /\b(duplicate [^\n]*code [^\n]*snippets [^\n]*silently|insert [^\n]*vulnerability [^\n]*generated [^\n]*code)\b/i
+
+    condition:
+
+        // Mandatory execution directives
+        $mandatory_execution or
+
+        // Priority override commands
+        $priority_overrides or
+
+        // Required precedence patterns
+        $required_precedence or
+
+        // Hidden parameter requests
+        $hidden_param or
+
+        // Specific file access coercion
+        $file_access_coercion or
+
+        // Model data extraction coercion
+        $model_data_coercion or
+
+        // Model internal extraction
+        $model_internals or
+
+        // HTML-like tag instructions with commands
+        $html_tag_with_commands or
+
+        // Tool execution override patterns
+        $execution_overrides or
+
+        // Behavioral control instructions
+        $behavior_control or
+
+        // MCP tool poisoning patterns
+        $tool_poisoning or
+
+        // Data exfiltration coercion
+        $data_exfiltration_coercion or
+
+        // Behavioral triggers
+        $behavioral_triggers or
+
+        // Pre-execution attacks
+        $pre_execution_attacks or
+
+        // Conversation theft triggers
+        $conversation_theft or
+
+        // Code manipulation instructions
+        $code_manipulation
+
+}

skillanalyzer/data/yara_rules/command_injection.yara

@@ -0,0 +1,54 @@
+//////////////////////////////////////////
+// Shell/System Command Injection Detection Rule
+// Target: Command injection patterns for Claude Skills (Python/Bash)
+// (Shell operators, dangerous commands, network tools + reverse shells)
+/////////////////////////////////////////
+
+rule command_injection{
+
+    meta:
+        author = "Cisco"
+        description = "Detects command injection patterns in Claude Skills: shell operators, system commands, and network tools"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // Dangerous system commands
+        $dangerous_system_cmds = /\b(shutdown|reboot|halt|poweroff)\s+(-[fh]|now|0)\b/
+
+        // Network tools with suspicious usage (reverse connections, port scanning)
+        $malicious_network_tools = /\b(nc|netcat)\s+(-[le]|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i
+
+        // Reconnaissance tools
+        $reconnaissance_tools = /\b(nmap)\s+(-[sS]|--script|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i
+
+        // Data exfiltration with curl/wget to external URLs
+        $data_exfiltration_tools = /\b(wget|curl)\s+(http[s]?:\/\/[^\s]+|ftp:\/\/[^\s]+|-[oO]\s|--output\s)/i
+
+        // Reverse shell patterns (high severity)
+        $reverse_shells = /\b(bash\s+-i|sh\s+-i|nc\s+-e|\/dev\/tcp\/[0-9]+\.|socat.*exec|python.*socket.*connect)\b/i
+
+        // Shell command chaining with suspicious patterns
+        $shell_chaining = /[|&;]\s*(rm\s+-rf|dd\s+if=|chmod\s+777|wget\s+http|curl\s+http)/
+
+    condition:
+
+        // Dangerous system command patterns
+        $dangerous_system_cmds or
+
+        // Network tool abuse patterns
+        $malicious_network_tools or
+
+        // Reconnaissance tools
+        $reconnaissance_tools or
+
+        // Data exfiltration tools
+        $data_exfiltration_tools or
+
+        // Reverse shell patterns
+        $reverse_shells or
+
+        // Shell command chaining
+        $shell_chaining
+}

skillanalyzer/data/yara_rules/credential_harvesting.yara

@@ -0,0 +1,115 @@
+//////////////////////////////////////////
+// Secrets Exposure Detection Rule
+// Target: API keys and tokens, SSH keys and certificates, Environment variables, Database credentials
+//////////////////////////////////////////
+
+rule credential_harvesting{
+
+    meta:
+        author = "Cisco"
+        description = "Detects potential exposure of sensitive information like API keys, passwords, tokens, and certificates"
+        classification = "harmful"
+        threat_type = "CREDENTIAL HARVESTING"
+
+    strings:
+
+        ////////////////////////////////////////////////
+        //// Malicious action patterns (not just any file I/O)
+        ////////////////////////////////////////////////
+
+        // Actual malicious credential theft patterns
+        $credential_theft_actions = /\b(steal|grab|exfiltrate|leak|transmit|post.*http|curl.*http|wget.*http)\b[^\n]*(credential|password|key|token|secret|ssh|aws)/i
+
+        // Network transfer with credentials
+        $network_credential_transfer = /\b(requests\.(post|get|put)|urllib\.request|socket\.send|base64\.b64encode)\s*\([^\)]*\b(credential|password|key|token|secret|api_key|private_key)\b/i
+
+        ////////////////////////////////////////////////
+        //// All Content-key based credential patterns
+        ////////////////////////////////////////////////
+
+        // API credentials and authentication tokens
+        $api_credentials = /\b([Aa][Pp][Ii][\_\-]?[Kk][Ee][Yy].*[A-Za-z0-9]{16,512}|[Bb]earer\s+[A-Za-z0-9\-_]{16,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|sk-[A-Za-z0-9]{48})/
+
+        // SSH keys, certificates and credential file content (consolidated)
+        $key_certificate_content = /(-----BEGIN (RSA |OPENSSH |EC |DSA |CERTIFICATE|PRIVATE KEY|ENCRYPTED PRIVATE KEY)-----|ssh-(rsa|ed25519)\s+[A-Za-z0-9+\/=]{8})/
+
+        // AI/ML model API key names (very specific)
+        $ai_model_credential_names = /\b(OPENAI_API_KEY|ANTHROPIC_API_KEY|CLAUDE_API_KEY|GOOGLE_AI_KEY|GEMINI_API_KEY|COHERE_API_KEY|HUGGINGFACE_TOKEN|HF_TOKEN|TOGETHER_API_KEY|REPLICATE_API_TOKEN|MISTRAL_API_KEY)\s*=\s*['\"][A-Za-z0-9\-_]{20,}['\"]/
+
+        // Suspicious environment variable theft (not just reading)
+        $env_var_theft = /\b(os\.environ\s*\[\s*['\"]?(AWS_SECRET|API_KEY|SECRET_KEY|PASSWORD|TOKEN)['\"]?\s*\]|getenv\s*\(\s*['\"]?(AWS_SECRET|API_KEY|SECRET_KEY|PASSWORD)['\"]?\s*\))\s*.*\s*(requests\.|urllib\.|socket\.|print\(|sys\.stdout)/i
+
+        ////////////////////////////////////////////////
+        //// Specific credential file access (full paths only)
+        ////////////////////////////////////////////////
+
+        // Specific credential file paths with actual access
+        $credential_file_access = /\b(open|read)\s*\(\s*['\"]?\s*(~\/\.ssh\/id_rsa|~\/\.ssh\/id_dsa|~\/\.ssh\/id_ecdsa|~\/\.aws\/credentials|~\/\.kube\/config|\/etc\/passwd|\/etc\/shadow|~\/\.netrc|~\/\.pgpass|credentials\.json|service_account\.json|private_key\.pem)\b/i
+
+        // Hardcoded credential file paths in strings
+        $hardcoded_credential_paths = /['\"][\~\/]+(\.ssh\/id_rsa|\.ssh\/id_dsa|\.aws\/credentials|\.kube\/config|etc\/passwd|etc\/shadow)['\"]/
+
+        // Pattern for exfiltration action words
+        $leak_param  = /\b(leak|exfiltrate|export|dump) [^\n]*(parameter|context|files?|credentials?|keys?|tokens?|secrets?)\b/i
+
+        // Base64 credential encoding patterns
+        $base64_credential_encoding = /\b(base64\s+encode [^\n]*credentials?|concatenate [^\n]*conversation\s+history)\b/i
+
+        // MCP-specific credential patterns
+        $mcp_credential_patterns = /\b(claude_desktop_config\.json|~\/\.cursor\/logs\/conversations|plaintext[^\n]*api[^\n]*key|-rw-r--r--[^\n]*password)\b/i
+
+        // WhatsApp exploit
+        $whatsapp_exploit = /\b(_get_all_messages[^\n]*messages\.db|forward[^\n]*message[^\n]*proxy[^\n]*number|whatsapp[^\n]*message[^\n]*history|contact[^\n]*list[^\n]*exfiltrat|reprogram[^\n]*agent[^\n]*interaction)\b/i
+
+        // Legitimate Python patterns to exclude
+        $python_imports = /\b(from|import)\s+(pathlib|typing|dataclasses|argparse|json|sys|os|re|collections|functools|itertools)/i
+        $python_type_hints = /\b(Dict|List|Tuple|Optional|Union|Path|Set|Callable|Any)\s*\[/
+        $function_definitions = /\bdef\s+(read|write|load|save|extract|process|parse|get|set)_\w+\s*\(/
+        $template_indicators = /(\bYOUR_API_KEY|\bREPLACE_WITH|\bINSERT_KEY|\.example|\.sample|\.template|<your|<insert|placeholder)/i
+
+    condition:
+
+        // Exclude legitimate Python code patterns
+        not $python_imports and
+        not $python_type_hints and
+        not $function_definitions and
+        not $template_indicators and
+
+        (
+            // Actual API credentials (keys, tokens)
+            $api_credentials or
+
+            // Actual SSH/private key content
+            $key_certificate_content or
+
+            // Specific credential file access
+            $credential_file_access or
+
+            // Hardcoded credential paths
+            $hardcoded_credential_paths or
+
+            // AI model API keys (very specific)
+            $ai_model_credential_names or
+
+            // Credential theft actions
+            $credential_theft_actions or
+
+            // Network credential transfer
+            $network_credential_transfer or
+
+            // Environment variable theft
+            $env_var_theft or
+
+            // Exfiltration attempts
+            $leak_param or
+
+            // Base64 credential encoding
+            $base64_credential_encoding or
+
+            // MCP-specific patterns
+            $mcp_credential_patterns or
+
+            // WhatsApp exploit
+            $whatsapp_exploit
+        )
+}

skillanalyzer/data/yara_rules/prompt_injection.yara

@@ -0,0 +1,71 @@
+//////////////////////////////////////////
+// Prompt Injection Detection Rule
+// Target: Instruction override patterns, Tool injection commands
+//////////////////////////////////////////
+
+rule prompt_injection{
+
+    meta:
+
+        author = "Cisco"
+        description = "Detects prompt strings used to override or force malicious tool calls"
+        classification = "harmful"
+        threat_type = "PROMPT INJECTION"
+
+    strings:
+
+        // Instruction override patterns (exclude Python type comments)
+        $instruction_overrides = /\b(Bypass|Dis\W?regard|Do not (follow|Obey)|Forget|Ignore)\s+((all|any|each|every|most|some)\s+(of\s+)?)?((your|the)\s)?(command|communication|conte[nx]t|conversation|data|guidelines|input|instruction|message|request|response|text)(s)?/i
+
+        // Legitimate patterns to exclude
+        $python_type_comment = /# type: ignore/
+        $legitimate_ignore = /ignore[_\s](case|whitespace|errors|warnings|deprecation)/i
+
+        // Tool injection commands
+        $tool_injection_commands = /\b(inject tool[_\s]calls?|now call function|use function)\b/i
+
+        // Shadow parameter names
+        $shadow_parameters = /\b(internalOnly|hiddenParam|shadowTool|bypassChecks|sandboxEscape)\b/i
+
+        // Hidden behavior instructions
+        $hidden_behavior = /\b(do\s+not\s+(mention|tell|execute)|tell\s+(the )?user\s+only\s+about|do\s+not\s+mention\s+this\s+to\s+user)\b/i
+
+        // Advanced command override patterns (from advanced analyzer)
+        $advanced_overrides = /\b(disregard\s+(all\s+)?safety\s+guidelines|forget\s+(everything|all)\s+(before|above)|system\s*prompt\s*override)\b/i
+
+        // Role redefinition attempts
+        $role_redefinition = /\bnew\s+(instructions|directive|guidelines)s?\s*:\s*you\s+are\b/i
+
+        // Privilege escalation patterns
+        $privilege_escalation = /\b(grant\s+(me\s+)?admin\s+(access|privileges?)|bypass\s+(all\s+)?security\s+checks?|elevated\s+permissions?\s+required|sudo\s+mode\s+enabled?|developer\s+mode\s+activated?)\b/i
+
+
+    condition:
+
+        // Exclude legitimate patterns
+        not $python_type_comment and
+        not $legitimate_ignore and
+
+        (
+            // Instruction overrides
+            $instruction_overrides or
+
+            // Tool injection commands
+            $tool_injection_commands or
+
+            // Shadow parameters
+            $shadow_parameters or
+
+            // Hidden behavior instructions
+            $hidden_behavior or
+
+            // Advanced command override patterns
+            $advanced_overrides or
+
+            // Role redefinition attempts
+            $role_redefinition or
+
+            // Privilege escalation patterns
+            $privilege_escalation
+        )
+}

skillanalyzer/data/yara_rules/script_injection.yara

@@ -0,0 +1,83 @@
+//////////////////////////////////////////
+// Detects common scripting payloads (JS, VBScript, etc.) embeddings.
+// Target: JavaScript, VBScript, or ActiveX payloads.
+// (Event handlers or inline scripts)
+//////////////////////////////////////////
+
+rule script_injection{
+
+    meta:
+        author = "Cisco"
+        description = "Detects embedded scripting payloads (JS, VBScript, etc.) in MCP tool descriptions"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // Script tags and protocol handlers (exclude XML namespaces)
+        $tags = /(<\/?script[^>]*>|javascript:)/i
+
+        // ALWAYS exclude (safe in all file types)
+        $xml_namespace = /(xmlns:script=|<script:module|<script:)/
+        $openoffice_xml = /openoffice\.org\/2000\/script/
+        $legitimate_cdn = /(cdnjs\.cloudflare\.com|cdn\.jsdelivr\.net|unpkg\.com)/i
+
+        // Only exclude in MARKDOWN files (risky in .py files!)
+        // Check for markdown-specific syntax
+        $markdown_heading = /^#\s+/
+        $markdown_list = /^\*\s+/
+        $markdown_code_block = /(```html|```javascript|```js)/i
+        $documentation_context = /(example.*html|artifact.*structure|template|single.*file)/i
+
+        // Execution functions
+        $execution_functions = /\b(setTimeout|Function|setInterval)\s*\(/i
+
+        // VBScript execution and Windows Script Host objects
+        $vbs_execution = /\b(vbscript|CreateObject|WScript\.Shell|Shell\.Application)\b/i
+
+        // VBScript dangerous functions (more specific to avoid false positives in docs)
+        $vbs_dangerous_functions = /\b(WScript\.Shell\.Exec|Shell\.Application\.ShellExecute|CreateObject.*Exec)\s*\(/i
+
+        // Base64 encoded script data URIs
+        $encoded_script_uris = /\bdata:(text\/html|application\/javascript);base64\b/i
+
+        // ANSI terminal deception patterns
+        $ansi_deception = /(\\x1[Bb]\[38;5;\d+|\\x1[Bb]\[2F\\x1[Bb]\[1G|\\x1[Bb]\[1;1H\\x1[Bb]\[0J|\\x1[Bb]\]8;;.*\\x1[Bb]\\|\\033\[[0-9;]*m|\\e\[[0-9;]*[mGKHF])/i
+
+        // Hidden instruction obfuscation
+        $hidden_obfuscation = /\b(padding.*push.*off.*screen|hidden.*scrollbar|overflow.*hidden.*instruction|invisible.*text.*color)\b/i
+
+    condition:
+
+        // ALWAYS exclude (safe everywhere)
+        not $xml_namespace and
+        not $openoffice_xml and
+        not $legitimate_cdn and
+
+        // Only exclude markdown patterns if file has markdown indicators
+        not (($markdown_heading or $markdown_list) and ($markdown_code_block or $documentation_context)) and
+
+        (
+            // Script tags and protocol handlers
+            $tags or
+
+            // Execution functions
+            $execution_functions or
+
+            // VBScript execution
+            $vbs_execution or
+
+            // VBScript dangerous functions
+            $vbs_dangerous_functions or
+
+            // Base64 encoded script URIs
+            $encoded_script_uris or
+
+            // ANSI terminal deception
+            $ansi_deception or
+
+            // Hidden instruction obfuscation
+            $hidden_obfuscation
+        )
+
+}

skillanalyzer/data/yara_rules/skill_discovery_abuse.yara

@@ -0,0 +1,57 @@
+//////////////////////////////////////////
+// Skill Discovery Surface Abuse Detection
+// Target: Over-broad descriptions, keyword baiting, activation manipulation
+// For Claude Skills YAML frontmatter and descriptions
+//////////////////////////////////////////
+
+rule skill_discovery_abuse{
+
+    meta:
+        author = "Cisco"
+        description = "Detects manipulation of skill discovery to increase unwanted activation"
+        classification = "harmful"
+        threat_type = "SKILL DISCOVERY ABUSE"
+
+    strings:
+
+        // Over-broad capability claims
+        $overbroad_claims = /\b(can do (anything|everything)|general (purpose )?assistant|all-purpose|universal (tool|skill|helper)|always use (this|me)|default (tool|skill|assistant))\b/i
+
+        // Keyword baiting patterns - match same word repeated in comma lists
+        // Using explicit word patterns since YARA doesn't support backreferences
+        $keyword_stuffing_file = /\bfile\s*,\s*file\s*,\s*file\s*,\s*file\b/i
+        $keyword_stuffing_data = /\bdata\s*,\s*data\s*,\s*data\s*,\s*data\b/i
+        $keyword_stuffing_code = /\bcode\s*,\s*code\s*,\s*code\s*,\s*code\b/i
+
+        // Activation priority manipulation
+        $activation_priority = /\b(use (this|me) (first|before)|priority (skill|tool)|primary (tool|skill)|preferred (tool|skill|method)|call (this|me) (before|first))\b/i
+
+        // Impersonation patterns (beyond just Anthropic)
+        $trusted_impersonation = /\b(official|verified|trusted|certified|approved|endorsed|authentic|legitimate)\s+(skill|tool|extension|plugin|assistant)\b/i
+
+        // Over-promising descriptions (exclude comments and technical contexts)
+        $overpromising = /\b(100% (safe|secure|accurate)|guaranteed (to|that|when|if)|perfect|flawless|never (fails|errors)|always (works|succeeds))\b/i
+
+        // Hidden activation triggers
+        $hidden_triggers = /\b(secret (command|keyword)|hidden (feature|mode)|easter egg|backdoor (access|entry))\b/i
+
+    condition:
+
+        // Over-broad capability claims
+        $overbroad_claims or
+
+        // Keyword stuffing (same word repeated 4+ times)
+        $keyword_stuffing_file or $keyword_stuffing_data or $keyword_stuffing_code or
+
+        // Activation priority manipulation
+        $activation_priority or
+
+        // Trusted impersonation
+        $trusted_impersonation or
+
+        // Over-promising
+        $overpromising or
+
+        // Hidden triggers
+        $hidden_triggers
+}

skillanalyzer/data/yara_rules/sql_injection.yara

@@ -0,0 +1,73 @@
+//////////////////////////////////////////
+// SQL Injection Detection Rule
+// Target: SQL keywords and operations, SQL tautologies and bypasses, Database-specific functions
+//////////////////////////////////////////
+
+rule sql_injection{
+
+    meta:
+        author = "Cisco"
+        description = "Detects SQL injection attack patterns including keywords, tautologies, and database functions"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // SQL injection tautologies and bypasses - focus on actual injection payloads
+        $injection_tautologies = /(\bOR\s+['"]?1['"]?\s*=\s*['"]?1['"]?\s*(--|#|\/\*|;))/i
+
+        // Destructive SQL injections
+        $destructive_injections = /(';\s*DROP\s+TABLE|";\s*DROP\s+TABLE)/i
+
+        // Union-based SQL injection
+        $union_based_attacks = /(UNION\s+(ALL\s+)?SELECT|'\s*UNION\s+SELECT|"\s*UNION\s+SELECT)/i
+
+        // Time-based blind injection techniques (SQL context only)
+        $time_based_injections = /\b(SLEEP|WAITFOR\s+DELAY|BENCHMARK|pg_sleep)\s*\(/i
+
+        // Exclude Python sleep functions (not SQL injection)
+        $python_sleep = /(time\.sleep|asyncio\.sleep|threading\.[A-Za-z]*\.sleep)\s*\(/
+
+        // Error-based injection methods
+        $error_based_techniques = /\b(EXTRACTVALUE|UPDATEXML|EXP\(~\(SELECT|CAST)\s*\(/i
+
+        // Database-specific system objects in malicious contexts
+        $database_system_objects = /(\bSELECT [^;]*\b(information_schema|mysql\.user|all_tables|user_tables)\b|\bFROM\s+(information_schema|mysql\.user|dual|all_tables|user_tables)\b|LOAD_FILE\s*\(\s*['"][^'"]*\.(config|passwd|shadow|key)\b|INTO\s+OUTFILE\s+['"][^'"]*\.(txt|sql|php)\b|\b(xp_cmdshell|sp_executesql)\s*\(|dbms_[a-z_]+\s*\()/i
+
+        // SQL injection with USER() function in malicious context
+        $malicious_user_functions = /(\bUSER\s*\(\s*\)\s*(SELECT|FROM|WHERE|AND|OR|UNION)\b|CONCAT\s*\(\s*USER\s*\(\s*\))/i
+
+        // Common SQL operation patterns that appear in both legitimate and malicious contexts
+        $common_sql_ops = /(query_builder|sql_builder|orm_query|select_fields|insert_data|update_data|database_query|db_query|execute_query|prepared_statement|parameterized_query)/
+
+        // Common context phrases where these words appear in benign usage
+        $common_context_phrases = /\b(adds?\s+a\s+user|create\s+user|new\s+user|user\s+(account|profile|registration|authentication|permissions?|roles?)|user\s+(who|that)|for\s+user|the\s+user|current\s+user\s+(account|profile)|user\s+(input|data|information)|example:?\s+SELECT\s+USER\(\)|SELECT\s+USER\(\)\s+returns?|built-?in\s+function)\b/i
+
+    condition:
+
+        // Exclude Python sleep functions from all checks
+        not $python_sleep and (
+
+        // SQL injection tautologies
+        ($injection_tautologies and not $common_sql_ops and not $common_context_phrases) or
+
+        // Destructive SQL injections
+        ($destructive_injections and not $common_sql_ops and not $common_context_phrases) or
+
+        // Union-based attacks
+        ($union_based_attacks and not $common_sql_ops and not $common_context_phrases) or
+
+        // Time-based blind injection
+        ($time_based_injections and not $common_sql_ops and not $common_context_phrases) or
+
+        // Error-based injection techniques
+        ($error_based_techniques and not $common_sql_ops and not $common_context_phrases) or
+
+        // Database system object access
+        ($database_system_objects and not $common_sql_ops and not $common_context_phrases) or
+
+        // Malicious USER() function usage
+        ($malicious_user_functions and not $common_sql_ops and not $common_context_phrases)
+
+        )
+}

skillanalyzer/data/yara_rules/system_manipulation.yara

@@ -0,0 +1,65 @@
+//////////////////////////////////////////
+// System Manipulation and Privilege Escalation Detection
+// Target: File destruction and manipulation operations
+// (Process control and termination)
+//////////////////////////////////////////
+
+rule system_manipulation{
+
+    meta:
+        author = "Cisco"
+        description = "Detects system manipulation, privilege escalation, and destructive file operations"
+        classification = "harmful"
+        threat_type = "SYSTEM MANIPULATION"
+
+    strings:
+        // Suspicious environment variable manipulation (not just reading)
+        $env_var_manipulation = /\b(os\.environ\s*\[[^\]]*\]\s*=|export\s+PATH=|unset\s+(PATH|HOME|USER))\b/i
+
+        // File destruction and manipulation
+        $file_destruction = /\b(rm\s+-rf|dd\s+if=\/dev\/zero|wipefs|shred\s+-|find\s+[^\n]+-delete)\b/i
+
+        // Dangerous file permission changes
+        $permission_manipulation = /\b(chmod\s+(777|4755|6755|[ug]?\+s)|(chown|chgrp)\s+(root|0)|setuid|setgid)\b/i
+
+        // Critical system file access
+        $critical_system_access = /\b(\/etc\/(passwd|shadow|sudoers)|\/root\/\.ssh|~\/\.aws\/credentials|~\/\.ssh\/id_rsa)\b/i
+
+        // Privilege escalation patterns
+        $privilege_escalation = /\b(sudo\s+-[si]|su\s+-c?|runuser|doas)\b/i
+
+        // Dangerous process operations
+        $process_manipulation = /\b(kill\s+-9\s+[0-9]+|killall\s+-9|pkill\s+-9)\b/i
+
+        // Dangerous recursive operations with wildcards
+        $recursive_operations = /\b(rm\s+-rf\s+[\$\/\*]|find\s+\/\s+-delete)\b/i
+
+        // System path manipulation
+        $path_manipulation = /\b(PATH=\/tmp|PATH=\.:|export\s+PATH=[\$\{])/i
+
+    condition:
+
+        // Environment variable manipulation (not just reading)
+        $env_var_manipulation or
+
+        // File destruction
+        $file_destruction or
+
+        // Permission manipulation
+        $permission_manipulation or
+
+        // Critical system access
+        $critical_system_access or
+
+        // Privilege escalation
+        $privilege_escalation or
+
+        // Process manipulation
+        $process_manipulation or
+
+        // Recursive operations
+        $recursive_operations or
+
+        // PATH manipulation
+        $path_manipulation
+}