A malicious file detection engine written with Python and Yara.
- Free software: Apache-2.0
- Documentation: https://jeffallan.github.io/badfiles/
At some point most applications need to accept files from a third party. Since we do not have absolute control over these files, they can present a serious threat vector.
The aim of this project is to provide a flexible and expandable solution to triage these files so they can be handled accordingly.
Currently, this project focuses on detecting the following:
✔️ MIME type confusion.
🔲 Files with a root UID or GID (*NIX only).
🔲 Sticky, setuid, or setgid bit (*NIX only).
✔️ CSV injection.
🔲 Files with a root UID or GID (*NIX only).
🔲 Sticky, setuid, or setgid bit (*NIX only).
✔️ DDE injection.
✔️ Files with a root UID or GID (*NIX only).
✔️ Sticky, setuid, or setgid bit (*NIX only).
✔️ Symlink attacks.
✔️ Zip slips.
✔️ Nested zip bombs.
✔️ Flat zip bombs.
✔️ Sticky, setuid, or setgid bit (*NIX only).
✔️ Files with a root UID or GID (*NIX only).
✔️ Files with a root UID or GID (*NIX only).
✔️ Sticky, setuid, or setgid bit (*NIX only).
🔲 Files with absolute paths (*NIX only).
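To make the archive-related items in the list above concrete, here is an added example (not badfiles' own code, which drives its detections through Yara rules) showing how a triage pass can flag zip slips, symlink members, sticky/setuid/setgid bits, nested archives and flat zip bombs using only the archive's metadata, without extracting a single member. The thresholds `MAX_RATIO`, `MAX_UNCOMPRESSED` and `MAX_DEPTH`, the function names, and the sample archive built by `build_sample()` are all assumptions made for this illustration, not values or code from the project.

```python
"""Triage checks for a ZIP archive: zip slip, symlinks, special mode bits,
nested archives and compression-ratio bombs.

Added example, not badfiles' own code. The thresholds below are assumptions
chosen for illustration, not values the project uses.
"""
import io
import stat
import zipfile

MAX_RATIO = 100                      # assumed: uncompressed/compressed ratio treated as a bomb
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # assumed: total declared size we are willing to accept
MAX_DEPTH = 3                        # assumed: how many nested archive levels to descend
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty-archive EOCD
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
UNIX_CREATE_SYSTEM = 3


def unix_mode(info: zipfile.ZipInfo) -> int:
    """Return the Unix mode stored in the high 16 bits of external_attr.

    Only archives written on Unix (create_system == 3) carry a mode there; for
    anything else report 0 rather than misreading MS-DOS attribute bits.
    """
    if info.create_system != UNIX_CREATE_SYSTEM:
        return 0
    return (info.external_attr >> 16) & 0xFFFF


def is_unsafe_path(name: str) -> bool:
    """Zip slip: an absolute path or a '..' segment escapes the extraction root."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) >= 2 and norm[1] == ":"):
        return True
    return any(seg == ".." for seg in norm.split("/"))


def triage_zip(data: bytes, depth: int = MAX_DEPTH) -> dict:
    """Inspect every member from the central directory and collect findings per category."""
    findings = {k: [] for k in ("zip_slip", "symlink", "special_bits", "nested_zip", "zip_bomb")}
    total_c = total_u = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = unix_mode(info)
            total_c += info.compress_size
            total_u += info.file_size
            if is_unsafe_path(info.filename):
                findings["zip_slip"].append(info.filename)
            if stat.S_ISLNK(mode):
                findings["symlink"].append(info.filename)
            if mode & SPECIAL_BITS:
                findings["special_bits"].append(info.filename)
            # Nested archives are recognised by magic bytes, not by file extension.
            if info.file_size >= 4 and not info.is_dir():
                with zf.open(info) as member:
                    head = member.read(4)
                if head in ZIP_MAGICS:
                    findings["nested_zip"].append(info.filename)
                    # Recurse a bounded number of levels, and only into members whose
                    # declared size fits the budget (zipfile checks the real size on read).
                    if depth > 0 and info.file_size <= MAX_UNCOMPRESSED:
                        inner = triage_zip(zf.read(info), depth - 1)
                        for key, hits in inner.items():
                            findings[key].extend(f"{info.filename}/{h}" for h in hits)
    if total_u > MAX_UNCOMPRESSED or (total_c and total_u / total_c > MAX_RATIO):
        findings["zip_bomb"].append(f"{total_u} bytes declared from {total_c} compressed")
    return findings


def build_sample() -> bytes:
    """Constructed sample archive (fabricated for this example) exercising each check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"benign content")
        zf.writestr("../../etc/cron.d/job", b"* * * * * root /tmp/x")     # zip slip
        link = zipfile.ZipInfo("passwd_link")
        link.create_system = UNIX_CREATE_SYSTEM
        link.external_attr = (stat.S_IFLNK | 0o777) << 16                  # symlink member ...
        zf.writestr(link, b"/etc/passwd")                                   # ... whose body is the target
        suid = zipfile.ZipInfo("bin/helper")
        suid.create_system = UNIX_CREATE_SYSTEM
        suid.external_attr = (stat.S_IFREG | stat.S_ISUID | 0o755) << 16   # setuid file
        zf.writestr(suid, b"#!/bin/sh\nid\n")
        zf.writestr("inner.zip", b"PK\x05\x06" + b"\x00" * 18)              # nested (empty) archive
        zf.writestr("zeros.bin", b"\x00" * (2 * 1024 * 1024))              # compresses ~1000:1
    return buf.getvalue()


if __name__ == "__main__":
    for category, hits in triage_zip(build_sample()).items():
        print(f"{category:13s} {hits}")
```

Everything here comes from the central directory plus the first four bytes of each member, so a hostile archive never has to be unpacked to disk to be classified; the one point where untrusted bytes are decompressed in full (recursing into a nested archive) is gated by both a depth limit and the declared size budget.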
Please file an issue or a pull request, especially if you have found or created malicious files that bypass these detection mechanisms. Please see the contributing guidelines for more details.
This package was created with this Cookiecutter template.
This project uses zip-bomb to create the nested and flat zip bombs for unit testing and detection rules.
This project uses a custom Yara rule from Reversing Labs to detect obfuscated CSV injection payloads.