
A malicious file detection engine written with Python and Yara.

Project description

badfiles


Introduction

At some point most applications need to accept files from a third party. Since we do not have absolute control over these files, they can present a serious threat vector.

The aim of this project is to provide a flexible and expandable solution to triage these files so they can be handled accordingly.

Features

Currently, this project focuses on detecting the following:

Generally Suspicious Files:

:heavy_check_mark: MIME type confusion.

:black_square_button: Files with a root UID or GID (*NIX only).

:black_square_button: Sticky, setuid, or setgid bit (*NIX only).
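MIME type confusion means the file's content does not match what its name or the upload's declared Content-Type claims (a PE executable named `photo.png`, for instance). The check below is an added example and not badfiles' own code: it sniffs a few well-known magic-byte prefixes and compares the result against the extension and the declared type. The magic table and sample byte strings are constructed for the demo; a production engine would use libmagic or a much fuller signature list.

```python
import os
from typing import Optional

# Constructed magic-byte table for a handful of common types (assumption: enough
# for the demo; a production engine would use libmagic or a fuller signature list).
MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"PK\x03\x04": "application/zip",          # also docx/xlsx/jar containers
    b"MZ": "application/vnd.microsoft.portable-executable",
}

# What each extension claims the content to be.
EXTENSION_MIME = {
    ".pdf": "application/pdf", ".png": "image/png", ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg", ".gif": "image/gif", ".zip": "application/zip",
    ".exe": "application/vnd.microsoft.portable-executable",
}


def sniff_mime(head: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC.items():
        if head.startswith(magic):
            return mime
    return None


def check_mime_confusion(filename: str, head: bytes, declared: Optional[str] = None) -> dict:
    """Compare the content-sniffed type against the extension and the client-declared type.

    Only the sniffed type is trusted; the extension and the declared Content-Type
    are both attacker-controlled, so any disagreement with the content is a finding.
    """
    claimed = EXTENSION_MIME.get(os.path.splitext(filename)[1].lower())
    actual = sniff_mime(head)
    reasons = []
    if actual and claimed and actual != claimed:
        reasons.append(f"extension says {claimed}, content is {actual}")
    if actual and declared and declared != actual:
        reasons.append(f"declared {declared}, content is {actual}")
    return {"filename": filename, "sniffed": actual,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: only the first few bytes matter for sniffing.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%...", "application/pdf"),                 # consistent
    ("photo.png", b"MZ\x90\x00\x03\x00\x00\x00", "image/png"),            # PE header behind a .png name
    ("archive.zip", b"PK\x03\x04\x14\x00", "application/octet-stream"),  # declared type disagrees
]


def triage_samples() -> list:
    return [check_mime_confusion(name, head, declared) for name, head, declared in SAMPLES]


if __name__ == "__main__":
    for result in triage_samples():
        print(result)
```

The sniffed type is the only signal derived from the bytes themselves, so the verdict is driven by it; an unrecognised prefix yields no finding here, which is a deliberate choice to avoid false positives on formats outside the table.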

CSV Files

:heavy_check_mark: CSV Injection.

:black_square_button: Files with a root UID or GID (*NIX only).

:black_square_button: Sticky, setuid, or setgid bit (*NIX only).
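CSV injection works because spreadsheet applications interpret a cell whose first character is `=`, `+`, `-`, `@`, tab or carriage return as a formula rather than text. The following is an added example, not badfiles' code or its Yara rule: a plain-Python detector that walks a CSV and flags such cells, treating ordinary signed numbers (`-12.50`) as legitimate so that negative balances are not reported, plus the standard neutralisation of prefixing a single quote. The sample CSV is constructed for the demo.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate the cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers (optionally with exponent) start with + or - but are harmless.
NUMERIC = re.compile(r"^[+-]?\d+(\.\d+)?([eE][+-]?\d+)?$")


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    stripped = cell.lstrip(" ")            # leading spaces are ignored by importers
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return NUMERIC.match(stripped) is None  # signed numbers are not formulas


def find_csv_injection(text: str) -> list:
    """Return (row, column, cell) for every formula-like cell in the CSV text."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                hits.append((row_no, col_no, cell))
    return hits


def neutralize(cell: str) -> str:
    """Defensive rewrite: a leading single quote forces the cell to be read as text."""
    return "'" + cell if is_formula_cell(cell) else cell


# Constructed sample export: rows 3-5 carry formula-like cells, row 2 is benign.
SAMPLE_CSV = (
    "name,balance,note\n"
    "alice,-12.50,plain text\n"
    'bob,20,"=HYPERLINK(""http://example.invalid"",""click"")"\n'
    "carol,-5,+1+1\n"
    "dave,0,@SUM(A1:A2)\n"
)


if __name__ == "__main__":
    for row, col, cell in find_csv_injection(SAMPLE_CSV):
        print(f"row {row} col {col}: {cell!r} -> {neutralize(cell)!r}")
```

This catches only the unobfuscated form; the page notes that the project relies on a Reversing Labs Yara rule for obfuscated payloads, which a first-character check like this does not cover.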

Office Documents

:heavy_check_mark: DDE injection.

:heavy_check_mark: Files with a root UID or GID (*NIX only).

:heavy_check_mark: Sticky, setuid, or setgid bit (*NIX only).

Zip Files

:heavy_check_mark: Symlink attacks.

:heavy_check_mark: Zip slips.

:heavy_check_mark: Nested zip bombs.

:heavy_check_mark: Flat zip bombs.

:heavy_check_mark: Sticky, setuid, or setgid bit (*NIX only).

:heavy_check_mark: Files with a root UID or GID (*NIX only).

Tar Files

:heavy_check_mark: Files with a root UID or GID (*NIX only).

:heavy_check_mark: Sticky, setuid, or setgid bit (*NIX only).

:black_square_button: Files with absolute paths (*NIX only).
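All of the zip and tar checks listed above can be decided from archive metadata alone, without extracting anything: member names reveal zip slips and absolute paths, the Unix mode stored in a zip entry's `external_attr` (high 16 bits) or a tar header reveals symlinks and the setuid/setgid/sticky bits, tar headers carry the owner UID/GID, and the ratio of declared size to compressed size exposes a flat zip bomb. The scanner below is an added example, not badfiles' implementation; the 100x ratio threshold is an assumption, and both archives are constructed in memory so the example runs offline.

```python
import io
import stat
import tarfile
import zipfile

MAX_RATIO = 100                                   # assumed threshold: inflating >100x is suspicious
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def unsafe_path(name: str) -> bool:
    """True for an absolute path or any '..' component (zip slip / tar escape)."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def scan_zip(data: bytes) -> dict:
    """Triage a zip archive from its central directory only; nothing is extracted."""
    findings = {"zip_slip": [], "symlink": [], "special_bits": [], "zip_bomb": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16       # Unix mode lives in the high 16 bits
            if unsafe_path(info.filename):
                findings["zip_slip"].append(info.filename)
            if stat.S_ISLNK(mode):
                findings["symlink"].append(info.filename)
            if mode & SPECIAL_BITS:
                findings["special_bits"].append(info.filename)
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings["zip_bomb"].append(info.filename)
    return findings


def scan_tar(data: bytes) -> dict:
    """Triage a tar archive from its member headers only; nothing is extracted."""
    findings = {"absolute_path": [], "root_owner": [], "special_bits": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if unsafe_path(m.name):
                findings["absolute_path"].append(m.name)
            if m.uid == 0 or m.gid == 0:
                findings["root_owner"].append(m.name)
            if m.mode & SPECIAL_BITS:
                findings["special_bits"].append(m.name)
    return findings


# ---- constructed sample archives (built in memory so the example runs offline) ----

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")                   # benign member
        zf.writestr("../../escaped.txt", "traversal")        # zip slip: escapes the extraction dir
        link = zipfile.ZipInfo("link")                       # symlink member
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")
        tool = zipfile.ZipInfo("tool")                       # regular file carrying the setuid bit
        tool.external_attr = (stat.S_IFREG | stat.S_ISUID | 0o755) << 16
        zf.writestr(tool, "#!/bin/sh\n")
        zf.writestr("bomb.bin", b"\x00" * 1_000_000)          # flat zip bomb: ~1000x ratio
    return buf.getvalue()


def build_sample_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"#!/bin/sh\n"
        bad = tarfile.TarInfo("/tmp/escaped.txt")            # absolute path, root-owned, setuid
        bad.size, bad.uid, bad.gid, bad.mode = len(payload), 0, 0, 0o4755
        tf.addfile(bad, io.BytesIO(payload))
        ok = tarfile.TarInfo("notes.txt")                    # benign member (TarInfo defaults to uid 0)
        ok.size, ok.uid, ok.gid, ok.mode = 5, 1000, 1000, 0o644
        tf.addfile(ok, io.BytesIO(b"hello"))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
    print(scan_tar(build_sample_tar()))
```

Two practical points the code reflects: the per-member ratio only catches flat bombs, since a nested bomb's inner archives look like ordinary binary data until they are opened, and the whole scan reads headers only, so a hostile archive is never written to disk before a verdict is reached.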

Additional Features

Please file an issue or a pull request, especially if you have found or created malicious files that bypass these detection mechanisms. Please see the contributing guidelines for more details.

Getting Started

Usage

Credits

This package was created with this Cookiecutter template.

This project uses zip-bomb to create the nested and flat zip bombs for unit testing and detection rules.

This project uses a custom Yara rule from Reversing Labs to detect obfuscated CSV injection payloads.

Contributors

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

badfiles-0.3.0.tar.gz (36.5 kB), uploaded as Source

Built Distribution

badfiles-0.3.0-py3-none-any.whl (11.0 kB), uploaded for Python 3
