Lines 924-964javascript
924 prefilter: ["sekurlsa", "mimikatz", "procdump", "lsass", "hklm\\sam"]
927 id: "malware.disable_defense",
928 label: "Security-control tampering",
930 regex: /Set-MpPreference\b[\s\S]{0,40}?-Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)|\bsetenforce\s+0\b|\bsystemctl\s+(?:stop|disable)\s+(?:falcon|crowdstrike|auditd|osquery)/i,
931 prefilter: ["set-mppreference", "setenforce", "systemctl"]
934 id: "malware.persistence",
935 label: "Persistence mechanism",
937 regex: /\bschtasks\b[\s\S]{0,20}?\/create|\breg\s+add\b[\s\S]{0,80}?\\CurrentVersion\\Run\b|\bNew-Service\b|>>?\s*\/etc\/(?:rc\.local|cron\.d)/i,
938 prefilter: ["schtasks", "currentversion\\run", "new-service", "rc.local", "cron.d"]
941 id: "malware.base64_eval",
942 label: "Obfuscated eval of encoded payload",
944 regex: /\beval\s*\(\s*(?:atob|base64_decode|Buffer\.from)\s*\(|\bexec\s*\(\s*__import__\s*\(\s*['"]base64/i,
945 prefilter: ["eval(", "exec("]
946 },
LowEval
Package source references a known benign dynamic code generation pattern.
dist/chunk-RE65MQXY.jsView on unpkg · L944 948 id: "malware.obfuscated_shell",
949 label: "Obfuscated shell decode-and-run",
951 regex: /\$\{IFS\}|\bbase64\s+-d\b[\s\S]{0,20}?\|\s*(?:ba)?sh\b|\bxxd\s+-r\b[\s\S]{0,20}?\|\s*(?:ba)?sh\b/i,
952 prefilter: ["${ifs}", "base64 -d", "xxd -r"]
955 id: "malware.fork_bomb",
958 regex: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/,
959 prefilter: [":(){", ":|:&"]
962var malwareDetector = {