{
"version": "0.2.0",
"updated_at": "2026-01-25",
"signatures": [
{
"id": "MW-001",
"name": "GTG-1002 C2 Beacon Pattern",
"description": "Telegram, Discord or Pastebin host referenced together with a shell variable expansion, a C2/exfiltration pattern associated with the GTG-1002 cyber espionage campaign described in the referenced report (an AI-orchestrated campaign that abused Claude Code as tooling rather than an attack on it). Matches the public service domains, not attacker-specific infrastructure",
"pattern": "(telegram\\.org|discord\\.com|pastebin\\.com).*\\$[A-Z_]",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": "https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf"
},
{
"id": "MW-002",
"name": "Reverse Shell - Bash TCP",
"description": "Bash reverse shell using /dev/tcp",
"pattern": "bash\\s+-i\\s+>&\\s*/dev/tcp/",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-003",
"name": "Cryptocurrency Miner Download",
"description": "Known cryptominer binary name (xmrig, minerd, cpuminer, cgminer, ethminer, phoenixminer) followed by an archive or executable extension; does not require a download command, so it also matches local file references",
"pattern": "(xmrig|minerd|cpuminer|cgminer|ethminer|phoenixminer).*\\.(tar\\.gz|zip|exe)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-004",
"name": "Script Fetch from Raw GitHub/Gist Content",
"description": "Script (.sh/.py/.ps1) URL on raw.githubusercontent.com or gist.githubusercontent.com carrying a query string; these are legitimate hosting services frequently abused for payload staging, not known-malicious domains, so expect false positives",
"pattern": "(raw\\.githubusercontent\\.com|gist\\.githubusercontent\\.com).*\\.(sh|py|ps1)\\?",
"severity": "high",
"category": "supply-chain",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-005",
"name": "Credential Harvesting - AWS",
"description": "Access to AWS credential files with piping",
"pattern": "(cat|type|grep).*\\.aws/credentials.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-006",
"name": "Browser Data Theft",
"description": "Browser name (Chrome, Firefox, Safari) appearing alongside a profile database name (Cookies, Login Data, History); broad, matches ordinary browser profile administration as well as theft",
"pattern": "(Chrome|Firefox|Safari).*(Cookies|Login Data|History)",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-007",
"name": "Keylogger Installation",
"description": "Keyboard-capture APIs and libraries (xinput, pynput, keyboard.hook, GetAsyncKeyState); all have legitimate uses, so treat as input-capture capability rather than a confirmed keylogger",
"pattern": "(xinput|pynput|keyboard\\.hook|GetAsyncKeyState)",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-008",
"name": "Hidden File Creation in Home",
"description": "Creating hidden files in user directories",
"pattern": "(mkdir|touch)\\s+[~$HOME/]*\\.[a-z]+/(\\.[a-z]|\\$)",
"severity": "high",
"category": "persistence",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-009",
"name": "Process Injection - Linux/macOS",
"description": "Process tracing and library-injection primitives: ptrace and LD_PRELOAD (Linux), DYLD_INSERT_LIBRARIES (macOS); also matches debuggers and legitimate preload wrappers",
"pattern": "(ptrace|LD_PRELOAD|DYLD_INSERT_LIBRARIES)",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-010",
"name": "Anti-Analysis VM Detection",
"description": "Checks for VM/sandbox detection",
"pattern": "(vmware|virtualbox|vbox|qemu|sandbox).*detect",
"severity": "high",
"category": "obfuscation",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-011",
"name": "Reverse Shell - Netcat",
"description": "Netcat reverse shell pattern",
"pattern": "nc\\s+(-e|--exec)\\s*/bin/(sh|bash)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-012",
"name": "Reverse Shell - Python",
"description": "Python reverse shell using socket",
"pattern": "python.*-c.*socket.*connect.*exec",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-013",
"name": "Reverse Shell - Perl",
"description": "Perl reverse shell pattern",
"pattern": "perl.*-e.*socket.*INET.*exec",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-014",
"name": "Reverse Shell - Ruby",
"description": "Ruby reverse shell pattern",
"pattern": "ruby.*-rsocket.*TCPSocket.*exec",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-015",
"name": "Reverse Shell - PHP",
"description": "PHP reverse shell pattern",
"pattern": "php.*-r.*fsockopen.*exec",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-016",
"name": "Reverse Shell - PowerShell",
"description": "PowerShell reverse shell pattern",
"pattern": "powershell.*Net\\.Sockets\\.TCPClient.*GetStream",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-017",
"name": "Reverse Shell - Node.js",
"description": "Node.js reverse shell pattern",
"pattern": "node.*-e.*net\\.Socket.*connect.*child_process",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-018",
"name": "Credential Theft - /etc/passwd",
"description": "cat of /etc/passwd or /etc/shadow piped into another command; /etc/passwd is world-readable and holds no password hashes, so the /etc/shadow match is the higher-value signal",
"pattern": "cat.*/etc/(passwd|shadow).*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-019",
"name": "Credential Theft - SSH Keys",
"description": "Exfiltrating SSH private keys",
"pattern": "cat.*\\.ssh/(id_rsa|id_ed25519|id_ecdsa).*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-020",
"name": "Credential Theft - GPG Keys",
"description": "Exfiltrating GPG private keys",
"pattern": "(cat|tar).*\\.gnupg.*(\\||curl|wget)",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-021",
"name": "Credential Theft - Docker Config",
"description": "Exfiltrating Docker credentials",
"pattern": "cat.*\\.docker/config\\.json.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-022",
"name": "Credential Theft - Kubernetes",
"description": "Exfiltrating Kubernetes credentials",
"pattern": "cat.*\\.kube/config.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-023",
"name": "Credential Theft - GCP",
"description": "Exfiltrating GCP credentials",
"pattern": "cat.*application_default_credentials\\.json.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-024",
"name": "Credential Theft - Azure",
"description": "Exfiltrating Azure credentials",
"pattern": "cat.*\\.azure/(credentials|accessTokens).*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-025",
"name": "Data Exfil - DNS Tunneling",
"description": "DNS lookup (nslookup/dig/host) of a name that includes a shell variable expansion, consistent with encoding data into query labels; broad, also matches any scripted lookup",
"pattern": "(nslookup|dig|host)\\s+.*\\$.*\\.",
"severity": "high",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-026",
"name": "Data Exfil - ICMP Tunneling",
"description": "ICMP tunneling for data exfiltration",
"pattern": "(ping|icmp).*-p.*\\$",
"severity": "high",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-027",
"name": "Persistence - Crontab Modification",
"description": "Any crontab invocation, or an echo appended into a cron path; also matches benign use such as crontab -l",
"pattern": "(crontab|echo.*>>.*cron)",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-028",
"name": "Persistence - Systemd Service",
"description": "systemctl enable, or copying a .service unit into /etc/systemd; also matches routine service administration",
"pattern": "(systemctl\\s+enable|cp.*\\.service.*/etc/systemd)",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-029",
"name": "Persistence - Shell RC Modification",
"description": "Modifying shell startup files",
"pattern": "echo.*>>.*\\.(bashrc|zshrc|profile|bash_profile)",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-030",
"name": "Persistence - SSH Authorized Keys",
"description": "Appending to an authorized_keys file via echo; the pattern cannot tell an authorized key from an unauthorized one",
"pattern": "echo.*>>.*authorized_keys",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-031",
"name": "Persistence - LaunchAgent macOS",
"description": "Creating malicious LaunchAgents",
"pattern": "(cp|mv).*LaunchAgents.*\\.plist",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-032",
"name": "Persistence - LaunchDaemon macOS",
"description": "Creating malicious LaunchDaemons",
"pattern": "(cp|mv).*LaunchDaemons.*\\.plist",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-033",
"name": "Persistence - Windows Registry Run",
"description": "Adding registry run keys",
"pattern": "reg\\s+add.*\\\\Run",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-034",
"name": "Persistence - Windows Task Scheduler",
"description": "Creating scheduled tasks",
"pattern": "schtasks\\s+/create",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-035",
"name": "Privilege Escalation - SUID Binary",
"description": "find -perm 4000 (SUID search), or chmod with a three-digit mode beginning 4 or 7; note the chmod branch also matches ordinary modes such as 755 and 700 and does not require the 4xxx setuid bit",
"pattern": "(find.*-perm.*4000|chmod\\s+[47][0-7]{2}\\s)",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-036",
"name": "Privilege Escalation - Capabilities",
"description": "Manipulating Linux capabilities",
"pattern": "setcap.*cap_setuid",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "certain",
"reference": null
},
{
"id": "MW-037",
"name": "Privilege Escalation - sudoers",
"description": "Modifying sudoers file",
"pattern": "echo.*>>.*sudoers",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "certain",
"reference": null
},
{
"id": "MW-038",
"name": "Privilege Escalation - Docker Escape",
"description": "docker run with --privileged, or a mount -o bind; bind mounts are routine outside containers, so context is needed",
"pattern": "(docker.*--privileged|mount.*-o.*bind.*/)",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-039",
"name": "Web Shell - PHP",
"description": "PHP web shell patterns",
"pattern": "<\\?php.*(eval|exec|system|passthru|shell_exec).*\\$_(GET|POST|REQUEST)",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-040",
"name": "Web Shell - JSP",
"description": "JSP web shell patterns",
"pattern": "Runtime\\.getRuntime\\(\\)\\.exec.*request\\.getParameter",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-041",
"name": "Web Shell - ASPX",
"description": "ASPX web shell patterns",
"pattern": "Process\\.Start.*Request\\[",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-042",
"name": "Ransomware - File Encryption",
"description": "Bulk file encryption patterns",
"pattern": "(openssl|gpg)\\s+(enc|encrypt).*-aes.*find.*-type\\s+f",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-043",
"name": "Ransomware - Shadow Copy Delete",
"description": "Deleting Windows shadow copies",
"pattern": "vssadmin\\s+delete\\s+shadows",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-044",
"name": "Lateral Movement - SSH Spray",
"description": "sshpass supplying an inline password (-p) to ssh; a single match is a scripted non-interactive login, spraying is inferred only from repetition across hosts or accounts",
"pattern": "sshpass.*-p.*ssh",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-045",
"name": "Lateral Movement - PSExec",
"description": "PSExec remote execution",
"pattern": "psexec.*\\\\\\\\.*cmd",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-046",
"name": "Lateral Movement - WMI",
"description": "WMI remote execution",
"pattern": "wmic.*process\\s+call\\s+create",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-047",
"name": "Defense Evasion - History Clear",
"description": "Clearing command history",
"pattern": "(history\\s+-c|rm.*\\.bash_history|unset\\s+HISTFILE)",
"severity": "high",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-048",
"name": "Defense Evasion - Log Deletion",
"description": "Deleting system logs",
"pattern": "rm.*/var/log/",
"severity": "high",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-049",
"name": "Defense Evasion - Timestomping",
"description": "Modifying file timestamps",
"pattern": "touch\\s+-[rdat]",
"severity": "medium",
"category": "obfuscation",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-050",
"name": "C2 - Cobalt Strike Beacon",
"description": "cobaltstrike or beacon.dll strings, or rundll32 invoked with an http URL; the rundll32 branch is a generic download-and-execute indicator rather than Cobalt Strike-specific",
"pattern": "cobaltstrike|beacon\\.dll|rundll32.*http",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-051",
"name": "C2 - Metasploit Meterpreter",
"description": "Metasploit meterpreter patterns",
"pattern": "meterpreter|msfvenom|msfconsole",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-052",
"name": "C2 - Empire Framework",
"description": "PowerShell Empire framework",
"pattern": "powershell.*empire|invoke-empire",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-053",
"name": "C2 - Sliver Framework",
"description": "Sliver C2 framework",
"pattern": "sliver-client|sliver-server",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-054",
"name": "Cryptojacking - Monero Pool",
"description": "Monero mining pool connections",
"pattern": "(pool\\.minexmr|xmrpool\\.eu|supportxmr\\.com|nanopool\\.org)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-055",
"name": "Cryptojacking - Stratum Protocol",
"description": "Stratum mining protocol",
"pattern": "stratum\\+tcp://",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-056",
"name": "Data Exfil - Pastebin Upload",
"description": "Uploading data to Pastebin",
"pattern": "(curl|wget).*pastebin\\.com/api",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-057",
"name": "Data Exfil - Transfer.sh",
"description": "Uploading data to transfer.sh",
"pattern": "(curl|wget).*transfer\\.sh",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-058",
"name": "Data Exfil - File.io",
"description": "Uploading data to file.io",
"pattern": "(curl|wget).*file\\.io",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-059",
"name": "Data Exfil - 0x0.st",
"description": "Uploading data to 0x0.st",
"pattern": "(curl|wget).*0x0\\.st",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-060",
"name": "Data Exfil - Webhook",
"description": "Exfiltration via Discord webhook",
"pattern": "discord\\.com/api/webhooks.*\\$",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-061",
"name": "Data Exfil - Telegram Bot",
"description": "Exfiltration via Telegram bot",
"pattern": "api\\.telegram\\.org/bot.*sendDocument",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-062",
"name": "Data Exfil - Slack Webhook",
"description": "Exfiltration via Slack webhook",
"pattern": "hooks\\.slack\\.com/services.*\\$",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-063",
"name": "Recon - Network Scan nmap",
"description": "Network scanning with nmap",
"pattern": "nmap\\s+(-s[STUFN]|-p-|-A)",
"severity": "medium",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-064",
"name": "Recon - Port Scan Masscan",
"description": "Network scanning with masscan",
"pattern": "masscan.*--rate",
"severity": "medium",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-065",
"name": "Recon - Subdomain Enumeration",
"description": "Subdomain enumeration tools",
"pattern": "(subfinder|amass|sublist3r)\\s+-d",
"severity": "medium",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-066",
"name": "Password Cracking - Hashcat",
"description": "Hashcat password cracking",
"pattern": "hashcat.*-m\\s+\\d+",
"severity": "high",
"category": "privilege-escalation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-067",
"name": "Password Cracking - John",
"description": "John the Ripper password cracking",
"pattern": "john\\s+(--wordlist|--format)",
"severity": "high",
"category": "privilege-escalation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-068",
"name": "Credential Dumping - Mimikatz",
"description": "Mimikatz credential dumping",
"pattern": "(mimikatz|sekurlsa::logonpasswords|lsadump::sam)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-069",
"name": "Credential Dumping - LaZagne",
"description": "LaZagne credential dumping",
"pattern": "lazagne\\.exe|laZagne\\.py",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-070",
"name": "Credential Dumping - pypykatz",
"description": "pypykatz LSASS dumping",
"pattern": "pypykatz\\s+lsa",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-071",
"name": "Exploit Tool - SQLMap",
"description": "SQL injection tool",
"pattern": "sqlmap\\s+(-u|--url)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-072",
"name": "Exploit Tool - Burp",
"description": "Burp Suite proxy tool",
"pattern": "burpsuite|burp-rest-api",
"severity": "medium",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-073",
"name": "Exploit Tool - Nuclei",
"description": "Nuclei vulnerability scanner",
"pattern": "nuclei\\s+(-t|--templates)",
"severity": "medium",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-074",
"name": "Remote Access - ngrok",
"description": "ngrok tunneling service",
"pattern": "ngrok\\s+(http|tcp|authtoken)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-075",
"name": "Remote Access - Chisel",
"description": "Chisel tunneling tool",
"pattern": "chisel\\s+(server|client)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-076",
"name": "Remote Access - Ligolo",
"description": "Ligolo tunneling tool",
"pattern": "ligolo(-ng)?\\s+(agent|proxy)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-077",
"name": "Encoded Payload - PowerShell Base64",
"description": "Base64 encoded PowerShell commands",
"pattern": "powershell.*-[eE]nc(odedCommand)?\\s+[A-Za-z0-9+/=]{50,}",
"severity": "critical",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-078",
"name": "Encoded Payload - Bash Base64 Exec",
"description": "Base64 decoded and executed in bash",
"pattern": "echo\\s+[A-Za-z0-9+/=]{30,}.*base64\\s+-d.*\\|\\s*(bash|sh)",
"severity": "critical",
"category": "obfuscation",
"confidence": "certain",
"reference": null
},
{
"id": "MW-079",
"name": "Obfuscation - Hex Encoded",
"description": "Hex encoded shell commands",
"pattern": "\\$'\\\\x[0-9a-fA-F]{2}(\\\\x[0-9a-fA-F]{2}){10,}'",
"severity": "high",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-080",
"name": "Obfuscation - Python Compile",
"description": "Compiled Python execution",
"pattern": "exec\\(compile\\(.*,.*'exec'\\)",
"severity": "high",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-081",
"name": "Container Escape - Mount Host",
"description": "mount -t ext4 of a /dev/sd* or /dev/vd* block device, consistent with mounting the host disk from inside a container; the same command is routine on a bare host",
"pattern": "mount.*-t.*ext4.*/dev/[sv]d[a-z]",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-082",
"name": "Container Escape - nsenter",
"description": "Using nsenter for container escape",
"pattern": "nsenter.*--target\\s+1",
"severity": "critical",
"category": "privilege-escalation",
"confidence": "certain",
"reference": null
},
{
"id": "MW-083",
"name": "K8s Attack - Service Account Token",
"description": "Accessing Kubernetes service account token",
"pattern": "cat.*/var/run/secrets/kubernetes\\.io",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-084",
"name": "K8s Attack - kubectl exec",
"description": "Malicious kubectl exec commands",
"pattern": "kubectl\\s+exec.*--\\s*(bash|sh|cmd)",
"severity": "high",
"category": "exfiltration",
"confidence": "tentative",
"reference": null
},
{
"id": "MW-085",
"name": "Cloud Attack - IMDS Access",
"description": "curl or wget to the 169.254.169.254 IPv4 link-local metadata endpoint (AWS/GCP/Azure IMDS); hostname aliases and IPv6 metadata endpoints are not matched",
"pattern": "(curl|wget).*169\\.254\\.169\\.254",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-086",
"name": "Cloud Attack - AWS STS Token",
"description": "Exfiltrating AWS STS tokens",
"pattern": "aws\\s+sts\\s+get-session-token.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-087",
"name": "Backdoor - LD_PRELOAD",
"description": "Using LD_PRELOAD for persistence",
"pattern": "echo.*LD_PRELOAD.*>>.*/etc/environment",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-088",
"name": "Backdoor - PAM Module",
"description": "Installing malicious PAM module",
"pattern": "(cp|mv).*\\.so.*/lib.*/security",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-089",
"name": "Backdoor - Kernel Module",
"description": "Loading malicious kernel module",
"pattern": "insmod.*\\.ko",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-090",
"name": "Backdoor - Git Hook",
"description": "Malicious git hook installation",
"pattern": "echo.*(\\|\\s*sh|bash).*>.*\\.git/hooks",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-091",
"name": "Supply Chain - npm Postinstall",
"description": "Malicious npm postinstall script",
"pattern": "\"postinstall\".*:.*\"(curl|wget|bash|sh|node -e)",
"severity": "high",
"category": "supply-chain",
"confidence": "firm",
"reference": null
},
{
"id": "MW-092",
"name": "Supply Chain - pip setup.py",
"description": "Malicious pip setup.py execution",
"pattern": "setup\\(.*cmdclass.*install.*exec",
"severity": "high",
"category": "supply-chain",
"confidence": "firm",
"reference": null
},
{
"id": "MW-093",
"name": "Supply Chain - Composer Scripts",
"description": "Malicious Composer post-install script",
"pattern": "\"post-install-cmd\".*:.*\"(curl|wget|bash|php -r)",
"severity": "high",
"category": "supply-chain",
"confidence": "firm",
"reference": null
},
{
"id": "MW-094",
"name": "Supply Chain - Gem Extconf",
"description": "Malicious Ruby gem extconf.rb",
"pattern": "extconf\\.rb.*system\\(",
"severity": "high",
"category": "supply-chain",
"confidence": "firm",
"reference": null
},
{
"id": "MW-095",
"name": "Exfil - Screenshot Capture",
"description": "Taking and exfiltrating screenshots",
"pattern": "(scrot|screencapture|import -window).*\\|.*(curl|wget)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-096",
"name": "Exfil - Clipboard Access",
"description": "Accessing and exfiltrating clipboard",
"pattern": "(xclip|pbpaste|xsel).*\\|.*(curl|wget)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-097",
"name": "Exfil - Webcam Access",
"description": "Capturing webcam images",
"pattern": "(ffmpeg.*video4linux|imagesnap|fswebcam)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-098",
"name": "Exfil - Microphone Access",
"description": "Recording audio from microphone",
"pattern": "(arecord|sox.*-d|ffmpeg.*-f\\s+alsa)",
"severity": "high",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-099",
"name": "Botnet - IRC C2",
"description": "IRC-based command and control",
"pattern": "(irc\\..*:[0-9]+|PRIVMSG.*:!|JOIN #)",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-100",
"name": "Botnet - Tor Hidden Service",
"description": "Tor hidden service communication",
"pattern": "(torify|proxychains).*\\.onion",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-101",
"name": "DoS - Fork Bomb",
"description": "Fork bomb denial of service",
"pattern": ":\\(\\)\\{\\s*:\\|:\\s*&\\s*\\};:",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-102",
"name": "DoS - Disk Fill",
"description": "Filling disk with data",
"pattern": "(yes|cat /dev/zero|dd.*if=/dev/zero).*>>",
"severity": "critical",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-103",
"name": "Wiper - Disk Overwrite",
"description": "Overwriting disk with zeros",
"pattern": "dd.*if=/dev/(zero|urandom).*of=/dev/[sv]d[a-z]",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-104",
"name": "Wiper - MBR Overwrite",
"description": "Overwriting Master Boot Record",
"pattern": "dd.*of=/dev/[sv]d[a-z].*bs=512.*count=1",
"severity": "critical",
"category": "persistence",
"confidence": "certain",
"reference": null
},
{
"id": "MW-105",
"name": "Credential Theft - .netrc",
"description": "Exfiltrating .netrc credentials",
"pattern": "cat.*\\.netrc.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-106",
"name": "Credential Theft - .npmrc",
"description": "Exfiltrating npm tokens",
"pattern": "cat.*\\.npmrc.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-107",
"name": "Credential Theft - .pypirc",
"description": "Exfiltrating PyPI credentials",
"pattern": "cat.*\\.pypirc.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-108",
"name": "Credential Theft - gem credentials",
"description": "Exfiltrating RubyGems credentials",
"pattern": "cat.*\\.gem/credentials.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-109",
"name": "Credential Theft - Git Credentials",
"description": "Exfiltrating git credentials",
"pattern": "cat.*\\.git-credentials.*\\|",
"severity": "critical",
"category": "exfiltration",
"confidence": "firm",
"reference": null
},
{
"id": "MW-110",
"name": "Reverse Shell - OpenSSL",
"description": "OpenSSL encrypted reverse shell",
"pattern": "openssl.*s_client.*-connect.*exec",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-111",
"name": "Reverse Shell - Socat",
"description": "Socat reverse shell",
"pattern": "socat.*exec.*pty.*tcp:",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-112",
"name": "AI API Abuse - Key Exfiltration",
"description": "Exfiltrating AI API keys",
"pattern": "(ANTHROPIC|OPENAI|CLAUDE)_API_KEY.*\\|.*(curl|wget|nc)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-113",
"name": "Reverse Shell - Python dup2",
"description": "Python reverse shell using os.dup2 for fd redirection",
"pattern": "python.*os\\.dup2\\(.*\\.fileno\\(\\)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-114",
"name": "Reverse Shell - Bash exec fd",
"description": "Bash reverse shell using exec with file descriptors",
"pattern": "exec\\s+[0-9]+<>/dev/tcp/",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-115",
"name": "Reverse Shell - Awk",
"description": "Awk-based reverse shell",
"pattern": "awk.*BEGIN.*inet/tcp.*getline",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-116",
"name": "Reverse Shell - Lua",
"description": "Lua-based reverse shell",
"pattern": "lua.*socket\\.tcp.*connect.*os\\.execute",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-117",
"name": "Reverse Shell - mkfifo telnet",
"description": "Reverse shell using mkfifo and telnet",
"pattern": "mkfifo.*/tmp/.*telnet.*>",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-118",
"name": "Reverse Shell - Python heredoc",
"description": "Python reverse shell in heredoc",
"pattern": "python.*<<.*socket\\.socket.*connect.*dup2",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
},
{
"id": "MW-119",
"name": "Obfuscation - Command from rev",
"description": "Command construction using rev (reverse string)",
"pattern": "\\$\\(.*\\|\\s*rev\\s*\\).*https?://",
"severity": "high",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-120",
"name": "Obfuscation - Base32 decode exec",
"description": "Base32 decoding piped to execution",
"pattern": "base32.*-d.*\\|\\s*(bash|sh|eval)",
"severity": "high",
"category": "obfuscation",
"confidence": "firm",
"reference": null
},
{
"id": "MW-121",
"name": "Delayed Execution - at command",
"description": "Scheduling command execution with at",
"pattern": "\\|\\s*at\\s+(now|midnight|\\d)",
"severity": "high",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-122",
"name": "Hidden Session - screen detached",
"description": "Running commands in detached screen session",
"pattern": "screen\\s+-[dDm]+S.*bash.*-c",
"severity": "high",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-123",
"name": "Hidden Session - tmux detached",
"description": "Running commands in detached tmux session",
"pattern": "tmux\\s+(new-session|new)\\s+-d.*(curl|wget|nc|bash)",
"severity": "high",
"category": "persistence",
"confidence": "firm",
"reference": null
},
{
"id": "MW-124",
"name": "Reverse Shell - Python spawn",
"description": "Python reverse shell with pty spawn",
"pattern": "python.*pty\\.spawn.*/bin/(bash|sh)",
"severity": "critical",
"category": "exfiltration",
"confidence": "certain",
"reference": null
}
]
}