102 changes: 102 additions & 0 deletions src/copaw/security/tool_guard/rules/dangerous_shell_commands.yaml
@@ -27,3 +27,105 @@
- "\\bmv\\b"
description: "Shell command contains 'mv' which may move or overwrite files unexpectedly"
remediation: "Confirm with the user before moving or renaming files"

# ── Filesystem & Block Device Destruction ─────────────────────────────
- id: TOOL_CMD_FS_DESTRUCTION
tools: [execute_shell_command]
params: [command]
category: command_injection
severity: CRITICAL
patterns:
- "\\bmkfs\\b"
- "\\bdd\\s+.*of=\\/dev\\/"
- ">\\s*\\/dev\\/(sda|nvme|vd)"
description: "Detects low-level disk formatting or wiping commands"
remediation: "Block operation. Agents should not format or overwrite raw block devices."

# ── Git Data Loss ─────────────────────────────────────────────────────
- id: TOOL_CMD_GIT_DATA_LOSS
tools: [execute_shell_command]
params: [command]
category: command_injection
severity: HIGH
patterns:
- "\\bgit\\s+reset\\s+(--hard|-h\\b)"
Contributor

medium

The pattern for git reset incorrectly includes -h as a destructive option. The -h flag is an alias for --help and is not a destructive operation. git does not have a short option for --hard. Removing |-h\b will make the rule more accurate and prevent potential false positives on users trying to get help for the command.

    - "\\bgit\\s+reset\\s+--hard"

- "\\bgit\\s+checkout\\s+(--\\s+\\.|\\.)"
- "\\bgit\\s+clean\\s+-[a-zA-Z]*f"
- "\\bgit\\s+push\\s+.*(--force|-f\\b)"
- "\\bgit\\s+stash\\s+(drop|clear)"
description: "Detects destructive Git operations that discard uncommitted work or rewrite remote history"
remediation: "Suggest using 'git stash' instead of reset/checkout, or 'git push --force-with-lease'."

# ── Denial of Service & Fork Bombs ────────────────────────────────────
- id: TOOL_CMD_DOS_FORK_BOMB
tools: [execute_shell_command]
params: [command]
category: resource_abuse
severity: CRITICAL
patterns:
- ":\\(\\)\\{\\s*:\\|:&\\s*\\};:"
- "\\bkill\\s+-9\\s+(-1|1\\b)"
description: "Detects classic Bash fork bombs and mass process termination"
remediation: "Block immediately. These commands will crash the host system."

# ── Network Loaders (Pipe to Shell) ───────────────────────────────────
- id: TOOL_CMD_PIPE_TO_SHELL
tools: [execute_shell_command]
params: [command]
category: code_execution
severity: CRITICAL
patterns:
- "\\b(curl|wget)\\b\\s+.*\\|\\s*\\b(bash|sh|zsh|ash|dash)\\b"
description: "Detects 'curl | bash' patterns used to download and immediately execute remote payloads"
remediation: "Confirm with user. Agents should inspect scripts before executing them."

# ── Reverse Shell & Network Tunnels ───────────────────────────────────
- id: TOOL_CMD_REVERSE_SHELL
tools: [execute_shell_command]
params: [command]
category: network_abuse
severity: CRITICAL
patterns:
- "\\/dev\\/(tcp|udp)\\/"
- "\\bnc\\s+.*-e\\s+"
- "\\bncat\\s+.*-e\\s+"
- "\\bsocat\\s+.*EXEC:"
description: "Detects attempts to establish reverse shells or unauthorized network tunnels"
remediation: "Block operation. Agents do not need to bind interactive shells to network sockets."

# ── Persistence & Privilege Escalation ────────────────────────────────
- id: TOOL_CMD_SYSTEM_TAMPERING
tools: [execute_shell_command]
params: [command]
category: sensitive_file_access
severity: HIGH
patterns:
- "\\bcrontab\\b"
- "authorized_keys"
Contributor

medium

The pattern authorized_keys is a bit too broad and could lead to false positives by matching substrings within other words (e.g., a script named update_authorized_keys_format.sh). Using word boundaries (\b) will ensure that it only matches the whole word authorized_keys, improving the rule's precision.

    - "\\bauthorized_keys\\b"

- "\\/etc\\/sudoers"
- "\\/etc\\/crontab"
description: "Detects access to cron jobs, SSH keys, or sudo permissions (including reads and modifications)"
remediation: "Confirm with user. Treat any access to credential and scheduling files as sensitive and restrict when possible."

# ── Dangerous Permission Changes ──────────────────────────────────────
- id: TOOL_CMD_UNSAFE_PERMISSIONS
tools: [execute_shell_command]
params: [command]
category: privilege_escalation
severity: HIGH
patterns:
- "\\bchmod\\s+-[a-zA-Z]*R[a-zA-Z]*\\s+(777|a\\+rwx)\\s+\\/"
Contributor

high

The current chmod pattern is very specific, only detecting recursive changes to the root directory (/). This misses many other dangerous scenarios, such as chmod 777 /etc/shadow or chmod -R 777 . in a sensitive directory. A more general pattern would provide much broader protection against unsafe permission changes.

    - "\\bchmod\\s+.*(777|a\\+rwx)"

- "\\bchattr\\s+\\+i"
description: "Detects global permission downgrades (chmod 777) or setting immutable flags"
remediation: "Prompt for confirmation. Suggest least-privilege permission models."

# ── Obfuscation & Defense Evasion ─────────────────────────────────────
- id: TOOL_CMD_OBFUSCATED_EXEC
tools: [execute_shell_command]
params: [command]
category: code_execution
severity: HIGH
patterns:
- "\\bbase64\\s+(-d|--decode)\\s*\\|\\s*\\b(bash|sh|zsh)\\b"
description: "Detects execution of base64 encoded strings passed directly to a shell interpreter"
remediation: "Block execution. Agents should use plain text commands."
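Review bot: The git push pattern in TOOL_CMD_GIT_DATA_LOSS contradicts its own remediation: the `--force` alternative in `"\\bgit\\s+push\\s+.*(--force|-f\\b)"` matches `--force-with-lease` as a prefix, so the safer command the remediation text recommends trips the same HIGH-severity rule. Suggest excluding the safe variant explicitly, e.g. `- "\\bgit\\s+push\\s+.*(--force(?!-with-lease)\\b|-f\\b)"` if the matcher supports lookahead, and adding a test case for `git push --force-with-lease origin main` so the pattern and the remediation stay consistent. Secondary point on the same hunk: TOOL_CMD_FS_DESTRUCTION and TOOL_CMD_GIT_DATA_LOSS are tagged `category: command_injection`, yet both describe destructive commands an agent might issue legitimately rather than injection into a command string; a dedicated category (for example something like data_destruction, if the schema allows adding one) would keep category-based filtering and reporting meaningful.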