
feat: new malware sourcecode detection for anti-analysis behaviour#1388

Merged
art1f1c3R merged 4 commits into
mainfrom
art1f1c3R/anti-analysis
May 7, 2026

Conversation

@art1f1c3R

@art1f1c3R art1f1c3R commented Apr 27, 2026

Summary

This PR introduces a new type of source code detection rule called anti-analysis, which focuses on malware that performs operations to check if it is being analysed to inform behavioural decisions.

Description of changes

The anti-analysis rules developed for this PR are informed by analysis of multiple malware samples. The general behaviour observed in these malware samples included blacklisting known analysis and virtualization tools (e.g. processes, MAC addresses, users, IP addresses) and system characteristics, and actively looking for ways to disable them (e.g. disable Antivirus or remove your signature, elevate privileges to do so). Included in this PR are behaviours that could be generalised into rules that were highly unlikely to appear in a benign Python package:

  • anti_analysis-known-ouis: some malware samples included a blacklist of MAC addresses that would prevent it from running, evidently targeted at detecting MAC addresses often assigned to virtual machines. This rule includes the OUIs of some well-known services (VMware, VirtualBox, Hyper-V) and looks for hard-coded instances of MAC addresses with those OUIs, which likely form such a blacklist.
  • anti_analysis-defender-evasion: some malware samples used Microsoft tools (PowerShell, Registry editing, WMI, CIM classes) to disable part or all of Windows Defender capabilities to evade detection, or remove evidence of detection. Included in this rule are some common patterns used in these code snippets that play a key role in their execution.
  • anti_analysis-ip-checkers: some malware samples would use public, benign IP information services to extract information about the machine they were running on, and evade detection based on this. This sample includes some of the commonly observed domains used for this purpose. This rule is currently disabled in Macaron, however, since matching on the existence of the string domain in a file alone is too broad and prone to false positives (e.g. this would fail when run against the azure-cli package). At this stage, no useful pattern from the malware samples was observed that could be generalised into a Semgrep rule. defaults.ini is updated to, by default, exclude this rule.

Appropriate unit tests have been added to ensure the accuracy of these rules and demonstrate examples of what they are looking for.

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.
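The following is an added illustration of the anti_analysis-known-ouis idea described above, written as a small stand-alone Python scanner rather than as a Semgrep rule; it is not Macaron's code and is not taken from anti_analysis.yaml. The OUI table holds published IEEE vendor prefixes for VMware, VirtualBox and Hyper-V chosen for this example (the exact set shipped in the rule may differ), the `threshold` of distinct hypervisor OUIs is an assumption, and both input snippets are constructed. It also shows why anchoring on a full MAC-address pattern is far less prone to the false positives the PR describes for bare domain-string matching: a three-octet prefix is only reported when it sits inside a complete, well-formed MAC literal.

```python
import re
from typing import Dict, List, Tuple

# Published IEEE OUIs (first three octets) registered to hypervisor vendors.
# Assumption for this example: Macaron's rule file may carry a different list.
VM_OUIS: Dict[str, str] = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
}

# A complete MAC literal: six hex octets separated by ':' or '-', case-insensitive.
# Requiring the full address (not just the prefix) keeps the match narrow.
MAC_RE = re.compile(
    r"\b([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})(?:[:-][0-9a-f]{2}){3}\b",
    re.IGNORECASE,
)


def find_vm_macs(source: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_number, mac_literal, oui, vendor) for every hard-coded MAC
    address in `source` whose OUI belongs to a known hypervisor vendor."""
    hits: List[Tuple[int, str, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in MAC_RE.finditer(line):
            oui = ":".join(octet.lower() for octet in match.groups())
            vendor = VM_OUIS.get(oui)
            if vendor is not None:
                hits.append((lineno, match.group(0), oui, vendor))
    return hits


def looks_like_vm_blacklist(source: str, threshold: int = 3) -> bool:
    """Heuristic (assumed threshold): a single VM MAC may be a legitimate config
    default, but several distinct hypervisor OUIs hard-coded in one file is the
    blacklist shape the PR describes."""
    distinct_ouis = {oui for _, _, oui, _ in find_vm_macs(source)}
    return len(distinct_ouis) >= threshold


# Constructed sample resembling the malicious pattern: a hard-coded blacklist.
SUSPICIOUS_SAMPLE = (
    "import uuid\n"
    "# constructed: blacklist of hypervisor MAC addresses\n"
    "BLOCKED = ['00:0C:29:4A:1B:2C', '00-50-56-AA-BB-CC',\n"
    "           '08:00:27:12:34:56', '00:15:5D:01:02:03']\n"
)

# Constructed benign sample: a locally administered (Docker-style) address and a
# bare vendor prefix in a comment, neither of which should be reported.
BENIGN_SAMPLE = (
    "DEFAULT_MAC = '02:42:ac:11:00:02'\n"
    "# vendor prefix 00:50:56 mentioned in prose, not a MAC literal\n"
)


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name}: blacklist={looks_like_vm_blacklist(sample)}")
        for lineno, mac, oui, vendor in find_vm_macs(sample):
            print(f"  line {lineno}: {mac} (OUI {oui}, {vendor})")
```

Run directly, the script reports four hits across two lines of the suspicious sample and flags it, while the benign sample yields no hits because the Docker address uses an unlisted prefix and the stray `00:50:56` in the comment is not a full MAC literal.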

@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 27, 2026
@art1f1c3R art1f1c3R self-assigned this Apr 27, 2026
Comment thread src/macaron/resources/pypi_malware_rules/anti_analysis.yaml
Carl Flottmann added 4 commits May 7, 2026 11:30
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/anti-analysis branch from 8556a40 to db42f12 Compare May 7, 2026 01:32
@art1f1c3R art1f1c3R marked this pull request as ready for review May 7, 2026 01:51
@art1f1c3R art1f1c3R merged commit 7772ceb into main May 7, 2026
26 checks passed