Add curl macro

Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
This commit is contained in:
Erick Cheng 2021-11-16 10:09:16 +01:00 committed by poiana
parent af6f3bfeab
commit 851033c5f4

View File

@ -3084,23 +3084,27 @@
tags: [syscall, mitre_defense_evasion]
- list: ingress_remote_file_copy_binaries
items: [wget, curl]
items: [wget]
- macro: ingress_remote_file_copy_procs
condition: (proc.name in (remote_file_copy_binaries))
condition: (proc.name in (ingress_remote_file_copy_binaries))
# Users should overwrite this macro to specify conditions under which a
# Custom condition for use of ingress remote file copy tool in container
- macro: user_known_ingress_remote_file_copy_activities
condition: (never_true)
- macro: curl_download
condition: proc.name = curl and (proc.cmdline contains (" > ") or proc.cmdline contains (" >> ") or proc.cmdline contains (" | "))
- rule: Launch Ingress Remote File Copy Tools in Container
desc: Detect ingress remote file copy tools launched in container
condition: >
spawned_process
and container
and ingress_remote_file_copy_procs
and not user_known_ingress_remote_file_copy_activities
spawned_process and
container and
((ingress_remote_file_copy_procs and
not user_known_ingress_remote_file_copy_activities) or
(curl_download))
output: >
Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)