From af6f3bfeab8ac7d5ac25c533d04e564f93c85a95 Mon Sep 17 00:00:00 2001
From: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
Date: Wed, 10 Nov 2021 09:44:56 +0100
Subject: [PATCH] Move wget and curl to own rule

Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
---
 rules/falco_rules.yaml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 93d50ac2..f63b5ba2 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2676,7 +2676,7 @@
   tags: [file, mitre_persistence]
 
 - list: remote_file_copy_binaries
-  items: [rsync, scp, sftp, dcp, wget, curl]
+  items: [rsync, scp, sftp, dcp]
 
 - macro: remote_file_copy_procs
   condition: (proc.name in (remote_file_copy_binaries))
@@ -3083,6 +3083,30 @@
   priority: CRITICAL
   tags: [syscall, mitre_defense_evasion]
 
+- list: ingress_remote_file_copy_binaries
+  items: [wget, curl]
+
+- macro: ingress_remote_file_copy_procs
+  condition: (proc.name in (remote_file_copy_binaries))
+
+# Users should overwrite this macro to specify conditions under which a
+# Custom condition for use of ingress remote file copy tool in container
+- macro: user_known_ingress_remote_file_copy_activities
+  condition: (never_true)
+
+- rule: Launch Ingress Remote File Copy Tools in Container
+  desc: Detect ingress remote file copy tools launched in container
+  condition: >
+    spawned_process
+    and container
+    and ingress_remote_file_copy_procs
+    and not user_known_ingress_remote_file_copy_activities
+  output: >
+    Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: NOTICE
+  tags: [network, process, mitre_command_and_control]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
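Review bot: The new macro `ingress_remote_file_copy_procs` still tests `proc.name in (remote_file_copy_binaries)`, so it never matches the wget/curl list it was created for — the first hunk removes those two names from `remote_file_copy_binaries` — and the new NOTICE rule instead re-alerts on rsync/scp/sftp/dcp, which `remote_file_copy_procs` and its existing rule already cover, leaving a detection gap on the intended binaries and duplicate alerts on the others. The macro line should read `condition: (proc.name in (ingress_remote_file_copy_binaries))`. The two comment lines above `user_known_ingress_remote_file_copy_activities` are a sentence cut mid-clause followed by a second fragment; a single line such as `# Users should overwrite this macro to specify conditions under which an ingress remote file copy tool may legitimately run in a container` would read cleanly and match the other user_known_* macros in the file.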