mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-18 07:51:12 +00:00
Adding user.loginuid to the default falco rules in any place user.name exists
This update will provide information as to which process uid intitiated the event. This is really important for processes that are started by a different user name. Signed-off-by: Chuck Schweizer <chuck.schweizer.lvk2@statefarm.com>
This commit is contained in:
Chuck Schweizer
poiana
@@ -368,7 +368,7 @@
|
||||
- rule: Disallowed SSH Connection
|
||||
desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
|
||||
condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
|
||||
output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
|
||||
output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_remote_service]
|
||||
|
||||
@@ -399,7 +399,7 @@
|
||||
((fd.sip in (allowed_outbound_destination_ipaddrs)) or
|
||||
(fd.snet in (allowed_outbound_destination_networks)) or
|
||||
(fd.sip.name in (allowed_outbound_destination_domains)))
|
||||
output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
|
||||
output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network]
|
||||
|
||||
@@ -422,7 +422,7 @@
|
||||
((fd.cip in (allowed_inbound_source_ipaddrs)) or
|
||||
(fd.cnet in (allowed_inbound_source_networks)) or
|
||||
(fd.cip.name in (allowed_inbound_source_domains)))
|
||||
output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
|
||||
output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network]
|
||||
|
||||
@@ -461,7 +461,7 @@
|
||||
and not proc.name in (shell_binaries)
|
||||
and not exe_running_docker_save
|
||||
output: >
|
||||
a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority:
|
||||
WARNING
|
||||
tags: [file, mitre_persistence]
|
||||
@@ -483,7 +483,7 @@
|
||||
fd.directory in (shell_config_directories)) and
|
||||
(not proc.name in (shell_binaries))
|
||||
output: >
|
||||
a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority:
|
||||
WARNING
|
||||
tags: [file, mitre_discovery]
|
||||
@@ -502,7 +502,7 @@
|
||||
consider_all_cron_jobs and
|
||||
not user_known_cron_jobs
|
||||
output: >
|
||||
Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline
|
||||
Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
|
||||
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority:
|
||||
NOTICE
|
||||
@@ -512,8 +512,8 @@
|
||||
|
||||
# When displaying container information in the output field, use
|
||||
# %container.info, without any leading term (file=%fd.name
|
||||
# %container.info user=%user.name, and not file=%fd.name
|
||||
# container=%container.info user=%user.name). The output will change
|
||||
# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
|
||||
# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
|
||||
# based on the context and whether or not -pk/-pm/-pc was specified on
|
||||
# the command line.
|
||||
- macro: container
|
||||
@@ -947,7 +947,7 @@
|
||||
and not exe_running_docker_save
|
||||
and not user_known_update_package_registry
|
||||
output: >
|
||||
Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
|
||||
Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
|
||||
priority:
|
||||
NOTICE
|
||||
tags: [filesystem, mitre_persistence]
|
||||
@@ -968,7 +968,7 @@
|
||||
and not python_running_ms_oms
|
||||
and not user_known_write_below_binary_dir_activities
|
||||
output: >
|
||||
File below a known binary directory opened for writing (user=%user.name
|
||||
File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
@@ -1026,7 +1026,7 @@
|
||||
and not cloud_init_writing_ssh
|
||||
and not user_known_write_monitored_dir_conditions
|
||||
output: >
|
||||
File below a monitored directory opened for writing (user=%user.name
|
||||
File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
@@ -1049,7 +1049,7 @@
|
||||
not user_known_read_ssh_information_activities and
|
||||
not proc.name in (ssh_binaries))
|
||||
output: >
|
||||
ssh-related file/directory read by non-ssh program (user=%user.name
|
||||
ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_discovery]
|
||||
@@ -1324,7 +1324,7 @@
|
||||
- rule: Write below etc
|
||||
desc: an attempt to write to any file below /etc
|
||||
condition: write_etc_common
|
||||
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
|
||||
output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
|
||||
@@ -1416,7 +1416,7 @@
|
||||
and not known_root_conditions
|
||||
and not user_known_write_root_conditions
|
||||
and not user_known_write_below_root_activities
|
||||
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
|
||||
output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
|
||||
@@ -1433,7 +1433,7 @@
|
||||
at startup to load initial state, but not afterwards.
|
||||
condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities
|
||||
output: >
|
||||
Sensitive file opened for reading by trusted program after startup (user=%user.name
|
||||
Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
|
||||
priority: WARNING
|
||||
tags: [filesystem, mitre_credential_access]
|
||||
@@ -1491,7 +1491,7 @@
|
||||
and not user_known_read_sensitive_files_activities
|
||||
and not user_read_sensitive_file_containers
|
||||
output: >
|
||||
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
|
||||
Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name
|
||||
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
|
||||
priority: WARNING
|
||||
tags: [filesystem, mitre_credential_access, mitre_discovery]
|
||||
@@ -1554,7 +1554,7 @@
|
||||
and not postgres_running_wal_e
|
||||
and not user_known_db_spawned_processes
|
||||
output: >
|
||||
Database-related program spawned process other than itself (user=%user.name
|
||||
Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid
|
||||
program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [process, database, mitre_execution]
|
||||
@@ -1566,7 +1566,7 @@
|
||||
desc: an attempt to modify any file below a set of binary directories.
|
||||
condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities
|
||||
output: >
|
||||
File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
|
||||
File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
|
||||
pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
@@ -1578,7 +1578,7 @@
|
||||
desc: an attempt to create a directory below a set of binary directories.
|
||||
condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
|
||||
output: >
|
||||
Directory below known binary directory created (user=%user.name
|
||||
Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
@@ -1622,7 +1622,7 @@
|
||||
and not weaveworks_scope
|
||||
and not user_known_change_thread_namespace_activities
|
||||
output: >
|
||||
Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
|
||||
Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
|
||||
parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
|
||||
priority: NOTICE
|
||||
tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
|
||||
@@ -1768,7 +1768,7 @@
|
||||
and not run_by_appdynamics
|
||||
and not user_shell_container_exclusions
|
||||
output: >
|
||||
Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
|
||||
Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
|
||||
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
|
||||
aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository)
|
||||
priority: DEBUG
|
||||
@@ -1912,7 +1912,7 @@
|
||||
and container.privileged=true
|
||||
and not falco_privileged_containers
|
||||
and not user_privileged_containers
|
||||
output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||
output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||
priority: INFO
|
||||
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
|
||||
|
||||
@@ -1956,7 +1956,7 @@
|
||||
and sensitive_mount
|
||||
and not falco_sensitive_mount_containers
|
||||
and not user_sensitive_mount_containers
|
||||
output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
|
||||
output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
|
||||
priority: INFO
|
||||
tags: [container, cis, mitre_lateral_movement]
|
||||
|
||||
@@ -1976,7 +1976,7 @@
|
||||
desc: >
|
||||
Detect the initial process started by a container that is not in a list of allowed containers.
|
||||
condition: container_started and container and not allowed_containers
|
||||
output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||
output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
|
||||
priority: WARNING
|
||||
tags: [container, mitre_lateral_movement]
|
||||
|
||||
@@ -1991,7 +1991,7 @@
|
||||
- rule: System user interactive
|
||||
desc: an attempt to run interactive commands by a system (i.e. non-login) user
|
||||
condition: spawned_process and system_users and interactive and not user_known_system_user_login
|
||||
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
|
||||
output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
|
||||
priority: INFO
|
||||
tags: [users, mitre_remote_access_tools]
|
||||
|
||||
@@ -2008,7 +2008,7 @@
|
||||
and container_entrypoint
|
||||
and not user_expected_terminal_shell_in_container_conditions
|
||||
output: >
|
||||
A shell was spawned in a container with an attached terminal (user=%user.name %container.info
|
||||
A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
|
||||
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [container, shell, mitre_execution]
|
||||
@@ -2084,7 +2084,7 @@
|
||||
and not user_expected_system_procs_network_activity_conditions
|
||||
output: >
|
||||
Known system binary sent/received network traffic
|
||||
(user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_exfiltration]
|
||||
|
||||
@@ -2122,7 +2122,7 @@
|
||||
proc.env icontains HTTP_PROXY
|
||||
output: >
|
||||
Program run with disallowed HTTP_PROXY environment variable
|
||||
(user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [host, users]
|
||||
|
||||
@@ -2145,7 +2145,7 @@
|
||||
and interpreted_procs)
|
||||
output: >
|
||||
Interpreted program received/listened for network traffic
|
||||
(user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_exfiltration]
|
||||
|
||||
@@ -2156,7 +2156,7 @@
|
||||
and interpreted_procs)
|
||||
output: >
|
||||
Interpreted program performed outgoing network connection
|
||||
(user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_exfiltration]
|
||||
|
||||
@@ -2197,7 +2197,7 @@
|
||||
condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
|
||||
output: >
|
||||
Unexpected UDP Traffic Seen
|
||||
(user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_exfiltration]
|
||||
|
||||
@@ -2256,7 +2256,7 @@
|
||||
and not nrpe_becoming_nagios
|
||||
and not user_known_non_sudo_setuid_conditions
|
||||
output: >
|
||||
Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
|
||||
Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
|
||||
command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
|
||||
priority: NOTICE
|
||||
tags: [users, mitre_privilege_escalation]
|
||||
@@ -2285,7 +2285,7 @@
|
||||
not user_known_user_management_activities
|
||||
output: >
|
||||
User management binary command run outside of container
|
||||
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
|
||||
priority: NOTICE
|
||||
tags: [host, users, mitre_persistence]
|
||||
|
||||
@@ -2309,7 +2309,7 @@
|
||||
and not fd.name in (allowed_dev_files)
|
||||
and not fd.name startswith /dev/tty
|
||||
and not user_known_create_files_below_dev_activities
|
||||
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
|
||||
output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
|
||||
priority: ERROR
|
||||
tags: [filesystem, mitre_persistence]
|
||||
|
||||
@@ -2427,7 +2427,7 @@
|
||||
and not package_mgmt_ancestor_procs
|
||||
and not user_known_package_manager_in_container
|
||||
output: >
|
||||
Package management process launched in container (user=%user.name
|
||||
Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority: ERROR
|
||||
tags: [process, mitre_persistence]
|
||||
@@ -2441,7 +2441,7 @@
|
||||
or proc.args contains "-c " or proc.args contains "--lua-exec"))
|
||||
)
|
||||
output: >
|
||||
Netcat runs inside container that allows remote code execution (user=%user.name
|
||||
Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid
|
||||
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority: WARNING
|
||||
tags: [network, process, mitre_execution]
|
||||
@@ -2454,7 +2454,7 @@
|
||||
condition: >
|
||||
spawned_process and container and network_tool_procs and not user_known_network_tool_activities
|
||||
output: >
|
||||
Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
|
||||
Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
|
||||
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority: NOTICE
|
||||
tags: [network, process, mitre_discovery, mitre_exfiltration]
|
||||
@@ -2474,7 +2474,7 @@
|
||||
network_tool_procs and
|
||||
not user_known_network_tool_activities
|
||||
output: >
|
||||
Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname)
|
||||
Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname)
|
||||
priority: NOTICE
|
||||
tags: [network, process, mitre_discovery, mitre_exfiltration]
|
||||
|
||||
@@ -2510,7 +2510,7 @@
|
||||
)
|
||||
output: >
|
||||
Grep private keys or passwords activities found
|
||||
(user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name
|
||||
image=%container.image.repository:%container.image.tag)
|
||||
priority:
|
||||
WARNING
|
||||
@@ -2544,7 +2544,7 @@
|
||||
not trusted_logging_images and
|
||||
not allowed_clear_log_files
|
||||
output: >
|
||||
Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority:
|
||||
WARNING
|
||||
tags: [file, mitre_defense_evasion]
|
||||
@@ -2562,7 +2562,7 @@
|
||||
desc: Detect process running to clear bulk data from disk
|
||||
condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
|
||||
output: >
|
||||
Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||
priority:
|
||||
WARNING
|
||||
tags: [process, mitre_persistence]
|
||||
@@ -2589,7 +2589,7 @@
|
||||
fd.name contains "fish_read_history" or
|
||||
fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
|
||||
output: >
|
||||
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
|
||||
Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
|
||||
priority:
|
||||
WARNING
|
||||
tags: [process, mitre_defense_evasion]
|
||||
@@ -2602,7 +2602,7 @@
|
||||
((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
|
||||
(open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
|
||||
output: >
|
||||
Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
|
||||
Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
|
||||
priority:
|
||||
WARNING
|
||||
tags: [process, mitre_defense_evasion]
|
||||
@@ -2630,7 +2630,7 @@
|
||||
and not exe_running_docker_save
|
||||
and not user_known_set_setuid_or_setgid_bit_conditions
|
||||
output: >
|
||||
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
|
||||
Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
|
||||
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority:
|
||||
NOTICE
|
||||
@@ -2655,7 +2655,7 @@
|
||||
consider_hidden_file_creation and
|
||||
not user_known_create_hidden_file_activities
|
||||
output: >
|
||||
Hidden file or directory created (user=%user.name command=%proc.cmdline
|
||||
Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
|
||||
file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority:
|
||||
NOTICE
|
||||
@@ -2672,7 +2672,7 @@
|
||||
condition: >
|
||||
spawned_process and container and remote_file_copy_procs
|
||||
output: >
|
||||
Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
|
||||
Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
|
||||
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority: NOTICE
|
||||
tags: [network, process, mitre_lateral_movement, mitre_exfiltration]
|
||||
@@ -2683,7 +2683,7 @@
|
||||
create_symlink and
|
||||
(evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
|
||||
output: >
|
||||
Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
|
||||
Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
|
||||
priority: NOTICE
|
||||
tags: [file, mitre_exfiltration]
|
||||
|
||||
@@ -2806,7 +2806,7 @@
|
||||
- rule: The docker client is executed in a container
|
||||
desc: Detect a k8s client tool executed inside a container
|
||||
condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries)
|
||||
output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
|
||||
output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
|
||||
priority: WARNING
|
||||
tags: [container, mitre_execution]
|
||||
|
||||
@@ -2823,7 +2823,7 @@
|
||||
- rule: Packet socket created in container
|
||||
desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
|
||||
condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
|
||||
output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
|
||||
priority: NOTICE
|
||||
tags: [network, mitre_discovery]
|
||||
|
||||
@@ -2862,7 +2862,7 @@
|
||||
k8s.ns.name in (namespace_scope_network_only_subnet)
|
||||
output: >
|
||||
Network connection outside local subnet
|
||||
(command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
|
||||
(command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
|
||||
image=%container.image.repository namespace=%k8s.ns.name
|
||||
fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
|
||||
priority: WARNING
|
||||
@@ -2902,7 +2902,7 @@
|
||||
not fd.sport in (authorized_server_port)
|
||||
output: >
|
||||
Network connection outside authorized port and binary
|
||||
(command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
|
||||
(command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
|
||||
image=%container.image.repository)
|
||||
priority: WARNING
|
||||
tags: [network]
|
||||
@@ -2914,7 +2914,7 @@
|
||||
desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
|
||||
condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
|
||||
output: >
|
||||
Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
|
||||
Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
|
||||
priority: WARNING
|
||||
|
||||
# The two Container Drift rules below will fire when a new executable is created in a container.
|
||||
@@ -2943,7 +2943,7 @@
|
||||
((evt.arg.mode contains "S_IXUSR") or
|
||||
(evt.arg.mode contains "S_IXGRP") or
|
||||
(evt.arg.mode contains "S_IXOTH"))
|
||||
output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
|
||||
output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
|
||||
priority: ERROR
|
||||
|
||||
# ****************************************************************************
|
||||
@@ -2959,7 +2959,7 @@
|
||||
not runc_writing_var_lib_docker and
|
||||
not user_known_container_drift_activities and
|
||||
evt.rawres>=0
|
||||
output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
|
||||
output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
|
||||
priority: ERROR
|
||||
|
||||
|
||||
|
||||
@@ -18,5 +18,5 @@
|
||||
desc: Detect any connect to the localhost network, using fd.net and the in operator
|
||||
condition: evt.type=connect and fd.net in ("127.0.0.1/24")
|
||||
output: Program connected to localhost network
|
||||
(user=%user.name command=%proc.cmdline connection=%fd.name)
|
||||
(user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
|
||||
priority: INFO
|
||||
|
||||
Reference in New Issue
Block a user