diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2d579e1f..1237d731 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -327,7 +327,33 @@ condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name) priority: NOTICE - tags: [network] + tags: [network, mitre_remote_service] + +- list: user_context_files + items: [.bashrc, .bash_profile] + +- rule: Modify User Context + desc: Detect attempt to modify .bashrc file or .bash_profile file + condition: > + open_write and fd.filename in (user_context_files) + output: > + .bash_profile or .bashrc has been modified (user=%user.name command=%proc.cmdline file=%fd.name + container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: + WARNING + tag: [file, mitre_persistence] + +- rule: Schedule Cron Jobs in Container + desc: Detect cron jobs scheduled in container + condition: > + ((open_write and fd.name startswith /etc/cron) or + (spawned_process and proc.name = "crontab")) and container + output: > + Cron jobs were scheduled to run inside container (user=%user.name command=%proc.cmdline + file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: + NOTICE + tag: [file, mitre_persistence] # Use this to test whether the event occurred within a container. @@ -736,7 +762,7 @@ File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] # If you'd like to generally monitor a wider set of directories on top # of the ones covered by the rule Write below binary dir, you can use 
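Review bot: The two new rules in this hunk ("Modify User Context" and "Schedule Cron Jobs in Container") spell the key as `tag:` while every other rule in the file uses `tags:`; Falco reads `tags`, so a `tag` key is most likely ignored (or flagged by stricter rule validation) and these rules cannot be selected or suppressed with `-T`/`-t` tag filtering. Change both to `tags: [file, mitre_persistence]`. The cron rule also only catches spool changes made through the `crontab` binary; a process writing directly under the user spool directory is missed, so consider adding `(open_write and fd.name startswith /var/spool/cron)` to the condition. "Modify User Context" fires on any write to a file named `.bashrc`/`.bash_profile`, on host or in a container, which presumably includes account creation copying `/etc/skel` and package installs; an override macro in the style of the other file rules (e.g. `and not user_known_modify_user_context`) would keep it actionable.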
@@ -794,7 +820,7 @@ File below a monitored directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2]) priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] - list: safe_etc_dirs items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig] @@ -1018,7 +1044,7 @@ condition: write_etc_common output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])" priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] - list: known_root_files items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, @@ -1095,7 +1121,7 @@ and not user_known_write_root_conditions output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)" priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] - macro: cmp_cp_by_passwd condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts) @@ -1110,7 +1136,7 @@ Sensitive file opened for reading by trusted program after startup (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2]) priority: WARNING - tags: [filesystem] + tags: [filesystem, mitre_credential_access] - list: read_sensitive_file_binaries items: [ 
@@ -1159,7 +1185,7 @@ Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: WARNING - tags: [filesystem] + tags: [filesystem, mitre_credential_access] # Only let rpm-related programs write to the rpm database - rule: Write below rpm database @@ -1172,7 +1198,7 @@ and not exe_running_docker_save output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)" priority: ERROR - tags: [filesystem, software_mgmt] + tags: [filesystem, software_mgmt, mitre_persistence] - macro: postgres_running_wal_e condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e") @@ -1207,7 +1233,7 @@ Database-related program spawned process other than itself (user=%user.name program=%proc.cmdline parent=%proc.pname) priority: NOTICE - tags: [process, database] + tags: [process, database, mitre_execution] - rule: Modify binary dirs desc: an attempt to modify any file below a set of binary directories. @@ -1216,7 +1242,7 @@ File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args) priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] - rule: Mkdir binary dirs desc: an attempt to create a directory below a set of binary directories. @@ -1225,7 +1251,7 @@ Directory below known binary directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path) priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] # This list allows for easy additions to the set of commands allowed # to change thread namespace without having to copy and override the 
@@ -1398,7 +1424,7 @@ cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7]) priority: DEBUG - tags: [shell] + tags: [shell, mitre_execution] - macro: allowed_openshift_registry_root condition: > @@ -1473,7 +1499,7 @@ and not user_trusted_containers output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) priority: INFO - tags: [container, cis] + tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] # For now, only considering a full mount of /etc as # sensitive. Ideally, this would also consider all subdirectories @@ -1513,7 +1539,7 @@ and not user_sensitive_mount_containers output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) priority: INFO - tags: [container, cis] + tags: [container, cis, mitre_lateral_movement] # In a local/user rules file, you could override this macro to # explicitly enumerate the container images that you want to run in @@ -1533,7 +1559,7 @@ condition: container_started and container and not allowed_containers output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [container] + tags: [container, mitre_lateral_movement] # Anything run interactively by root # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive 
@@ -1545,7 +1571,7 @@ condition: spawned_process and system_users and interactive output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)" priority: INFO - tags: [users] + tags: [users, mitre_remote_access_tools] - rule: Terminal shell in container desc: A shell was used as the entrypoint/exec point into a container with an attached terminal. @@ -1557,7 +1583,7 @@ A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty) priority: NOTICE - tags: [container, shell] + tags: [container, shell, mitre_execution] # For some container types (mesos), there isn't a container image to # work with, and the container name is autogenerated, so there isn't @@ -1631,7 +1657,7 @@ Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name) priority: NOTICE - tags: [network] + tags: [network, mitre_exfiltration] - list: openvpn_udp_ports items: [1194, 1197, 1198, 8080, 9201] @@ -1672,7 +1698,7 @@ Unexpected UDP Traffic Seen (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args) priority: NOTICE - tags: [network] + tags: [network, mitre_exfiltration] # With the current restriction on system calls handled by falco # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't @@ -1731,7 +1757,7 @@ Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid) priority: NOTICE - tags: [users] + tags: [users, mitre_privilege_escalation] - rule: User mgmt binaries desc: 
> @@ -1755,7 +1781,7 @@ User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: NOTICE - tags: [host, users] + tags: [host, users, mitre_persistence] - list: allowed_dev_files items: [ @@ -1775,7 +1801,7 @@ and not fd.name startswith /dev/tty output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)" priority: ERROR - tags: [filesystem] + tags: [filesystem, mitre_persistence] # In a local/user rules file, you could override this macro to @@ -1797,7 +1823,7 @@ condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, aws, container] + tags: [network, aws, container, mitre_discovery] # In a local/user rules file, you should override this macro with the # IP address of your k8s api server. The IP 1.2.3.4 is a placeholder @@ -1820,7 +1846,7 @@ condition: outbound and k8s_api_server and container and not k8s_containers output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name) priority: NOTICE - tags: [network, k8s, container] + tags: [network, k8s, container, mitre_discovery] # In a local/user rules file, list the container images that are # allowed to contact NodePort services from within a container. This 
@@ -1836,10 +1862,10 @@ condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name) priority: NOTICE - tags: [network, k8s, container] + tags: [network, k8s, container, mitre_port_knocking] - list: network_tool_binaries - items: [nc, ncat, nmap] + items: [nc, ncat, nmap, dig] - macro: network_tool_procs condition: proc.name in (network_tool_binaries) @@ -1853,7 +1879,7 @@ Package management process launched in container (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: ERROR - tags: [process] + tags: [process, mitre_persistence] - rule: Netcat Remote Code Execution in Container desc: Netcat Program runs inside container that allows remote code execution 
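Review bot: `mitre_port_knocking` is the wrong label for the NodePort rule in this hunk: port knocking (ATT&CK T1205) is an attacker hiding a listener behind a knock sequence, whereas this rule fires on ordinary connections to the 30000-32767 NodePort range, and every other tag added by this change names a tactic rather than a technique. `tags: [network, k8s, container, mitre_lateral_movement]` (or `mitre_discovery`) would be consistent with the rest of the set. Adding `dig` to `network_tool_binaries` will also make "Lauch Suspicious Network Tool in Container" fire on routine DNS troubleshooting and liveness scripts that shell out to `dig`; if that noise is not wanted, keep it in a separate list or pair the rule with an allow-list macro like the other container rules use.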
@@ -1866,17 +1892,60 @@ Netcat runs inside container that allows remote code execution (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [network, process] + tags: [network, process, mitre_execution] - rule: Lauch Suspicious Network Tool in Container desc: Detect network tools launched inside container condition: > spawned_process and container and network_tool_procs output: > - Network tool launched in container (user=%user.name - command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname + container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, process] + tags: [network, process, mitre_discovery, mitre_exfiltration] + +- list: grep_binaries + items: [grep, egre, fgrep] + +- macro: grep_commands + condition: (proc.name in (grep_binaries)) + +- macro: private_key_or_password + condition: > + (proc.args icontains "BEGIN PRIVATE" or + proc.args icontains "BEGIN RSA PRIVATE" or + proc.args icontains "BEGIN DSA PRIVATE" or + proc.args icontains "BEGIN EC PRIVATE" or + proc.args icontains "pass" or + proc.args icontains "ssh" + ) + +- rule: Search Private Keys or Passwords + desc: > + Detect grep private keys or passwords activity. 
+ condition: > + (spawned_process and container and + ((grep_commands and private_key_or_password) or + (proc.name = "find" and (proc.args contains "id_rsa" or proc.args contains "id_dsa"))) + ) + output: > + Grep private keys or passwords activities found + (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name + image=%container.image.repository:%container.image.tag) + priority: + WARNING + tags: [process, mitre_credential_access] + +- rule: Delete Bash History + desc: Detect bash history deletetion + condition: > + (spawned_process and proc.name in (shred, rm) and proc.args contains "bash_history") + output: > + Bash history has been deleted (user=%user.name command=%proc.cmdline + container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + priority: + WARNING + tag: [process, mitre_defense_evation] # Application rules have moved to application_rules.yaml. Please look # there if you want to enable them by adding to
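Review bot: The `private_key_or_password` macro fires on `proc.args icontains "pass"` and `proc.args icontains "ssh"`, so any grep whose arguments merely contain those substrings (`grep bypass`, `grep passed run.log`, `grep -r ssh /etc/`) raises a WARNING; tighten these to strings that actually indicate credential hunting, e.g. `"password"`, `"passwd"`, `"id_rsa"`, `"authorized_keys"`. In `grep_binaries`, `egre` looks like a typo for `egrep`, which means egrep invocations are never matched. "Delete Bash History" spells the key `tag:` instead of `tags:` and the tag `mitre_defense_evation` (should be `mitre_defense_evasion`), so the rule is neither filterable by tag nor consistent with the other tags in this change. The rule also only sees `rm`/`shred` with `bash_history` in the arguments; truncation via `> ~/.bash_history`, `history -c` or `unset HISTFILE` never spawns such a process, and an `open_write` clause on `fd.name endswith .bash_history` combined with `evt.arg.flags contains O_TRUNC` would presumably close the most common of those gaps — verify the flag field name against the Falco version in use.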