new(rules): Create Hardlink Over Sensitive Files

New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency Signed-off-by: Shay Berkovich <sberkovich@blackberry.com> Co-authored-by: Meera Balsara <mbalsara@blackberry.com>
2025-06-28 07:37:32 +00:00 · 2021-10-13 10:41:52 +03:00 · 2021-10-13 10:41:52 +03:00 · d989e9c2d5
commit d989e9c2d5
parent 996ccf555c
1 changed files with 14 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@ -68,6 +68,9 @@
 - macro: create_symlink
  condition: evt.type in (symlink, symlinkat) and evt.dir=<

+- macro: create_hardlink
+  condition: evt.type in (link, linkat) and evt.dir=<
+
 - macro: chmod
  condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)

@ -2696,7 +2699,17 @@
    (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
  output: >
    Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
-  priority: NOTICE
+  priority: WARNING
+  tags: [file, mitre_exfiltration]
+
+- rule: Create Hardlink Over Sensitive Files
+  desc: Detect hardlink created over sensitive files
+  condition: >
+    create_hardlink and
+    (evt.arg.oldpath in (sensitive_file_names))
+  output: >
+    Hardlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.oldpath linkpath=%evt.arg.newpath parent_process=%proc.pname)
+  priority: WARNING
  tags: [file, mitre_exfiltration]

 - list: miner_ports