Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
This commit is contained in:
parent
d95e36b526
commit
e76c31b493
@ -3241,9 +3241,15 @@
priority: WARNING
priority: WARNING
tags: [filesystem, mitre_credential_access, mitre_discovery]
tags: [filesystem, mitre_credential_access, mitre_discovery]
- list: known_ptrace_binaries
items: []
- marco: known_ptrace_procs
condition: (proc.name in (known_ptrace_binaries))
- rule: PTRACE attached to process
- rule: PTRACE attached to process
desc: "This rule detects an attempt to inject code into a process using PTRACE."
desc: "This rule detects an attempt to inject code into a process using PTRACE."
condition: evt.type=ptrace and evt.dir=> and evt.arg.request=11 and proc_name_exists
condition: evt.type=ptrace and evt.dir=> and evt.arg.request in (5, 6, 11, 20, 27) and proc_name_exists and not known_ptrace_procs
output: Detected ptrace PTRACE_ATTACH attempt (proc.cmdline=%proc.cmdline container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name group.gid=%group.gid group.name=%group.name container.id=%container.id container.name=%container.name image=%container.image.repository)
output: Detected ptrace PTRACE_ATTACH attempt (proc.cmdline=%proc.cmdline container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name group.gid=%group.gid group.name=%group.name container.id=%container.id container.name=%container.name image=%container.image.repository)
priority: WARNING
priority: WARNING
tags: [process]
tags: [process]
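Review bot: The new allow-list macro is declared as `- marco: known_ptrace_procs` (key `marco`, not `macro`), so the loader will not define `known_ptrace_procs` and the new condition `... and not known_ptrace_procs` references an undefined macro; the line should read `- macro: known_ptrace_procs`. The `output:` line still begins `Detected ptrace PTRACE_ATTACH attempt` although the condition now matches five request values, so alerts for the other requests will carry a misleading label; `Detected ptrace attempt (proc.cmdline=%proc.cmdline ...` would read correctly since `evt.arg.request=%evt.arg.request` is already in the output. The request values in `evt.arg.request in (5, 6, 11, 20, 27)` are bare numbers; a `#` comment above the condition stating which PTRACE_* request (those named in the commit title) each value corresponds to would keep the mapping reviewable without re-deriving it from the driver's enum. The sides of the blank lines in this rendered hunk are inferred, so the exact placement of the new list/macro block relative to the existing blank line should be confirmed in the raw diff.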