From cd4110f0c099b848479747eae2cb27faa5d4240a Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Fri, 15 Jul 2022 08:47:50 -0700
Subject: [PATCH 1/3] new(rules): Directory traversal monitored file read
Signed-off-by: Melissa Kilby
---
 rules/falco_rules.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7aa7bb0a901..f6ef9af1a58 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1366,6 +1366,19 @@
 - macro: user_known_read_sensitive_files_activities
 condition: (never_true)
+- rule: Directory traversal monitored file read
+ desc: >
+ Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs).
+ System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious.
+ condition: open_read and (fd.directory startswith "/etc" or fd.name contains ".ssh/" or fd.name contains "id_rsa") and fd.nameraw contains "../" and fd.nameraw glob *../*../* and not proc.pname in (shell_binaries)
+ enabled: true
+ output: >
+ Read monitored file via directory traversal (username=%user.name useruid=%user.uid user_loginuid=%user.loginuid program=%proc.name exe=%proc.exepath
+ command=%proc.cmdline parent=%proc.pname file=%fd.name fileraw=%fd.nameraw parent=%proc.pname
+ gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository returncode=%evt.res cwd=%proc.cwd)
+ priority: WARNING
+ tags: [filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access]
+
 - rule: Read sensitive file trusted after startup
 desc: >
 an attempt to read any sensitive file (e.g. files containing user/password/authentication
From 796fdec971a9f4559a8f4f4f1753e8586c800aff Mon Sep 17 00:00:00 2001
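Review bot: The `output` template of the new rule emits `parent=%proc.pname` twice — once after `command=%proc.cmdline` and again after `fileraw=%fd.nameraw` — so every alert carries a duplicated key, and consumers that split the output into key/value pairs will either keep one copy arbitrarily or reject the record; drop the second occurrence, e.g. `command=%proc.cmdline parent=%proc.pname file=%fd.name fileraw=%fd.nameraw`. Nothing else in the series touches the output line, so the duplicate survives all three patches. The `returncode=%evt.res` field is useful here and worth keeping since later patches also match failed opens.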
From: Melissa Kilby
Date: Wed, 3 Aug 2022 13:59:58 -0700
Subject: [PATCH 2/3] cleanup(rules): Directory traversal monitored file read
Signed-off-by: Melissa Kilby
---
 rules/falco_rules.yaml | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f6ef9af1a58..8d4f6a2b790 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -912,7 +912,10 @@
 items: [/boot, /lib, /lib64, /usr/lib, /usr/local/lib, /usr/local/sbin, /usr/local/bin, /root/.ssh]
 - macro: user_ssh_directory
- condition: (fd.name glob '/home/*/.ssh/*')
+ condition: (fd.name contains '/.ssh/' and fd.name glob '/home/*/.ssh/*')
+
+- macro: directory_traversal
+ condition: (fd.nameraw contains '../' and fd.nameraw glob '*../*../*')
 # google_accounts_(daemon)
 - macro: google_accounts_daemon_writing_ssh
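Review bot: The new `directory_traversal` macro only fires on two or more `../` segments (`glob '*../*../*'`), so a single hop that already escapes the application root is missed — a containerised app with `WORKDIR /app` opening `../etc/passwd` resolves to `/etc/passwd` but `fd.nameraw` holds just one `../` and the macro is false. If the two-hop threshold is a deliberate noise trade-off it should be stated next to the macro, e.g. `# Requires two '../' hops; one-hop escapes (e.g. from /app) are deliberately not matched to limit noise` — otherwise consider `fd.nameraw contains '../'` alone, or the glob `'*../*'`, and rely on the target-path filters in the calling rule for precision. The `contains '/.ssh/'` added to `user_ssh_directory` is semantically redundant with the glob and looks like a cheap short-circuit before the pattern match; a comment saying so (`# contains is a cheap prefilter for the glob`) would keep a future cleanup from removing it.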
@@ -957,6 +960,19 @@
 priority: ERROR
 tags: [filesystem, mitre_persistence]
+- rule: Directory traversal monitored file read
+ desc: >
+ Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs).
+ System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious.
+ condition: open_read and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains "id_rsa") and directory_traversal and not proc.pname in (shell_binaries)
+ enabled: true
+ output: >
+ Read monitored file via directory traversal (username=%user.name useruid=%user.uid user_loginuid=%user.loginuid program=%proc.name exe=%proc.exepath
+ command=%proc.cmdline parent=%proc.pname file=%fd.name fileraw=%fd.nameraw parent=%proc.pname
+ gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository returncode=%evt.res cwd=%proc.cwd)
+ priority: WARNING
+ tags: [filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access]
+
 # This rule is disabled by default as many system management tools
 # like ansible, etc can read these files/paths. Enable it using this macro.
@@ -1366,19 +1382,6 @@
 - macro: user_known_read_sensitive_files_activities
 condition: (never_true)
-- rule: Directory traversal monitored file read
- desc: >
- Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs).
- System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious.
- condition: open_read and (fd.directory startswith "/etc" or fd.name contains ".ssh/" or fd.name contains "id_rsa") and fd.nameraw contains "../" and fd.nameraw glob *../*../* and not proc.pname in (shell_binaries)
- enabled: true
- output: >
- Read monitored file via directory traversal (username=%user.name useruid=%user.uid user_loginuid=%user.loginuid program=%proc.name exe=%proc.exepath
- command=%proc.cmdline parent=%proc.pname file=%fd.name fileraw=%fd.nameraw parent=%proc.pname
- gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository returncode=%evt.res cwd=%proc.cwd)
- priority: WARNING
- tags: [filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access]
-
 - rule: Read sensitive file trusted after startup
 desc: >
 an attempt to read any sensitive file (e.g. files containing user/password/authentication
From 16b81425928e856188ebb33496ae6a8fa6b07c20 Mon Sep 17 00:00:00 2001
From: Melissa Kilby
Date: Sun, 21 Aug 2022 23:44:49 -0700
Subject: [PATCH 3/3] update(rules): Directory traversal monitored file read
- include failed open attempts w/ new macro open_file_failed
Signed-off-by: Melissa Kilby
---
 rules/falco_rules.yaml | 34 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8d4f6a2b790..28b3373c0f9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -29,13 +29,20 @@
 # condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory))
 - macro: open_write
- condition: evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
+ condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
 - macro: open_read
- condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
+ condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0)
 - macro: open_directory
- condition: evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0
+ condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='d' and fd.num>=0)
+
+# Failed file open attempts, useful to detect threat actors making mistakes
+# https://man7.org/linux/man-pages/man3/errno.3.html
+# evt.res=ENOENT - No such file or directory
+# evt.res=EACCESS - Permission denied
+- macro: open_file_failed
+ condition: (evt.type in (open,openat,openat2) and fd.typechar='f' and fd.num=-1 and evt.res startswith E)
 - macro: never_true
 condition: (evt.num=0)
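Review bot: The comment added above `open_file_failed` spells the permission error `EACCESS`, but the Linux errno name (and what `evt.res` reports) is `EACCES` with a single S; a rule author who copies the comment into a condition like `evt.res=EACCESS` will silently never match, so change the line to `# evt.res=EACCES - Permission denied`. The macro itself is broader than the two errnos the comment lists — `evt.res startswith E` also accepts `EMFILE`/`ENFILE`, `EINTR`, `ENAMETOOLONG` and so on, which indicate resource exhaustion or bugs rather than an attacker probing for a file; if that breadth is intended, say so in the comment, otherwise something like `evt.res in (ENOENT, EACCES)` is the narrower form. Note also that the macro does not inspect the open flags (`evt.is_open_read`/`evt.is_open_write` are still available on a failed open), so it matches failed write-mode opens as well, which any "read" rule that OR-s it in should account for.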
@@ -51,32 +58,32 @@
 condition: (proc.name!="")
 - macro: rename
- condition: evt.type in (rename, renameat, renameat2)
+ condition: (evt.type in (rename, renameat, renameat2))
 - macro: mkdir
- condition: evt.type in (mkdir, mkdirat)
+ condition: (evt.type in (mkdir, mkdirat))
 - macro: remove
- condition: evt.type in (rmdir, unlink, unlinkat)
+ condition: (evt.type in (rmdir, unlink, unlinkat))
 - macro: modify
- condition: rename or remove
+ condition: (rename or remove)
 - macro: spawned_process
- condition: evt.type in (execve, execveat) and evt.dir=<
+ condition: (evt.type in (execve, execveat) and evt.dir=<)
 - macro: create_symlink
- condition: evt.type in (symlink, symlinkat) and evt.dir=<
+ condition: (evt.type in (symlink, symlinkat) and evt.dir=<)
 - macro: create_hardlink
- condition: evt.type in (link, linkat) and evt.dir=<
+ condition: (evt.type in (link, linkat) and evt.dir=<)
 - macro: chmod
 condition: (evt.type in (chmod, fchmod, fchmodat) and evt.dir=<)
 # File categories
 - macro: bin_dir
- condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
+ condition: (fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin))
 - macro: bin_dir_mkdir
 condition: >
@@ -105,7 +112,7 @@
 evt.arg.newpath startswith /usr/sbin/)
 - macro: etc_dir
- condition: fd.name startswith /etc/
+ condition: (fd.name startswith /etc/)
 # This detects writes immediately below / or any write anywhere below /root
 - macro: root_dir
@@ -964,7 +971,8 @@
 desc: >
 Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs).
 System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious.
- condition: open_read and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains "id_rsa") and directory_traversal and not proc.pname in (shell_binaries)
+ This rule includes failed file open attempts.
+ condition: (open_read or open_file_failed) and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains "id_rsa") and directory_traversal and not proc.pname in (shell_binaries)
 enabled: true
 output: >
 Read monitored file via directory traversal (username=%user.name useruid=%user.uid user_loginuid=%user.loginuid program=%proc.name exe=%proc.exepath
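Review bot: The `not proc.pname in (shell_binaries)` exclusion kept on the new `condition` line blinds the rule in the scenario its own `desc` describes: a command-injection or web-shell foothold typically runs `sh -c 'cat ../../../etc/passwd'`, the reading process `cat` then has parent `sh`, and the event is suppressed, while the same read performed directly by the web process alerts. If the exclusion exists to quiet interactive operators, consider limiting it to processes with a controlling terminal — e.g. `and not (proc.pname in (shell_binaries) and proc.tty != 0)`, provided `proc.tty` is available in the targeted Falco version — or at minimum record the gap in `desc` so responders do not assume coverage. Separately, `open_file_failed` carries no flag check, so a failed write-mode open through a traversal path now also raises an alert whose text says `Read monitored file`; either pair it with `evt.is_open_read=true` or reword the output to `Attempted access to monitored file via directory traversal`. The rule's `output`, `priority` and `tags` lines continue past the end of this hunk.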