From 8ce3716e2d6c6587f7e8d0ff3de78154dd7ac5c1 Mon Sep 17 00:00:00 2001
From: Dario Martins Silva
Date: Thu, 23 May 2019 12:37:36 -0400
Subject: [PATCH 1/2] fix egrep rule and ncat rule

falco-CLA-1.0-signed-off-by: Dario Martins Silva
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 34daced230f..61a76948874 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2114,7 +2114,7 @@
   condition: >
     spawned_process and container and
     ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
-     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
+     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e" or proc.args contains "-c"))
     )
   output: >
     Netcat runs inside container that allows remote code execution (user=%user.name
@@ -2151,7 +2151,7 @@
   tags: [network, process, mitre_discovery, mitre_exfiltration]
 
 - list: grep_binaries
-  items: [grep, egre, fgrep]
+  items: [grep, egrep, fgrep]
 
 - macro: grep_commands
   condition: (proc.name in (grep_binaries))

From d023ce194348f53b0bee75a0c3ed88f30ad03425 Mon Sep 17 00:00:00 2001
From: Dario Martins Silva
Date: Fri, 31 May 2019 18:19:16 -0400
Subject: [PATCH 2/2] add space after arguments, add --lua-exec

falco-CLA-1.0-signed-off-by: Dario Martins Silva
---
 rules/falco_rules.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 61a76948874..1942297b402 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2114,7 +2114,8 @@
   condition: >
     spawned_process and container and
     ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
-     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e" or proc.args contains "-c"))
+     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e "
+      or proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
   output: >
     Netcat runs inside container that allows remote code execution (user=%user.name
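Review bot: The trailing space in `"-e "` and `"-c "` on the two added ncat lines narrows the substring match, but it also leaves a coverage gap: a flag that is the last token of proc.args has no trailing space, and a value written directly against the short flag with no separator is not matched either, while the `nc` branch two lines above still matches the bare `"-e"`/`"-c"`, so the two branches now treat the same flags differently. The reason for the space (keeping `"-e"` from matching inside `--exec` and `--lua-exec`, which are listed on their own) is recorded only in the commit subject; a YAML comment above the condition such as `# short flags carry a trailing space so "-e"/"-c" match a standalone argument rather than a longer option` would stop the next editor from reverting it. If the last-argument case should be covered, adding `or proc.args endswith "-e" or proc.args endswith "-c"` to the ncat branch closes it without reintroducing the substring overlap. The enclosing rule begins before this hunk, so the `desc` and rule name are not visible here.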