From 8a664e4064a31c76eb14031a735475b5e9a09f31 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Thu, 20 Jul 2023 21:25:09 -0700 Subject: [PATCH 1/2] cleanup(rules): initial tagging of stable rules round1 Includes: * enhanced desc * more complete output fields * cleanup of tags if applicable * add new maturity_stable tag Signed-off-by: Melissa Kilby --- rules/falco_rules.yaml | 85 ++++++++++++++++++++++++++++-------------- 1 file changed, 58 insertions(+), 27 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9a98ca20f..91fdcb2d6 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -2067,17 +2067,23 @@ condition: (never_true) - rule: Terminal shell in container - desc: A shell was used as the entrypoint/exec point into a container with an attached terminal. + desc: > + A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have + legitimately already exited and be null (read container_entrypoint macro). Common when using 'kubectl exec' in Kubernetes. + Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name). + Rather than considering it a standalone rule, it may be best used when checking for other triggered rules in this container/tty. condition: > spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint and not user_expected_terminal_shell_in_container_conditions output: > - A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info - shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags) + A shell was spawned in a container with an attached terminal (user=%user.name uid=%user.uid + user_loginuid=%user.loginuid container_info=%container.info shell=%proc.name parent=%proc.pname + cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id + image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name exe_flags=%evt.arg.flags) priority: NOTICE - tags: [container, shell, mitre_execution, T1059] + tags: [maturity_stable, container, shell, mitre_execution, T1059] # For some container types (mesos), there isn't a container image to # work with, and the container name is autogenerated, so there isn't 
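Review bot: The new desc says the rule is "Common when using 'kubectl exec'", but the condition's `proc.tty != 0` (unchanged context in this hunk) only sees exec sessions that allocate a terminal, so a `kubectl exec pod -- sh -c '...'` without `-t` would presumably spawn the shell with tty 0 and never fire; the desc should say so rather than let adopters assume every exec'd shell is covered. A sentence like `Shells started without an attached terminal (e.g. 'kubectl exec' without -t, CI or operator tooling) are not covered by this rule.` would close that gap. The correlation advice would also be more actionable if it named the fields the output now carries for it: `namespace=%k8s.ns.name` and `pod_name=%k8s.pod.name` are the keys to join against the k8saudit exec event, so say "correlate on namespace and pod name (k8s.ns.name, k8s.pod.name)" instead of "fuzzy correlation by namespace and pod name".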
@@ -2521,7 +2527,12 @@ tags: [container, process, software_mgmt, mitre_persistence, T1505] - rule: Netcat Remote Code Execution in Container - desc: Netcat Program runs inside container that allows remote code execution + desc: > + Netcat Program runs inside container that allows remote code execution and may be utilized + as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/. + These programs are of higher relevance as they are commonly installed on UNIX-like operating systems. + Can fire in combination with the "Redirect STDOUT/STDIN to Network Connection in Container" + rule as it utilizes a different evt.type. condition: > spawned_process and container and ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or @@ -2529,10 +2540,12 @@ or proc.args contains "-c " or proc.args contains "--lua-exec")) ) output: > - Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid - command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags) + Netcat runs inside container that allows remote code execution (user=%user.name uid=%user.uid user_loginuid=%user.loginuid + terminal=%proc.tty command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name + image=%container.image.repository:%container.image.tag namespace=%k8s.ns.name pod_name=%k8s.pod.name + exe_flags=%evt.arg.flags) priority: WARNING - tags: [container, network, process, mitre_execution, T1059] + tags: [maturity_stable, container, network, process, mitre_execution, T1059] - macro: user_known_network_tool_activities condition: (never_true) 
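Review bot: The expanded desc should state the rule's main limitation, which is visible in the condition: both branches key on `proc.name = "nc"` / `proc.name = "ncat"` and on substring matches of the flags, so a copied or symlinked binary under another name, or any other tool with equivalent connect-and-exec behaviour, is not covered. Adopters reading "maturity_stable" will otherwise take a WARNING from this rule as coverage of reverse shells in general. Suggested addition to the desc: `Detection is based on the process name and substring matches of the exec flags; renamed binaries or other tools with equivalent functionality are not covered.` Two wording fixes while here: "a variety of reverse shell payload" should read "reverse shell payloads", and "are of higher relevance as they are commonly installed" reads more clearly as "deserve attention because they are commonly installed".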
@@ -3042,12 +3055,21 @@ condition: evt.type in (dup, dup2, dup3) - rule: Redirect STDOUT/STDIN to Network Connection in Container - desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell). + desc: > + Detect redirecting stdout/stdin to network connection in container (potential reverse shell + or remote code execution https://github.com/swisskyrepo/PayloadsAllTheThings/). + This detection is behavior-based and may generate noise in the system, and can be adjusted + using the user_known_stand_streams_redirect_activities template macro. Tuning can be performed + similarly to existing detections based on process lineage or container images, and/or it can be + limited to interactive tty (tty != 0). condition: dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities output: > - Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) + Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid + %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid + terminal=%proc.tty container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name + pod_name=%k8s.pod.name fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) priority: NOTICE - tags: [container, network, process, mitre_discovery, mitre_execution, T1059] + tags: [maturity_stable, container, network, process, mitre_execution, T1059] # The two Container Drift rules below will fire when a new executable is created in a container. 
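Review bot: The rewritten output line drops `uid=%user.uid`, which the other rules touched by this commit (Terminal shell in container, Netcat, kernel module injection) all add, so the stable set no longer exposes the same user fields for correlation; `user=%user.name uid=%user.uid user_loginuid=%user.loginuid` would keep them consistent. The desc's advice to tune on `tty != 0` is fine, but it should also name the concrete noise source the condition admits: `dup` is `evt.type in (dup, dup2, dup3)` (context just above the rule) and `evt.rawres in (0, 1, 2)` matches any process that dup's an ipv4/ipv6 socket onto fds 0-2, which I expect includes legitimate servers handing an accepted connection to a child's stdin/stdout. A sentence such as `Network daemons that legitimately dup an accepted socket onto stdin/stdout are the main source of noise; allow-list them in user_known_stand_streams_redirect_activities.` is more useful than the generic "may generate noise in the system". The macro itself is outside this hunk.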
# There are two ways to create executables - file is created with execution permissions or permissions change of existing file. 
@@ -3140,18 +3162,21 @@ - list: allowed_container_images_loading_kernel_module items: [] -# init_module and finit_module syscalls are available since Falco 0.35.0 -# rule coverage now extends to modprobe usage via init_module logging -# and previous alerting on spawned_process and insmod is now covered -# by finit_module syscall - rule: Linux Kernel Module Injection Detected - desc: Detect kernel module was injected (from container). + desc: > + Inject Linux Kernel Modules from containers using insmod or modprobe with init_module and finit_module + syscalls, given the precondition of sys_module effective capabilities. Profile the environment and consider + allowed_container_images_loading_kernel_module to reduce noise and account for legitimate cases. condition: kernel_module_load and container and not container.image.repository in (allowed_container_images_loading_kernel_module) and thread.cap_effective icontains sys_module - output: Linux Kernel Module injection from container detected (user=%user.name uid=%user.uid user_loginuid=%user.loginuid process_name=%proc.name parent_process_name=%proc.pname parent_exepath=%proc.pexepath %proc.aname[2] %proc.aexepath[2] module=%proc.args %container.info image=%container.image.repository:%container.image.tag res=%evt.res syscall=%evt.type) + output: > + Linux Kernel Module injection from container (user=%user.name uid=%user.uid user_loginuid=%user.loginuid + process_name=%proc.name parent_process_name=%proc.pname parent_exepath=%proc.pexepath gparent=%proc.aname[2] + gexepath=%proc.aexepath[2] module=%proc.args %container.info image=%container.image.repository:%container.image.tag + namespace=%k8s.ns.name pod_name=%k8s.pod.name res=%evt.res syscall=%evt.type terminal=%proc.tty) priority: WARNING - tags: [host, container, process, mitre_execution, mitre_persistence, TA0002] + tags: [maturity_stable, host, container, process, mitre_persistence, TA0003] - list: run_as_root_image_list items: [] 
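Review bot: The removed comment was the only place recording that this rule depends on init_module/finit_module syscall support from Falco 0.35.0 and that the older `spawned_process and insmod` approach was replaced by it; after this hunk that information is gone, and the new desc ("using insmod or modprobe with init_module and finit_module syscalls") reads as though the tool processes themselves are matched. I would keep a version note in the desc: `Requires Falco >= 0.35.0 (init_module/finit_module syscall support); detection is on the syscall, not on the insmod/modprobe process name, so renamed or custom loaders are covered too.` Separately, the condition shown here has no `evt.res` check while the output prints `res=%evt.res`, so a denied attempt and a successful load presumably both fire; the `kernel_module_load` macro is outside this hunk and may add one, but if not, the desc should say that failed attempts also alert, since the two warrant different responses.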
@@ -3394,28 +3419,34 @@ tags: [host, container, mitre_execution, mitre_defense_evasion, T1036.005, T1059.004] # List of allowed container images that are known to execute binaries not part of their base image. -# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, -# since this requires application specific knowledge. - list: known_drop_and_execute_containers items: [] - rule: Drop and execute new binary in container - desc: + desc: > Detect if an executable not belonging to the base image of a container is being executed. The drop and execute pattern can be observed very often after an attacker gained an initial foothold. is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. + Adopters can utilize the provided template list known_drop_and_execute_containers containing allowed container + images known to execute binaries not included in their base image. Alternatively, you could exclude non-production + namespaces in Kubernetes settings by adjusting the rule further. This helps reduce noise by applying application + and environment-specific knowledge to this rule. Common anti-patterns include administrators or SREs performing + ad-hoc debugging. 
condition: > spawned_process and container and proc.is_exe_upper_layer=true and not container.image.repository in (known_drop_and_execute_containers) output: > - Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id - image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags - proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start - proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res) - priority: CRITICAL - tags: [container, mitre_persistence, TA0003] + Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline + exe=%proc.exe container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name + proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags + proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime + proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc.exepath=%proc.exepath + proc.cwd=%proc.cwd terminal=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid + proc.vpid=%proc.vpid evt.res=%evt.res) + priority: CRITICAL + tags: [maturity_stable, container, process, mitre_persistence, TA0003] # Application rules have moved to application_rules.yaml. Please look # there if you want to enable them by adding to From 3ccb05cb31533df5c4f03a8e12e474a94f35677c Mon Sep 17 00:00:00 2001 
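Review bot: The expanded desc presents the rule as detecting executables not in the base image, but the condition tests only `proc.is_exe_upper_layer=true`, i.e. the exe of the spawned process; a dropped script run through an interpreter that ships with the image (`sh /tmp/x.sh`, `python /tmp/x.py`) has the base-image interpreter as its exe and presumably does not match. For a CRITICAL rule that gap belongs in the desc next to the overlayfs caveat: `Only the executed binary itself is checked; payloads run via an interpreter already present in the image are not covered.` The allow-list is also keyed on `container.image.repository` alone (compare the `repository:tag` form used in other outputs), so every tag of an allowed repository is exempt, which is worth a word in the list's comment. Finally, the "exclude non-production namespaces" advice could name the field adopters would filter on, `k8s.ns.name`, which the output now carries as `namespace=%k8s.ns.name`.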
From: Melissa Kilby Date: Thu, 20 Jul 2023 21:42:53 -0700 Subject: [PATCH 2/2] cleanup(rules): reduce string mismatching in 'Netcat Remote Code Execution in Container' Signed-off-by: Melissa Kilby --- rules/falco_rules.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 91fdcb2d6..049de593d 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -2535,7 +2535,7 @@ rule as it utilizes a different evt.type. condition: > spawned_process and container and - ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or + ((proc.name = "nc" and (proc.cmdline contains " -e" or proc.cmdline contains " -c")) or (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e " or proc.args contains "-c " or proc.args contains "--lua-exec")) )
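Review bot: The nc branch now uses `proc.cmdline contains " -e"` (leading space), while the ncat branch in the unchanged context keeps `proc.args contains "-e "` (trailing space), so the two branches accept different shapes of the same option: the nc form matches a glued argument such as `-e/bin/sh` but the ncat form requires a separating space, and neither matches short options clustered getopt-style (e.g. `-le 4444`), which I believe the traditional netcat accepts. Using the same leading-space `proc.cmdline` form in both branches, e.g. `(proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.cmdline contains " -e" or proc.cmdline contains " -c" or proc.args contains "--lua-exec"))`, would make the two easier to reason about together. The `" -c"` match on the nc branch also deserves a comment, since on at least some nc variants `-c` is not an exec flag (I believe OpenBSD nc uses it for TLS), so it is a noise source rather than a code-execution indicator; a one-line comment above the condition stating which netcat flavours the flags were taken from would let maintainers judge that.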