falcosecurity · poiana · Jul 24, 2023 · Jul 21, 2023 · Jul 21, 2023 · incertum
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -2067,17 +2067,23 @@
   condition: (never_true)
 
 - rule: Terminal shell in container
-  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
+  desc: >
+    A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have 
+    legitimately already exited and be null (read container_entrypoint macro). Common when using 'kubectl exec' in Kubernetes. 
+    Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name). 
+    Rather than considering it a standalone rule, it may be best used when checking for other triggered rules in this container/tty.
   condition: >
     spawned_process and container
     and shell_procs and proc.tty != 0
     and container_entrypoint
     and not user_expected_terminal_shell_in_container_conditions
   output: >
-    A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
-    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository exe_flags=%evt.arg.flags)
+    A shell was spawned in a container with an attached terminal (user=%user.name uid=%user.uid 
+    user_loginuid=%user.loginuid container_info=%container.info shell=%proc.name parent=%proc.pname 
+    cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name exe_flags=%evt.arg.flags)
   priority: NOTICE
-  tags: [container, shell, mitre_execution, T1059]
+  tags: [maturity_stable, container, shell, mitre_execution, T1059]
 
 # For some container types (mesos), there isn't a container image to
 # work with, and the container name is autogenerated, so there isn't
@@ -2521,18 +2527,25 @@
   tags: [container, process, software_mgmt, mitre_persistence, T1505]
 
 - rule: Netcat Remote Code Execution in Container
-  desc: Netcat Program runs inside container that allows remote code execution
+  desc: > 
+    Netcat Program runs inside container that allows remote code execution and may be utilized 
+    as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/.
+    These programs are of higher relevance as they are commonly installed on UNIX-like operating systems.
+    Can fire in combination with the "Redirect STDOUT/STDIN to Network Connection in Container" 
+    rule as it utilizes a different evt.type.
   condition: >
     spawned_process and container and
-    ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
+    ((proc.name = "nc" and (proc.cmdline contains " -e" or proc.cmdline contains " -c")) or
      (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e "
                               or proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
   output: >
-    Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid
-    command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag exe_flags=%evt.arg.flags)
+    Netcat runs inside container that allows remote code execution (user=%user.name uid=%user.uid user_loginuid=%user.loginuid 
+    terminal=%proc.tty command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name 
+    image=%container.image.repository:%container.image.tag namespace=%k8s.ns.name pod_name=%k8s.pod.name 
+    exe_flags=%evt.arg.flags)
   priority: WARNING
-  tags: [container, network, process, mitre_execution, T1059]
+  tags: [maturity_stable, container, network, process, mitre_execution, T1059]
 
 - macro: user_known_network_tool_activities
   condition: (never_true)
@@ -3042,12 +3055,21 @@
   condition: evt.type in (dup, dup2, dup3)
 
 - rule: Redirect STDOUT/STDIN to Network Connection in Container
-  desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
+  desc: >
+    Detect redirecting stdout/stdin to network connection in container (potential reverse shell 
+    or remote code execution https://github.com/swisskyrepo/PayloadsAllTheThings/).
+    This detection is behavior-based and may generate noise in the system, and can be adjusted
+    using the user_known_stand_streams_redirect_activities template macro. Tuning can be performed
+    similarly to existing detections based on process lineage or container images, and/or it can be
+    limited to interactive tty (tty != 0).
   condition: dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
   output: >
-    Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
+    Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid 
+    %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid 
+    terminal=%proc.tty container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name  
+    pod_name=%k8s.pod.name fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
   priority: NOTICE
-  tags: [container, network, process, mitre_discovery, mitre_execution, T1059]
+  tags: [maturity_stable, container, network, process, mitre_execution, T1059]
 
 # The two Container Drift rules below will fire when a new executable is created in a container.
 # There are two ways to create executables - file is created with execution permissions or permissions change of existing file.
@@ -3140,18 +3162,21 @@
 - list: allowed_container_images_loading_kernel_module
   items: []
 
-# init_module and finit_module syscalls are available since Falco 0.35.0
-# rule coverage now extends to modprobe usage via init_module logging
-# and previous alerting on spawned_process and insmod is now covered
-# by finit_module syscall
 - rule: Linux Kernel Module Injection Detected
-  desc: Detect kernel module was injected (from container).
+  desc: >
+    Inject Linux Kernel Modules from containers using insmod or modprobe with init_module and finit_module
+    syscalls, given the precondition of sys_module effective capabilities. Profile the environment and consider
+    allowed_container_images_loading_kernel_module to reduce noise and account for legitimate cases.
   condition: kernel_module_load and container
     and not container.image.repository in (allowed_container_images_loading_kernel_module)
     and thread.cap_effective icontains sys_module
-  output: Linux Kernel Module injection from container detected (user=%user.name uid=%user.uid user_loginuid=%user.loginuid process_name=%proc.name parent_process_name=%proc.pname parent_exepath=%proc.pexepath %proc.aname[2] %proc.aexepath[2] module=%proc.args %container.info image=%container.image.repository:%container.image.tag res=%evt.res syscall=%evt.type)
+  output: >
+    Linux Kernel Module injection from container (user=%user.name uid=%user.uid user_loginuid=%user.loginuid 
+    process_name=%proc.name parent_process_name=%proc.pname parent_exepath=%proc.pexepath gparent=%proc.aname[2] 
+    gexepath=%proc.aexepath[2] module=%proc.args %container.info image=%container.image.repository:%container.image.tag 
+    namespace=%k8s.ns.name pod_name=%k8s.pod.name res=%evt.res syscall=%evt.type terminal=%proc.tty) 
   priority: WARNING
-  tags: [host, container, process, mitre_execution, mitre_persistence, TA0002]
+  tags: [maturity_stable, host, container, process, mitre_persistence, TA0003]
 
 - list: run_as_root_image_list
   items: []
@@ -3394,28 +3419,34 @@
   tags: [host, container, mitre_execution, mitre_defense_evasion, T1036.005, T1059.004]
 
 # List of allowed container images that are known to execute binaries not part of their base image.
-# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, 
-# since this requires application specific knowledge.
 - list: known_drop_and_execute_containers
   items: []
 
 - rule: Drop and execute new binary in container
-  desc:
+  desc: >
     Detect if an executable not belonging to the base image of a container is being executed.
     The drop and execute pattern can be observed very often after an attacker gained an initial foothold.
     is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem.
+    Adopters can utilize the provided template list known_drop_and_execute_containers containing allowed container 
+    images known to execute binaries not included in their base image. Alternatively, you could exclude non-production
+    namespaces in Kubernetes settings by adjusting the rule further. This helps reduce noise by applying application 
+    and environment-specific knowledge to this rule. Common anti-patterns include administrators or SREs performing 
+    ad-hoc debugging.
   condition: >
     spawned_process
     and container
     and proc.is_exe_upper_layer=true 
     and not container.image.repository in (known_drop_and_execute_containers)
   output: > 
-    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
-    image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
-    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
-    proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
-  priority: CRITICAL 
-  tags: [container, mitre_persistence, TA0003]
+    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline 
+    exe=%proc.exe container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name 
+    proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags 
+    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime 
+    proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc.exepath=%proc.exepath 
+    proc.cwd=%proc.cwd terminal=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid 
+    proc.vpid=%proc.vpid evt.res=%evt.res)
+  priority: CRITICAL
+  tags: [maturity_stable, container, process, mitre_persistence, TA0003]
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to