diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2fef4ea9905..32de568c841 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -368,7 +368,7 @@ - rule: Disallowed SSH Connection desc: Detect any new ssh connection to a host other than those in an allowed group of hosts condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts - output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository) + output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_remote_service] @@ -399,7 +399,7 @@ ((fd.sip in (allowed_outbound_destination_ipaddrs)) or (fd.snet in (allowed_outbound_destination_networks)) or (fd.sip.name in (allowed_outbound_destination_domains))) - output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository) + output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network] @@ -422,7 +422,7 @@ ((fd.cip in (allowed_inbound_source_ipaddrs)) or (fd.cnet in (allowed_inbound_source_networks)) or (fd.cip.name in (allowed_inbound_source_domains))) - output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository) + output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network] @@ -461,7 +461,7 @@ and not proc.name in (shell_binaries) and not exe_running_docker_save output: > - a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) + a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [file, mitre_persistence] @@ -483,7 +483,7 @@ fd.directory in (shell_config_directories)) and (not proc.name in (shell_binaries)) output: > - a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [file, mitre_discovery] @@ -502,7 +502,7 @@ consider_all_cron_jobs and not user_known_cron_jobs output: > - Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline + Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE @@ -512,8 +512,8 @@ # When displaying container information in the output field, use # %container.info, without any leading term (file=%fd.name -# %container.info user=%user.name, and not file=%fd.name -# container=%container.info user=%user.name). The output will change +# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name +# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change # based on the context and whether or not -pk/-pm/-pc was specified on # the command line. - macro: container @@ -947,7 +947,7 @@ and not exe_running_docker_save and not user_known_update_package_registry output: > - Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) + Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [filesystem, mitre_persistence] @@ -968,7 +968,7 @@ and not python_running_ms_oms and not user_known_write_below_binary_dir_activities output: > - File below a known binary directory opened for writing (user=%user.name + File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1026,7 +1026,7 @@ and not cloud_init_writing_ssh and not user_known_write_monitored_dir_conditions output: > - File below a monitored directory opened for writing (user=%user.name + File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1049,7 +1049,7 @@ not user_known_read_ssh_information_activities and not proc.name in (ssh_binaries)) output: > - ssh-related file/directory read by non-ssh program (user=%user.name + ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_discovery] @@ -1324,7 +1324,7 @@ - rule: Write below etc desc: an attempt to write to any file below /etc condition: write_etc_common - output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)" + output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)" priority: ERROR tags: [filesystem, mitre_persistence] @@ -1416,7 +1416,7 @@ and not known_root_conditions and not user_known_write_root_conditions and not user_known_write_below_root_activities - output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)" + output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)" priority: ERROR tags: [filesystem, mitre_persistence] @@ -1433,7 +1433,7 @@ at startup to load initial state, but not afterwards. condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities output: > - Sensitive file opened for reading by trusted program after startup (user=%user.name + Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: WARNING tags: [filesystem, mitre_credential_access] @@ -1491,7 +1491,7 @@ and not user_known_read_sensitive_files_activities and not user_read_sensitive_file_containers output: > - Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name + Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) priority: WARNING tags: [filesystem, mitre_credential_access, mitre_discovery] @@ -1554,7 +1554,7 @@ and not postgres_running_wal_e and not user_known_db_spawned_processes output: > - Database-related program spawned process other than itself (user=%user.name + Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [process, database, mitre_execution] @@ -1566,7 +1566,7 @@ desc: an attempt to modify any file below a set of binary directories. condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities output: > - File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline + File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1578,7 +1578,7 @@ desc: an attempt to create a directory below a set of binary directories. condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities output: > - Directory below known binary directory created (user=%user.name + Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1622,7 +1622,7 @@ and not weaveworks_scope and not user_known_change_thread_namespace_activities output: > - Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline + Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [process, mitre_privilege_escalation, mitre_lateral_movement] @@ -1768,7 +1768,7 @@ and not run_by_appdynamics and not user_shell_container_exclusions output: > - Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname + Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository) priority: DEBUG @@ -1912,7 +1912,7 @@ and container.privileged=true and not falco_privileged_containers and not user_privileged_containers - output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) priority: INFO tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] @@ -1956,7 +1956,7 @@ and sensitive_mount and not falco_sensitive_mount_containers and not user_sensitive_mount_containers - output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) + output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) priority: INFO tags: [container, cis, mitre_lateral_movement] @@ -1976,7 +1976,7 @@ desc: > Detect the initial process started by a container that is not in a list of allowed containers. condition: container_started and container and not allowed_containers - output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) priority: WARNING tags: [container, mitre_lateral_movement] @@ -1991,7 +1991,7 @@ - rule: System user interactive desc: an attempt to run interactive commands by a system (i.e. non-login) user condition: spawned_process and system_users and interactive and not user_known_system_user_login - output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)" + output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)" priority: INFO tags: [users, mitre_remote_access_tools] @@ -2008,7 +2008,7 @@ and container_entrypoint and not user_expected_terminal_shell_in_container_conditions output: > - A shell was spawned in a container with an attached terminal (user=%user.name %container.info + A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [container, shell, mitre_execution] @@ -2084,7 +2084,7 @@ and not user_expected_system_procs_network_activity_conditions output: > Known system binary sent/received network traffic - (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2122,7 +2122,7 @@ proc.env icontains HTTP_PROXY output: > Program run with disallowed HTTP_PROXY environment variable - (user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [host, users] @@ -2145,7 +2145,7 @@ and interpreted_procs) output: > Interpreted program received/listened for network traffic - (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2156,7 +2156,7 @@ and interpreted_procs) output: > Interpreted program performed outgoing network connection - (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2197,7 +2197,7 @@ condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic output: > Unexpected UDP Traffic Seen - (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2256,7 +2256,7 @@ and not nrpe_becoming_nagios and not user_known_non_sudo_setuid_conditions output: > - Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname + Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [users, mitre_privilege_escalation] @@ -2285,7 +2285,7 @@ not user_known_user_management_activities output: > User management binary command run outside of container - (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: NOTICE tags: [host, users, mitre_persistence] @@ -2309,7 +2309,7 @@ and not fd.name in (allowed_dev_files) and not fd.name startswith /dev/tty and not user_known_create_files_below_dev_activities - output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)" + output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)" priority: ERROR tags: [filesystem, mitre_persistence] @@ -2427,7 +2427,7 @@ and not package_mgmt_ancestor_procs and not user_known_package_manager_in_container output: > - Package management process launched in container (user=%user.name + Package management process launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: ERROR tags: [process, mitre_persistence] @@ -2441,7 +2441,7 @@ or proc.args contains "-c " or proc.args contains "--lua-exec")) ) output: > - Netcat runs inside container that allows remote code execution (user=%user.name + Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: WARNING tags: [network, process, mitre_execution] @@ -2454,7 +2454,7 @@ condition: > spawned_process and container and network_tool_procs and not user_known_network_tool_activities output: > - Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname + Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [network, process, mitre_discovery, mitre_exfiltration] @@ -2474,7 +2474,7 @@ network_tool_procs and not user_known_network_tool_activities output: > - Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname) + Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname) priority: NOTICE tags: [network, process, mitre_discovery, mitre_exfiltration] @@ -2510,7 +2510,7 @@ ) output: > Grep private keys or passwords activities found - (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: WARNING @@ -2544,7 +2544,7 @@ not trusted_logging_images and not allowed_clear_log_files output: > - Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [file, mitre_defense_evasion] @@ -2562,7 +2562,7 @@ desc: Detect process running to clear bulk data from disk condition: spawned_process and clear_data_procs and not user_known_remove_data_activities output: > - Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [process, mitre_persistence] @@ -2589,7 +2589,7 @@ fd.name contains "fish_read_history" or fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC") output: > - Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) + Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) priority: WARNING tags: [process, mitre_defense_evasion] @@ -2602,7 +2602,7 @@ ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC")) output: > - Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) + Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) priority: WARNING tags: [process, mitre_defense_evasion] @@ -2630,7 +2630,7 @@ and not exe_running_docker_save and not user_known_set_setuid_or_setgid_bit_conditions output: > - Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name + Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE @@ -2655,7 +2655,7 @@ consider_hidden_file_creation and not user_known_create_hidden_file_activities output: > - Hidden file or directory created (user=%user.name command=%proc.cmdline + Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE @@ -2672,7 +2672,7 @@ condition: > spawned_process and container and remote_file_copy_procs output: > - Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname + Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [network, process, mitre_lateral_movement, mitre_exfiltration] @@ -2683,7 +2683,7 @@ create_symlink and (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names)) output: > - Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) + Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) priority: NOTICE tags: [file, mitre_exfiltration] @@ -2806,7 +2806,7 @@ - rule: The docker client is executed in a container desc: Detect a k8s client tool executed inside a container condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries) - output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)" + output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)" priority: WARNING tags: [container, mitre_execution] @@ -2823,7 +2823,7 @@ - rule: Packet socket created in container desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker. condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries) - output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [network, mitre_discovery] @@ -2862,7 +2862,7 @@ k8s.ns.name in (namespace_scope_network_only_subnet) output: > Network connection outside local subnet - (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id + (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name) priority: WARNING @@ -2902,7 +2902,7 @@ not fd.sport in (authorized_server_port) output: > Network connection outside authorized port and binary - (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id + (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: WARNING tags: [network] @@ -2914,7 +2914,7 @@ desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell). condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities output: > - Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) + Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) priority: WARNING # The two Container Drift rules below will fire when a new executable is created in a container. @@ -2943,7 +2943,7 @@ ((evt.arg.mode contains "S_IXUSR") or (evt.arg.mode contains "S_IXGRP") or (evt.arg.mode contains "S_IXOTH")) - output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) + output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR # **************************************************************************** @@ -2959,7 +2959,7 @@ not runc_writing_var_lib_docker and not user_known_container_drift_activities and evt.rawres>=0 - output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) + output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR diff --git a/test/rules/detect_connect_using_in.yaml b/test/rules/detect_connect_using_in.yaml index 5e4b4dcf1f6..ad65bdc54c2 100644 --- a/test/rules/detect_connect_using_in.yaml +++ b/test/rules/detect_connect_using_in.yaml @@ -18,5 +18,5 @@ desc: Detect any connect to the localhost network, using fd.net and the in operator condition: evt.type=connect and fd.net in ("127.0.0.1/24") output: Program connected to localhost network - (user=%user.name command=%proc.cmdline connection=%fd.name) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name) priority: INFO