From d678be5579674e057e5c82f2f8b3709118716b88 Mon Sep 17 00:00:00 2001 From: Chuck Schweizer Date: Tue, 25 Aug 2020 13:17:35 -0500 Subject: [PATCH] Adding user.loginuid to the default falco rules in any place user.name exists This update will provide information as to which process uid intitiated the event. This is really important for processes that are started by a different user name. Signed-off-by: Chuck Schweizer --- rules/falco_rules.yaml | 108 ++++++++++++------------ test/rules/detect_connect_using_in.yaml | 2 +- 2 files changed, 55 insertions(+), 55 deletions(-) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 2fef4ea9905..32de568c841 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -368,7 +368,7 @@ - rule: Disallowed SSH Connection desc: Detect any new ssh connection to a host other than those in an allowed group of hosts condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts - output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository) + output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_remote_service] @@ -399,7 +399,7 @@ ((fd.sip in (allowed_outbound_destination_ipaddrs)) or (fd.snet in (allowed_outbound_destination_networks)) or (fd.sip.name in (allowed_outbound_destination_domains))) - output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository) + output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network] @@ -422,7 +422,7 @@ ((fd.cip in (allowed_inbound_source_ipaddrs)) or (fd.cnet in (allowed_inbound_source_networks)) or (fd.cip.name in (allowed_inbound_source_domains))) - output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository) + output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network] @@ -461,7 +461,7 @@ and not proc.name in (shell_binaries) and not exe_running_docker_save output: > - a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) + a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [file, mitre_persistence] @@ -483,7 +483,7 @@ fd.directory in (shell_config_directories)) and (not proc.name in (shell_binaries)) output: > - a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [file, mitre_discovery] @@ -502,7 +502,7 @@ consider_all_cron_jobs and not user_known_cron_jobs output: > - Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline + Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE @@ -512,8 +512,8 @@ # When displaying container information in the output field, use # %container.info, without any leading term (file=%fd.name -# %container.info user=%user.name, and not file=%fd.name -# container=%container.info user=%user.name). The output will change +# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name +# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change # based on the context and whether or not -pk/-pm/-pc was specified on # the command line. - macro: container @@ -947,7 +947,7 @@ and not exe_running_docker_save and not user_known_update_package_registry output: > - Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) + Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [filesystem, mitre_persistence] @@ -968,7 +968,7 @@ and not python_running_ms_oms and not user_known_write_below_binary_dir_activities output: > - File below a known binary directory opened for writing (user=%user.name + File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1026,7 +1026,7 @@ and not cloud_init_writing_ssh and not user_known_write_monitored_dir_conditions output: > - File below a monitored directory opened for writing (user=%user.name + File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1049,7 +1049,7 @@ not user_known_read_ssh_information_activities and not proc.name in (ssh_binaries)) output: > - ssh-related file/directory read by non-ssh program (user=%user.name + ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_discovery] @@ -1324,7 +1324,7 @@ - rule: Write below etc desc: an attempt to write to any file below /etc condition: write_etc_common - output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)" + output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)" priority: ERROR tags: [filesystem, mitre_persistence] @@ -1416,7 +1416,7 @@ and not known_root_conditions and not user_known_write_root_conditions and not user_known_write_below_root_activities - output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)" + output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)" priority: ERROR tags: [filesystem, mitre_persistence] @@ -1433,7 +1433,7 @@ at startup to load initial state, but not afterwards. condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities output: > - Sensitive file opened for reading by trusted program after startup (user=%user.name + Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: WARNING tags: [filesystem, mitre_credential_access] @@ -1491,7 +1491,7 @@ and not user_known_read_sensitive_files_activities and not user_read_sensitive_file_containers output: > - Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name + Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) priority: WARNING tags: [filesystem, mitre_credential_access, mitre_discovery] @@ -1554,7 +1554,7 @@ and not postgres_running_wal_e and not user_known_db_spawned_processes output: > - Database-related program spawned process other than itself (user=%user.name + Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [process, database, mitre_execution] @@ -1566,7 +1566,7 @@ desc: an attempt to modify any file below a set of binary directories. condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities output: > - File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline + File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1578,7 +1578,7 @@ desc: an attempt to create a directory below a set of binary directories. condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities output: > - Directory below known binary directory created (user=%user.name + Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence] @@ -1622,7 +1622,7 @@ and not weaveworks_scope and not user_known_change_thread_namespace_activities output: > - Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline + Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [process, mitre_privilege_escalation, mitre_lateral_movement] @@ -1768,7 +1768,7 @@ and not run_by_appdynamics and not user_shell_container_exclusions output: > - Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname + Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository) priority: DEBUG @@ -1912,7 +1912,7 @@ and container.privileged=true and not falco_privileged_containers and not user_privileged_containers - output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) priority: INFO tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] @@ -1956,7 +1956,7 @@ and sensitive_mount and not falco_sensitive_mount_containers and not user_sensitive_mount_containers - output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) + output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) priority: INFO tags: [container, cis, mitre_lateral_movement] @@ -1976,7 +1976,7 @@ desc: > Detect the initial process started by a container that is not in a list of allowed containers. condition: container_started and container and not allowed_containers - output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) + output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) priority: WARNING tags: [container, mitre_lateral_movement] @@ -1991,7 +1991,7 @@ - rule: System user interactive desc: an attempt to run interactive commands by a system (i.e. non-login) user condition: spawned_process and system_users and interactive and not user_known_system_user_login - output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)" + output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)" priority: INFO tags: [users, mitre_remote_access_tools] @@ -2008,7 +2008,7 @@ and container_entrypoint and not user_expected_terminal_shell_in_container_conditions output: > - A shell was spawned in a container with an attached terminal (user=%user.name %container.info + A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [container, shell, mitre_execution] @@ -2084,7 +2084,7 @@ and not user_expected_system_procs_network_activity_conditions output: > Known system binary sent/received network traffic - (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2122,7 +2122,7 @@ proc.env icontains HTTP_PROXY output: > Program run with disallowed HTTP_PROXY environment variable - (user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [host, users] @@ -2145,7 +2145,7 @@ and interpreted_procs) output: > Interpreted program received/listened for network traffic - (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2156,7 +2156,7 @@ and interpreted_procs) output: > Interpreted program performed outgoing network connection - (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2197,7 +2197,7 @@ condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic output: > Unexpected UDP Traffic Seen - (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [network, mitre_exfiltration] @@ -2256,7 +2256,7 @@ and not nrpe_becoming_nagios and not user_known_non_sudo_setuid_conditions output: > - Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname + Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository) priority: NOTICE tags: [users, mitre_privilege_escalation] @@ -2285,7 +2285,7 @@ not user_known_user_management_activities output: > User management binary command run outside of container - (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: NOTICE tags: [host, users, mitre_persistence] @@ -2309,7 +2309,7 @@ and not fd.name in (allowed_dev_files) and not fd.name startswith /dev/tty and not user_known_create_files_below_dev_activities - output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)" + output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)" priority: ERROR tags: [filesystem, mitre_persistence] @@ -2427,7 +2427,7 @@ and not package_mgmt_ancestor_procs and not user_known_package_manager_in_container output: > - Package management process launched in container (user=%user.name + Package management process launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: ERROR tags: [process, mitre_persistence] @@ -2441,7 +2441,7 @@ or proc.args contains "-c " or proc.args contains "--lua-exec")) ) output: > - Netcat runs inside container that allows remote code execution (user=%user.name + Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: WARNING tags: [network, process, mitre_execution] @@ -2454,7 +2454,7 @@ condition: > spawned_process and container and network_tool_procs and not user_known_network_tool_activities output: > - Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname + Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [network, process, mitre_discovery, mitre_exfiltration] @@ -2474,7 +2474,7 @@ network_tool_procs and not user_known_network_tool_activities output: > - Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname) + Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname) priority: NOTICE tags: [network, process, mitre_discovery, mitre_exfiltration] @@ -2510,7 +2510,7 @@ ) output: > Grep private keys or passwords activities found - (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: WARNING @@ -2544,7 +2544,7 @@ not trusted_logging_images and not allowed_clear_log_files output: > - Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [file, mitre_defense_evasion] @@ -2562,7 +2562,7 @@ desc: Detect process running to clear bulk data from disk condition: spawned_process and clear_data_procs and not user_known_remove_data_activities output: > - Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) + Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING tags: [process, mitre_persistence] @@ -2589,7 +2589,7 @@ fd.name contains "fish_read_history" or fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC") output: > - Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) + Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) priority: WARNING tags: [process, mitre_defense_evasion] @@ -2602,7 +2602,7 @@ ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC")) output: > - Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) + Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) priority: WARNING tags: [process, mitre_defense_evasion] @@ -2630,7 +2630,7 @@ and not exe_running_docker_save and not user_known_set_setuid_or_setgid_bit_conditions output: > - Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name + Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE @@ -2655,7 +2655,7 @@ consider_hidden_file_creation and not user_known_create_hidden_file_activities output: > - Hidden file or directory created (user=%user.name command=%proc.cmdline + Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE @@ -2672,7 +2672,7 @@ condition: > spawned_process and container and remote_file_copy_procs output: > - Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname + Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [network, process, mitre_lateral_movement, mitre_exfiltration] @@ -2683,7 +2683,7 @@ create_symlink and (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names)) output: > - Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) + Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) priority: NOTICE tags: [file, mitre_exfiltration] @@ -2806,7 +2806,7 @@ - rule: The docker client is executed in a container desc: Detect a k8s client tool executed inside a container condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries) - output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)" + output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)" priority: WARNING tags: [container, mitre_execution] @@ -2823,7 +2823,7 @@ - rule: Packet socket created in container desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker. condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries) - output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) + output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE tags: [network, mitre_discovery] @@ -2862,7 +2862,7 @@ k8s.ns.name in (namespace_scope_network_only_subnet) output: > Network connection outside local subnet - (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id + (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name) priority: WARNING @@ -2902,7 +2902,7 @@ not fd.sport in (authorized_server_port) output: > Network connection outside authorized port and binary - (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id + (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: WARNING tags: [network] @@ -2914,7 +2914,7 @@ desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell). condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities output: > - Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) + Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) priority: WARNING # The two Container Drift rules below will fire when a new executable is created in a container. @@ -2943,7 +2943,7 @@ ((evt.arg.mode contains "S_IXUSR") or (evt.arg.mode contains "S_IXGRP") or (evt.arg.mode contains "S_IXOTH")) - output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) + output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR # **************************************************************************** @@ -2959,7 +2959,7 @@ not runc_writing_var_lib_docker and not user_known_container_drift_activities and evt.rawres>=0 - output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) + output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR diff --git a/test/rules/detect_connect_using_in.yaml b/test/rules/detect_connect_using_in.yaml index 5e4b4dcf1f6..ad65bdc54c2 100644 --- a/test/rules/detect_connect_using_in.yaml +++ b/test/rules/detect_connect_using_in.yaml @@ -18,5 +18,5 @@ desc: Detect any connect to the localhost network, using fd.net and the in operator condition: evt.type=connect and fd.net in ("127.0.0.1/24") output: Program connected to localhost network - (user=%user.name command=%proc.cmdline connection=%fd.name) + (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name) priority: INFO