rule update: add MITRE tags for rules (#575)

* rule update: add MITRE tags for rules * update mitre tags with all lower case and add two more rules * add two more mitre_persistence rules plus minor changes * replace contains with icontains * limit search passwd in container
falcosecurity · Apr 11, 2019 · d83342a · d83342a
1 parent e26a950
commit d83342a
Showing 1 changed file with 100 additions and 31 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -327,7 +327,33 @@
   condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
   output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name)
   priority: NOTICE
-  tags: [network]
+  tags: [network, mitre_remote_service]
+
+- list: user_context_files
+  items: [.bashrc, .bash_profile]
+
+- rule: Modify User Context
+  desc: Detect attempt to modify .bashrc file or .bash_profile file
+  condition: >
+    open_write and fd.filename in (user_context_files)
+  output: >
+    .bash_profile or .bashrc has been modified (user=%user.name command=%proc.cmdline file=%fd.name
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority:
+    WARNING
+  tag: [file, mitre_persistence]
+
+- rule: Schedule Cron Jobs in Container
+  desc: Detect cron jobs scheduled in container
+  condition: >
+    ((open_write and fd.name startswith /etc/cron) or
+     (spawned_process and proc.name = "crontab")) and container
+  output: >
+    Cron jobs were scheduled to run inside container (user=%user.name command=%proc.cmdline
+    file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority:
+    NOTICE
+  tag: [file, mitre_persistence]
 
 # Use this to test whether the event occurred within a container.
 
@@ -736,7 +762,7 @@
     File below a known binary directory opened for writing (user=%user.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 # If you'd like to generally monitor a wider set of directories on top
 # of the ones covered by the rule Write below binary dir, you can use
@@ -794,7 +820,7 @@
     File below a monitored directory opened for writing (user=%user.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 - list: safe_etc_dirs
   items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
@@ -1018,7 +1044,7 @@
   condition: write_etc_common
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 - list: known_root_files
   items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
@@ -1095,7 +1121,7 @@
     and not user_known_write_root_conditions
   output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 - macro: cmp_cp_by_passwd
   condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
@@ -1110,7 +1136,7 @@
     Sensitive file opened for reading by trusted program after startup (user=%user.name
     command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
   priority: WARNING
-  tags: [filesystem]
+  tags: [filesystem, mitre_credential_access]
 
 - list: read_sensitive_file_binaries
   items: [
@@ -1159,7 +1185,7 @@
     Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
   priority: WARNING
-  tags: [filesystem]
+  tags: [filesystem, mitre_credential_access]
 
 # Only let rpm-related programs write to the rpm database
 - rule: Write below rpm database
@@ -1172,7 +1198,7 @@
     and not exe_running_docker_save
   output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)"
   priority: ERROR
-  tags: [filesystem, software_mgmt]
+  tags: [filesystem, software_mgmt, mitre_persistence]
 
 - macro: postgres_running_wal_e
   condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
@@ -1207,7 +1233,7 @@
     Database-related program spawned process other than itself (user=%user.name
     program=%proc.cmdline parent=%proc.pname)
   priority: NOTICE
-  tags: [process, database]
+  tags: [process, database, mitre_execution]
 
 - rule: Modify binary dirs
   desc: an attempt to modify any file below a set of binary directories.
@@ -1216,7 +1242,7 @@
     File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
     pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args)
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 - rule: Mkdir binary dirs
   desc: an attempt to create a directory below a set of binary directories.
@@ -1225,7 +1251,7 @@
     Directory below known binary directory created (user=%user.name
     command=%proc.cmdline directory=%evt.arg.path)
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 # This list allows for easy additions to the set of commands allowed
 # to change thread namespace without having to copy and override the
@@ -1398,7 +1424,7 @@
     cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
     aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7])
   priority: DEBUG
-  tags: [shell]
+  tags: [shell, mitre_execution]
 
 - macro: allowed_openshift_registry_root
   condition: >
@@ -1473,7 +1499,7 @@
     and not user_trusted_containers
   output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: INFO
-  tags: [container, cis]
+  tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
 
 # For now, only considering a full mount of /etc as
 # sensitive. Ideally, this would also consider all subdirectories
@@ -1513,7 +1539,7 @@
     and not user_sensitive_mount_containers
   output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
   priority: INFO
-  tags: [container, cis]
+  tags: [container, cis, mitre_lateral_movement]
 
 # In a local/user rules file, you could override this macro to
 # explicitly enumerate the container images that you want to run in
@@ -1533,7 +1559,7 @@
   condition: container_started and container and not allowed_containers
   output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: WARNING
-  tags: [container]
+  tags: [container, mitre_lateral_movement]
 
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
@@ -1545,7 +1571,7 @@
   condition: spawned_process and system_users and interactive
   output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
   priority: INFO
-  tags: [users]
+  tags: [users, mitre_remote_access_tools]
 
 - rule: Terminal shell in container
   desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
@@ -1557,7 +1583,7 @@
     A shell was spawned in a container with an attached terminal (user=%user.name %container.info
     shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
   priority: NOTICE
-  tags: [container, shell]
+  tags: [container, shell, mitre_execution]
 
 # For some container types (mesos), there isn't a container image to
 # work with, and the container name is autogenerated, so there isn't
@@ -1631,7 +1657,7 @@
     Known system binary sent/received network traffic
     (user=%user.name command=%proc.cmdline connection=%fd.name)
   priority: NOTICE
-  tags: [network]
+  tags: [network, mitre_exfiltration]
 
 - list: openvpn_udp_ports
   items: [1194, 1197, 1198, 8080, 9201]
@@ -1672,7 +1698,7 @@
     Unexpected UDP Traffic Seen
     (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args)
   priority: NOTICE
-  tags: [network]
+  tags: [network, mitre_exfiltration]
 
 # With the current restriction on system calls handled by falco
 # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
@@ -1731,7 +1757,7 @@
     Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
     command=%proc.cmdline uid=%evt.arg.uid)
   priority: NOTICE
-  tags: [users]
+  tags: [users, mitre_privilege_escalation]
 
 - rule: User mgmt binaries
   desc: >
@@ -1755,7 +1781,7 @@
     User management binary command run outside of container
     (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
   priority: NOTICE
-  tags: [host, users]
+  tags: [host, users, mitre_persistence]
 
 - list: allowed_dev_files
   items: [
@@ -1775,7 +1801,7 @@
     and not fd.name startswith /dev/tty
   output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: ERROR
-  tags: [filesystem]
+  tags: [filesystem, mitre_persistence]
 
 
 # In a local/user rules file, you could override this macro to
@@ -1797,7 +1823,7 @@
   condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
   output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
   priority: NOTICE
-  tags: [network, aws, container]
+  tags: [network, aws, container, mitre_discovery]
 
 # In a local/user rules file, you should override this macro with the
 # IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
@@ -1820,7 +1846,7 @@
   condition: outbound and k8s_api_server and container and not k8s_containers
   output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
   priority: NOTICE
-  tags: [network, k8s, container]
+  tags: [network, k8s, container, mitre_discovery]
 
 # In a local/user rules file, list the container images that are
 # allowed to contact NodePort services from within a container. This
@@ -1836,10 +1862,10 @@
   condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
   output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name)
   priority: NOTICE
-  tags: [network, k8s, container]
+  tags: [network, k8s, container, mitre_port_knocking]
 
 - list: network_tool_binaries
-  items: [nc, ncat, nmap]
+  items: [nc, ncat, nmap, dig]
 
 - macro: network_tool_procs
   condition: proc.name in (network_tool_binaries)
@@ -1853,7 +1879,7 @@
     Package management process launched in container (user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: ERROR
-  tags: [process]
+  tags: [process, mitre_persistence]
 
 - rule: Netcat Remote Code Execution in Container
   desc: Netcat Program runs inside container that allows remote code execution
@@ -1866,17 +1892,60 @@
     Netcat runs inside container that allows remote code execution (user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: WARNING
-  tags: [network, process]
+  tags: [network, process, mitre_execution]
 
 - rule: Lauch Suspicious Network Tool in Container
   desc: Detect network tools launched inside container
   condition: >
     spawned_process and container and network_tool_procs
   output: >
-    Network tool launched in container (user=%user.name
-    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+    Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
-  tags: [network, process]
+  tags: [network, process, mitre_discovery, mitre_exfiltration]
+
+- list: grep_binaries
+  items: [grep, egre, fgrep]
+
+- macro: grep_commands
+  condition: (proc.name in (grep_binaries))
+
+- macro: private_key_or_password
+  condition: >
+    (proc.args icontains "BEGIN PRIVATE" or
+     proc.args icontains "BEGIN RSA PRIVATE" or
+     proc.args icontains "BEGIN DSA PRIVATE" or
+     proc.args icontains "BEGIN EC PRIVATE" or
+     proc.args icontains "pass" or
+     proc.args icontains "ssh"
+    )
+
+- rule: Search Private Keys or Passwords
+  desc: >
+    Detect grep private keys or passwords activity.
+  condition: >
+    (spawned_process and container and
+     ((grep_commands and private_key_or_password) or
+      (proc.name = "find" and (proc.args contains "id_rsa" or proc.args contains "id_dsa")))
+    )
+  output: >
+    Grep private keys or passwords activities found
+    (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
+    image=%container.image.repository:%container.image.tag)
+  priority:
+    WARNING
+  tags: [process, mitre_credential_access]
+
+- rule: Delete Bash History
+  desc: Detect bash history deletetion
+  condition: >
+    (spawned_process and proc.name in (shred, rm) and proc.args contains "bash_history")
+  output: >
+    Bash history has been deleted (user=%user.name command=%proc.cmdline
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority:
+    WARNING
+  tag: [process, mitre_defense_evation]
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to