rule update: add MITRE tags for rules #575

Merged
merged 7 commits into from
Apr 11, 2019
131 changes: 100 additions & 31 deletions rules/falco_rules.yaml
Expand Up @@ -327,7 +327,33 @@
condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name)
priority: NOTICE
tags: [network]
tags: [network, mitre_remote_service]

- list: user_context_files
items: [.bashrc, .bash_profile]

- rule: Modify User Context
desc: Detect attempt to modify .bashrc file or .bash_profile file
condition: >
open_write and fd.filename in (user_context_files)
output: >
.bash_profile or .bashrc has been modified (user=%user.name command=%proc.cmdline file=%fd.name
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
WARNING
tag: [file, mitre_persistence]

- rule: Schedule Cron Jobs in Container
desc: Detect cron jobs scheduled in container
condition: >
((open_write and fd.name startswith /etc/cron) or
(spawned_process and proc.name = "crontab")) and container
output: >
Cron jobs were scheduled to run inside container (user=%user.name command=%proc.cmdline
file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
NOTICE
tag: [file, mitre_persistence]

# Use this to test whether the event occurred within a container.

Expand Down Expand Up @@ -736,7 +762,7 @@
File below a known binary directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]

# If you'd like to generally monitor a wider set of directories on top
# of the ones covered by the rule Write below binary dir, you can use
Expand Down Expand Up @@ -794,7 +820,7 @@
File below a monitored directory opened for writing (user=%user.name
command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2])
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]

- list: safe_etc_dirs
items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig]
Expand Down Expand Up @@ -1018,7 +1044,7 @@
condition: write_etc_common
output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])"
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]

- list: known_root_files
items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials,
Expand Down Expand Up @@ -1095,7 +1121,7 @@
and not user_known_write_root_conditions
output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]

- macro: cmp_cp_by_passwd
condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts)
Expand All @@ -1110,7 +1136,7 @@
Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
priority: WARNING
tags: [filesystem]
tags: [filesystem, mitre_credential_access]

- list: read_sensitive_file_binaries
items: [
Expand Down Expand Up @@ -1159,7 +1185,7 @@
Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
priority: WARNING
tags: [filesystem]
tags: [filesystem, mitre_credential_access]

# Only let rpm-related programs write to the rpm database
- rule: Write below rpm database
Expand All @@ -1172,7 +1198,7 @@
and not exe_running_docker_save
output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline)"
priority: ERROR
tags: [filesystem, software_mgmt]
tags: [filesystem, software_mgmt, mitre_persistence]

- macro: postgres_running_wal_e
condition: (proc.pname=postgres and proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e")
Expand Down Expand Up @@ -1207,7 +1233,7 @@
Database-related program spawned process other than itself (user=%user.name
program=%proc.cmdline parent=%proc.pname)
priority: NOTICE
tags: [process, database]
tags: [process, database, mitre_execution]

- rule: Modify binary dirs
desc: an attempt to modify any file below a set of binary directories.
Expand All @@ -1216,7 +1242,7 @@
File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args)
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]

- rule: Mkdir binary dirs
desc: an attempt to create a directory below a set of binary directories.
Expand All @@ -1225,7 +1251,7 @@
Directory below known binary directory created (user=%user.name
command=%proc.cmdline directory=%evt.arg.path)
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]

# This list allows for easy additions to the set of commands allowed
# to change thread namespace without having to copy and override the
Expand Down Expand Up @@ -1398,7 +1424,7 @@
cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7])
priority: DEBUG
tags: [shell]
tags: [shell, mitre_execution]

- macro: allowed_openshift_registry_root
condition: >
Expand Down Expand Up @@ -1473,7 +1499,7 @@
and not user_trusted_containers
output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: INFO
tags: [container, cis]
tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]

# For now, only considering a full mount of /etc as
# sensitive. Ideally, this would also consider all subdirectories
Expand Down Expand Up @@ -1513,7 +1539,7 @@
and not user_sensitive_mount_containers
output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
priority: INFO
tags: [container, cis]
tags: [container, cis, mitre_lateral_movement]

# In a local/user rules file, you could override this macro to
# explicitly enumerate the container images that you want to run in
Expand All @@ -1533,7 +1559,7 @@
condition: container_started and container and not allowed_containers
output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
priority: WARNING
tags: [container]
tags: [container, mitre_lateral_movement]

# Anything run interactively by root
# - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
Expand All @@ -1545,7 +1571,7 @@
condition: spawned_process and system_users and interactive
output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
priority: INFO
tags: [users]
tags: [users, mitre_remote_access_tools]

- rule: Terminal shell in container
desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
Expand All @@ -1557,7 +1583,7 @@
A shell was spawned in a container with an attached terminal (user=%user.name %container.info
shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
priority: NOTICE
tags: [container, shell]
tags: [container, shell, mitre_execution]

# For some container types (mesos), there isn't a container image to
# work with, and the container name is autogenerated, so there isn't
Expand Down Expand Up @@ -1631,7 +1657,7 @@
Known system binary sent/received network traffic
(user=%user.name command=%proc.cmdline connection=%fd.name)
priority: NOTICE
tags: [network]
tags: [network, mitre_exfiltration]

- list: openvpn_udp_ports
items: [1194, 1197, 1198, 8080, 9201]
Expand Down Expand Up @@ -1672,7 +1698,7 @@
Unexpected UDP Traffic Seen
(user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args)
priority: NOTICE
tags: [network]
tags: [network, mitre_exfiltration]

# With the current restriction on system calls handled by falco
# (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
Expand Down Expand Up @@ -1731,7 +1757,7 @@
Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
command=%proc.cmdline uid=%evt.arg.uid)
priority: NOTICE
tags: [users]
tags: [users, mitre_privilege_escalation]

- rule: User mgmt binaries
desc: >
Expand All @@ -1755,7 +1781,7 @@
User management binary command run outside of container
(user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
priority: NOTICE
tags: [host, users]
tags: [host, users, mitre_persistence]

- list: allowed_dev_files
items: [
Expand All @@ -1775,7 +1801,7 @@
and not fd.name startswith /dev/tty
output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
priority: ERROR
tags: [filesystem]
tags: [filesystem, mitre_persistence]


# In a local/user rules file, you could override this macro to
Expand All @@ -1797,7 +1823,7 @@
condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers
output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)
priority: NOTICE
tags: [network, aws, container]
tags: [network, aws, container, mitre_discovery]

# In a local/user rules file, you should override this macro with the
# IP address of your k8s api server. The IP 1.2.3.4 is a placeholder
Expand All @@ -1820,7 +1846,7 @@
condition: outbound and k8s_api_server and container and not k8s_containers
output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag connection=%fd.name)
priority: NOTICE
tags: [network, k8s, container]
tags: [network, k8s, container, mitre_discovery]

# In a local/user rules file, list the container images that are
# allowed to contact NodePort services from within a container. This
Expand All @@ -1836,10 +1862,10 @@
condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers
output: Unexpected K8s NodePort Connection (command=%proc.cmdline connection=%fd.name)
priority: NOTICE
tags: [network, k8s, container]
tags: [network, k8s, container, mitre_port_knocking]

- list: network_tool_binaries
items: [nc, ncat, nmap]
items: [nc, ncat, nmap, dig]

- macro: network_tool_procs
condition: proc.name in (network_tool_binaries)
Expand All @@ -1853,7 +1879,7 @@
Package management process launched in container (user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: ERROR
tags: [process]
tags: [process, mitre_persistence]

- rule: Netcat Remote Code Execution in Container
desc: Netcat Program runs inside container that allows remote code execution
Expand All @@ -1866,17 +1892,60 @@
Netcat runs inside container that allows remote code execution (user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: WARNING
tags: [network, process]
tags: [network, process, mitre_execution]

- rule: Lauch Suspicious Network Tool in Container
desc: Detect network tools launched inside container
condition: >
spawned_process and container and network_tool_procs
output: >
Network tool launched in container (user=%user.name
command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority: NOTICE
tags: [network, process]
tags: [network, process, mitre_discovery, mitre_exfiltration]

- list: grep_binaries
items: [grep, egre, fgrep]

- macro: grep_commands
condition: (proc.name in (grep_binaries))

- macro: private_key_or_password
condition: >
(proc.args icontains "BEGIN PRIVATE" or
proc.args icontains "BEGIN RSA PRIVATE" or
proc.args icontains "BEGIN DSA PRIVATE" or
proc.args icontains "BEGIN EC PRIVATE" or
proc.args icontains "pass" or
proc.args icontains "ssh"
)

- rule: Search Private Keys or Passwords
desc: >
Detect grep private keys or passwords activity.
condition: >
(spawned_process and container and
((grep_commands and private_key_or_password) or
(proc.name = "find" and (proc.args contains "id_rsa" or proc.args contains "id_dsa")))
)
output: >
Grep private keys or passwords activities found
(user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
image=%container.image.repository:%container.image.tag)
priority:
WARNING
tags: [process, mitre_credential_access]

- rule: Delete Bash History
desc: Detect bash history deletetion
condition: >
(spawned_process and proc.name in (shred, rm) and proc.args contains "bash_history")
output: >
Bash history has been deleted (user=%user.name command=%proc.cmdline
container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
priority:
WARNING
tag: [process, mitre_defense_evation]

# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
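Review bot: The three new rules Modify User Context, Schedule Cron Jobs in Container and Delete Bash History use the key `tag:` where every other rule in this file uses `tags:` (compare the `tags: [...]` lines in the same hunks), so their MITRE tags will most likely not be picked up when rules are selected by tag; change them to `tags: [file, mitre_persistence]`, `tags: [file, mitre_persistence]` and `tags: [process, mitre_defense_evasion]`, which also corrects the `mitre_defense_evation` spelling. In the new grep_binaries list, `items: [grep, egre, fgrep]` appears to be a typo for `egrep`, so that variant would never satisfy the grep_commands macro used by Search Private Keys or Passwords. That rule's private_key_or_password macro also matches any grep argument containing `pass` or `ssh`, which will fire on unrelated searches inside containers; consider restricting the substring terms to the PEM header strings and explicit key/password file names, or documenting the expected noise in the rule's desc. Minor: the Delete Bash History desc reads `deletetion`.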