From 1d2884c9e73c6047fc421f257c084cf0faf956f6 Mon Sep 17 00:00:00 2001
From: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
Date: Mon, 10 Oct 2022 16:41:16 +0200
Subject: [PATCH] feat: Support for detecting outbound connection to c2 servers with FQDN domains and IP addresses.

---
 rules/falco_rules.yaml | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7707491f688..5802206a31c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3052,10 +3052,37 @@
 - list: c2_server_ip_list
   items: []
 
-- rule: Outbound Connection to C2 Servers
-  desc: Detect outbound connection to command & control servers
-  condition: outbound and fd.sip in (c2_server_ip_list)
-  output: Outbound connection to C2 server (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+- list: c2_server_fqdn_list
+  items: []
+
+# Use Falco HELM chart to update (append) the list with values.
+#
+# ```yaml
+# customRules:
+#   c2-servers-list.yaml: |-
+#     - list: c2_server_ip_list
+#       append: true
+#       items:
+#         - "'51.178.161.32'"
+#         - "'46.101.90.205'"
+#
+#     - list: c2_server_fqdn_list
+#       append: true
+#       items:
+#         - "srv-web.ffconsulting.com"
+#         - "57.ip-142-44-247.net"
+# ```
+
+- rule: Outbound Connection to C2 Servers IPs and FQDNs
+  desc: >
+    Detect outbound connection to command & control servers. For example, fetch
+    a list of IP addresses and FQDN on this website:
+    https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.json.
+  condition: >
+    outbound and
+    ((fd.sip in (c2_server_ip_list)) or
+    (fd.sip.name in (c2_server_fqdn_list)))
+  output: Outbound connection to C2 server IPs and FQDNs (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [network]
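Review bot: Renaming the rule to `Outbound Connection to C2 Servers IPs and FQDNs` silently orphans any custom rules file that tunes the old name (a `- rule: Outbound Connection to C2 Servers` stanza with `enabled: false` or `append: true` no longer matches anything), so either keep the old name or state the rename and its effect in the commit message. The new `output:` line also drops the `pid=%proc.pid` field that the removed output carried, losing correlation context in the alert for no stated reason; restore it as `output: Outbound connection to C2 server IPs and FQDNs (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)`. `fd.sip.name` appears to be a name derived from the server address rather than the name the process connected to, so the FQDN branch presumably only fires when that resolution agrees with a list entry; a comment above `condition:` recording that assumption would help operators understand misses. In the Helm example the IP items carry inner single quotes (`"'51.178.161.32'"`) while the FQDN items do not, so confirm which form Falco's list parsing requires and make the two lists consistent so the documented snippet loads as written.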