diff --git a/README.md b/README.md index 869fbacb7db..7db6dbce600 100644 --- a/README.md +++ b/README.md @@ -80,6 +80,8 @@ For example, Falco can easily detect incidents including but not limited to: - A standard system binary, such as `ls`, is making an outbound network connection. - A privileged pod is started in a Kubernetes cluster. +The Falco rules inventory [document](rules-inventory/rules_mitre_overview.md) provides additional details around the default rules Falco ships with. + ## Installing Falco If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/). diff --git a/rules-inventory/rules_mitre_overview.md b/rules-inventory/rules_mitre_overview.md new file mode 100644 index 00000000000..c5ed2d958ed --- /dev/null +++ b/rules-inventory/rules_mitre_overview.md 
@@ -0,0 +1,245 @@ + + + +# Falco Rules - Summary Stats + + + + + + +This document is auto-generated. Last Updated: 2022-11-16. + + +The Falco project ships with 75 [default rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) contributed by the community. The intended outcome of this document is to provide a comprehensive overview of the default rules, provide additional resources and help drive future improvements. + + + + + + +Falco default rules per workload type: + + + +| workload | rule_count | percentage | +|:----------------|-------------:|:-------------| +| container | 27 | 36.0% | +| container, host | 47 | 62.67% | +| host | 1 | 1.33% | + + + +Falco default rules per [Falco tag](https://falco.org/docs/rules/#tags): + + + +| extra_tag | rule_count | percentage | +|:--------------|-------------:|:-------------| +| aws | 1 | 1.01% | +| cis | 5 | 5.05% | +| database | 1 | 1.01% | +| filesystem | 30 | 30.3% | +| k8s | 2 | 2.02% | +| network | 22 | 22.22% | +| process | 26 | 26.26% | +| shell | 2 | 2.02% | +| software_mgmt | 2 | 2.02% | +| users | 8 | 8.08% | + + + +Falco default rules per [Mitre Attack](https://attack.mitre.org/) phase: + + + +| mitre_phase | rules | percentage | +|:---------------------------|:-----------------------------------------------------------------------|:-------------| +| mitre_command_and_control | Disallowed SSH Connection | 8.0% | +| | Launch Ingress Remote File Copy Tools in Container | | +| | Outbound Connection to C2 Servers | | +| | Program run with disallowed http proxy env | | +| | Unexpected inbound connection source | | +| | Unexpected outbound connection destination | | +| mitre_credential_access | Create Hardlink Over Sensitive Files | 9.33% | +| | Create Symlink Over Sensitive Files | | +| | Directory traversal monitored file read | | +| | Read environment variable from /proc files | | +| | Read sensitive file trusted after startup | | +| | Read sensitive file untrusted | | +| | Search 
Private Keys or Passwords | | +| mitre_defense_evasion | Clear Log Activities | 5.33% | +| | Delete Bash History | | +| | Delete or rename shell history | | +| | Unprivileged Delegation of Page Faults Handling to a Userspace Process | | +| mitre_discovery | Contact EC2 Instance Metadata Service From Container | 18.67% | +| | Contact K8S API Server From Container | | +| | Contact cloud metadata service from container | | +| | Directory traversal monitored file read | | +| | Launch Suspicious Network Tool in Container | | +| | Launch Suspicious Network Tool on Host | | +| | Network Connection outside Local Subnet | | +| | Outbound or Inbound Traffic not to Authorized Server Process and Port | | +| | Packet socket created in container | | +| | Read Shell Configuration File | | +| | Read environment variable from /proc files | | +| | Read sensitive file untrusted | | +| | Read ssh information | | +| | Redirect STDOUT/STDIN to Network Connection in Container | | +| mitre_execution | Container Drift Detected (chmod) | 18.67% | +| | Container Drift Detected (open+create) | | +| | Container Run as Root User | | +| | DB program spawned process | | +| | Debugfs Launched in Privileged Container | | +| | Detect crypto miners using the Stratum protocol | | +| | Detect outbound connections to common miner pool ports | | +| | Linux Kernel Module Injection Detected | | +| | Netcat Remote Code Execution in Container | | +| | Redirect STDOUT/STDIN to Network Connection in Container | | +| | Run shell untrusted | | +| | System user interactive | | +| | Terminal shell in container | | +| | The docker client is executed in a container | | +| mitre_exfiltration | Create Hardlink Over Sensitive Files | 13.33% | +| | Create Symlink Over Sensitive Files | | +| | Directory traversal monitored file read | | +| | Interpreted procs inbound network activity | | +| | Interpreted procs outbound network activity | | +| | Launch Remote File Copy Tools in Container | | +| | Launch Suspicious Network 
Tool in Container | | +| | Launch Suspicious Network Tool on Host | | +| | System procs network activity | | +| | Unexpected UDP Traffic | | +| mitre_initial_access | Java Process Class File Download | 2.67% | +| | Modify Container Entrypoint | | +| mitre_lateral_movement | Change thread namespace | 13.33% | +| | Debugfs Launched in Privileged Container | | +| | Detect release_agent File Container Escapes | | +| | Disallowed SSH Connection | | +| | Launch Disallowed Container | | +| | Launch Excessively Capable Container | | +| | Launch Privileged Container | | +| | Launch Remote File Copy Tools in Container | | +| | Launch Sensitive Mount Container | | +| | Mount Launched in Privileged Container | | +| mitre_persistence | Create Hidden Files or Directories | 24.0% | +| | Create files below dev | | +| | Launch Package Management Process in Container | | +| | Linux Kernel Module Injection Detected | | +| | Mkdir binary dirs | | +| | Modify Shell Configuration File | | +| | Modify binary dirs | | +| | Remove Bulk Data from Disk | | +| | Schedule Cron Jobs | | +| | Set Setuid or Setgid bit | | +| | Unexpected K8s NodePort Connection | | +| | Update Package Repository | | +| | User mgmt binaries | | +| | Write below binary dir | | +| | Write below etc | | +| | Write below monitored dir | | +| | Write below root | | +| | Write below rpm database | | +| mitre_privilege_escalation | Change thread namespace | 9.33% | +| | Detect release_agent File Container Escapes | | +| | Launch Excessively Capable Container | | +| | Launch Privileged Container | | +| | Non sudo setuid | | +| | Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | | +| | Sudo Potential Privilege Escalation | | + + + +# Falco Rules - Detailed Overview + + + + + +54 Falco rules (72.00% of rules) are enabled by default: + + +| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags | 
+|:-----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------| +| Contact EC2 Instance Metadata Service From Container | Detect attempts to contact the EC2 Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, aws | +| Contact K8S API Server From Container | Detect attempts to contact the K8S API Server from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, k8s | +| Debugfs Launched in Privileged Container | Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. | container | mitre_execution, mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, process | +| Detect release_agent File Container Escapes | This rule detect an attempt to exploit a container escape using release_agent file. 
By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container | container | mitre_lateral_movement, mitre_privilege_escalation | [T1611](https://attack.mitre.org/techniques/T1611) | process | +| Launch Disallowed Container | Detect the initial process started by a container that is not in a list of allowed containers. | container | mitre_lateral_movement | [T1610](https://attack.mitre.org/techniques/T1610) | | +| Launch Excessively Capable Container | Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images. | container | mitre_lateral_movement, mitre_privilege_escalation | [T1610](https://attack.mitre.org/techniques/T1610) | cis | +| Launch Ingress Remote File Copy Tools in Container | Detect ingress remote file copy tools launched in container | container | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network, process | +| Launch Package Management Process in Container | Package management process ran inside container | container | mitre_persistence | [T1505](https://attack.mitre.org/techniques/T1505) | process, software_mgmt | +| Launch Privileged Container | Detect the initial process started in a privileged container. Exceptions are made for known trusted images. | container | mitre_lateral_movement, mitre_privilege_escalation | [T1610](https://attack.mitre.org/techniques/T1610) | cis | +| Launch Remote File Copy Tools in Container | Detect remote file copy tools launched in container | container | mitre_exfiltration, mitre_lateral_movement | [T1020](https://attack.mitre.org/techniques/T1020), [T1210](https://attack.mitre.org/techniques/T1210) | network, process | +| Launch Sensitive Mount Container | Detect the initial process started by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images. 
| container | mitre_lateral_movement | [T1610](https://attack.mitre.org/techniques/T1610) | cis | +| Launch Suspicious Network Tool in Container | Detect network tools launched inside container | container | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process | +| Mount Launched in Privileged Container | Detect file system mount happened inside a privileged container which might lead to container escape. | container | mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, filesystem | +| Netcat Remote Code Execution in Container | Netcat Program runs inside container that allows remote code execution | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | network, process | +| Packet socket created in container | Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker. | container | mitre_discovery | [T1046](https://attack.mitre.org/techniques/T1046) | network | +| Read environment variable from /proc files | An attempt to read process environment variables from /proc files | container | mitre_credential_access, mitre_discovery | [T1083](https://attack.mitre.org/techniques/T1083) | filesystem, process | +| Redirect STDOUT/STDIN to Network Connection in Container | Detect redirecting stdout/stdin to network connection in container (potential reverse shell). | container | mitre_discovery, mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | network, process | +| Terminal shell in container | A shell was used as the entrypoint/exec point into a container with an attached terminal. 
| container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | shell | +| The docker client is executed in a container | Detect a k8s client tool executed inside a container | container | mitre_execution | [T1610](https://attack.mitre.org/techniques/T1610) | | +| Unexpected K8s NodePort Connection | Detect attempts to use K8s NodePorts from a container | container | mitre_persistence | [T1205.001](https://attack.mitre.org/techniques/T1205/001) | network, k8s | +| Clear Log Activities | Detect clearing of critical log files | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | filesystem | +| Create Hardlink Over Sensitive Files | Detect hardlink created over sensitive files | container, host | mitre_credential_access, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | +| Create Symlink Over Sensitive Files | Detect symlink created over sensitive files | container, host | mitre_credential_access, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | +| Create files below dev | creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. | container, host | mitre_persistence | [T1083](https://attack.mitre.org/techniques/T1083), [T1543](https://attack.mitre.org/techniques/T1543) | filesystem | +| DB program spawned process | a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks. 
| container, host | mitre_execution | [T1190](https://attack.mitre.org/techniques/T1190) | process, database | +| Delete Bash History | Detect bash history deletion | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | process, filesystem | +| Delete or rename shell history | Detect shell history deletion | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | process, filesystem | +| Detect crypto miners using the Stratum protocol | Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' | container, host | mitre_execution | [T1496](https://attack.mitre.org/techniques/T1496) | process | +| Directory traversal monitored file read | Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts. | container, host | mitre_credential_access, mitre_discovery, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | +| Java Process Class File Download | Detected Java process downloading a class file which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228) | container, host | mitre_initial_access | [T1190](https://attack.mitre.org/techniques/T1190) | process | +| Linux Kernel Module Injection Detected | Detect kernel module was injected (from container). 
| container, host | mitre_execution, mitre_persistence | [TA0002](https://attack.mitre.org/tactics/TA0002) | process | +| Mkdir binary dirs | an attempt to create a directory below a set of binary directories. | container, host | mitre_persistence | [T1222.002](https://attack.mitre.org/techniques/T1222/002) | filesystem | +| Modify Shell Configuration File | Detect attempt to modify shell configuration files | container, host | mitre_persistence | [T1546.004](https://attack.mitre.org/techniques/T1546/004) | filesystem | +| Modify binary dirs | an attempt to modify any file below a set of binary directories. | container, host | mitre_persistence | [T1222.002](https://attack.mitre.org/techniques/T1222/002) | filesystem | +| Non sudo setuid | an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" suing to itself are also excluded, as setuid calls typically involve dropping privileges. | container, host | mitre_privilege_escalation | [T1548.001](https://attack.mitre.org/techniques/T1548/001) | users | +| Outbound Connection to C2 Servers | Detect outbound connection to command & control servers | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system | container, host | mitre_privilege_escalation | [TA0004](https://attack.mitre.org/tactics/TA0004) | process, users | +| Read sensitive file trusted after startup | an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards. 
| container, host | mitre_credential_access | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | +| Read sensitive file untrusted | an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. | container, host | mitre_credential_access, mitre_discovery | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | +| Remove Bulk Data from Disk | Detect process running to clear bulk data from disk | container, host | mitre_persistence | [T1485](https://attack.mitre.org/techniques/T1485) | process, filesystem | +| Run shell untrusted | an attempt to spawn a shell below a non-shell application. Specific applications are monitored. | container, host | mitre_execution | [T1059.004](https://attack.mitre.org/techniques/T1059/004) | process, shell | +| Search Private Keys or Passwords | Detect grep private keys or passwords activity. | container, host | mitre_credential_access | [T1552.001](https://attack.mitre.org/techniques/T1552/001) | process, filesystem | +| Sudo Potential Privilege Escalation | Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root. 
| container, host | mitre_privilege_escalation | [T1548.003](https://attack.mitre.org/techniques/T1548/003) | filesystem, users | +| System procs network activity | any network activity performed by system binaries that are not expected to send or receive any network traffic | container, host | mitre_exfiltration | [T1059](https://attack.mitre.org/techniques/T1059), [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| System user interactive | an attempt to run interactive commands by a system (i.e. non-login) user | container, host | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | users | +| Unprivileged Delegation of Page Faults Handling to a Userspace Process | Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs | container, host | mitre_defense_evasion | [TA0005](https://attack.mitre.org/tactics/TA0005) | process | +| Update Package Repository | Detect package repositories get updated | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem | +| User mgmt binaries | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup. Some innocuous command lines that don't actually change anything are excluded. 
| container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098), [T1543](https://attack.mitre.org/techniques/T1543) | users, software_mgmt | +| Write below binary dir | an attempt to write to any file below a set of binary directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem | +| Write below etc | an attempt to write to any file below /etc | container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098) | filesystem | +| Write below monitored dir | an attempt to write to any file below a set of monitored directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem | +| Write below root | an attempt to write to any file directly below / or /root | container, host | mitre_persistence | [TA0003](https://attack.mitre.org/tactics/TA0003) | filesystem | +| Write below rpm database | an attempt to write to the rpm database by any non-rpm related program | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem | +| Launch Suspicious Network Tool on Host | Detect network tools launched on the host | host | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process | + + +21 Falco rules (28.00% of rules) are *not* enabled by default: + + +| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags | 
+|:----------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:---------------------------------------------------|:-------------------------------------------------------------------------------------------------------|:--------------------| +| Contact cloud metadata service from container | Detect attempts to contact the Cloud Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network | +| Container Drift Detected (chmod) | New executable created in a container due to chmod | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | process, filesystem | +| Container Drift Detected (open+create) | New executable created in a container due to open+create | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | process, filesystem | +| Container Run as Root User | Detected container running as root user | container | mitre_execution | [T1610](https://attack.mitre.org/techniques/T1610) | process, users | +| Modify Container Entrypoint | This rule detect an attempt to write on container entrypoint symlink (/proc/self/exe). Possible CVE-2019-5736 Container Breakout exploitation attempt. | container | mitre_initial_access | [T1611](https://attack.mitre.org/techniques/T1611) | filesystem | +| Network Connection outside Local Subnet | Detect traffic to image outside local subnet. | container | mitre_discovery | [T1046](https://attack.mitre.org/techniques/T1046) | network | +| Outbound or Inbound Traffic not to Authorized Server Process and Port | Detect traffic that is not to authorized server process and port. 
| container | mitre_discovery | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| Change thread namespace | an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. | container, host | mitre_lateral_movement, mitre_privilege_escalation | [T1611](https://attack.mitre.org/techniques/T1611) | process | +| Create Hidden Files or Directories | Detect hidden files or directories created | container, host | mitre_persistence | [T1564.001](https://attack.mitre.org/techniques/T1564/001) | filesystem | +| Detect outbound connections to common miner pool ports | Miners typically connect to miner pools on common ports. | container, host | mitre_execution | [T1496](https://attack.mitre.org/techniques/T1496) | network | +| Disallowed SSH Connection | Detect any new ssh connection to a host other than those in an allowed group of hosts | container, host | mitre_command_and_control, mitre_lateral_movement | [T1021.004](https://attack.mitre.org/techniques/T1021/004) | network | +| Interpreted procs inbound network activity | Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.) | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| Interpreted procs outbound network activity | Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) 
| container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| Program run with disallowed http proxy env | An attempt to run a program with a disallowed HTTP_PROXY environment variable | container, host | mitre_command_and_control | [T1090](https://attack.mitre.org/techniques/T1090), [T1204](https://attack.mitre.org/techniques/T1204) | users | +| Read Shell Configuration File | Detect attempts to read shell configuration files by non-shell programs | container, host | mitre_discovery | [T1546.004](https://attack.mitre.org/techniques/T1546/004) | filesystem | +| Read ssh information | Any attempt to read files below ssh directories by non-ssh programs | container, host | mitre_discovery | [T1005](https://attack.mitre.org/techniques/T1005) | filesystem | +| Schedule Cron Jobs | Detect cron jobs scheduled | container, host | mitre_persistence | [T1053.003](https://attack.mitre.org/techniques/T1053/003) | filesystem | +| Set Setuid or Setgid bit | When the setuid or setgid bits are set for an application, this means that the application will run with the privileges of the owning user or group respectively. 
Detect setuid or setgid bits set via chmod | container, host | mitre_persistence | [T1548.001](https://attack.mitre.org/techniques/T1548/001) | process, users | +| Unexpected UDP Traffic | UDP traffic not on port 53 (DNS) or other commonly used ports | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| Unexpected inbound connection source | Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | +| Unexpected outbound connection destination | Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | diff --git a/rules-inventory/scripts/requirements.txt b/rules-inventory/scripts/requirements.txt new file mode 100644 index 00000000000..be1f461e26e --- /dev/null +++ b/rules-inventory/scripts/requirements.txt @@ -0,0 +1,3 @@ +pandas +pyyaml +tabulate \ No newline at end of file diff --git a/rules-inventory/scripts/rules_mitre_overview_generator.py b/rules-inventory/scripts/rules_mitre_overview_generator.py new file mode 100644 index 00000000000..07b2c56bac3 --- /dev/null +++ b/rules-inventory/scripts/rules_mitre_overview_generator.py 
@@ -0,0 +1,89 @@ +import pandas as pd +import yaml +import argparse +import datetime + +""" +Usage: +python rules-inventory/scripts/rules_mitre_overview_generator.py --rules_file=rules/falco_rules.yaml +""" + +BASE_MITRE_URL_TECHNIQUE="https://attack.mitre.org/techniques/" +BASE_MITRE_URL_TACTIC="https://attack.mitre.org/tactics/" +COLUMNS=['rule', 'desc', 'workload', 'mitre_phase', 'mitre_ttp', 'extra_tags', 'extra_tags_list', 'mitre_phase_list', 'enabled'] + +def arg_parser(): + parser = argparse.ArgumentParser() + parser.add_argument('--rules_file', help='Path to falco rules yaml file') + return parser.parse_args() + +def rules_to_df(rules_file): + l = [] + with open(rules_file, 'r') as f: + items = yaml.safe_load(f) + for item in items: + if 'rule' in item and 'tags' in item: + if len(item['tags']) > 0: + item['workload'], item['mitre_phase'], item['mitre_ttp'], item['extra_tags'] = [], [], [], [] + for i in item['tags']: + if i in ['host', 'container']: + item['workload'].append(i) + elif i.startswith('mitre'): + item['mitre_phase'].append(i) + elif i.startswith('T'): + if i.startswith('TA'): + item['mitre_ttp'].append('[{}]({}{})'.format(i, BASE_MITRE_URL_TACTIC, i.replace('.', '/'))) + else: + item['mitre_ttp'].append('[{}]({}{})'.format(i, BASE_MITRE_URL_TECHNIQUE, i.replace('.', '/'))) + else: + item['extra_tags'].append(i) + item['workload'].sort() + item['mitre_phase'].sort() + item['mitre_ttp'].sort() + item['mitre_phase_list'] = item['mitre_phase'] + item['extra_tags_list'] = item['extra_tags'] + item['enabled'] = (item['enabled'] if 'enabled' in item else True) + l.append([', '.join(item[x]) if x in ['workload', 'mitre_ttp', 'extra_tags', 'mitre_phase'] else item[x] for x in COLUMNS]) + df = pd.DataFrame.from_records(l, columns=COLUMNS) + return df.sort_values(by=['workload','rule'], inplace=False) + +def print_markdown(df): + n_rules=len(df) + + print('\n\n\n# Falco Rules - Summary Stats\n\n\n') + print('\n\n\nThis document is auto-generated. 
Last Updated: {}.\n\n'.format(datetime.date.today())) + print('The Falco project ships with {} [default rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) contributed by the community. The intended outcome of this document is to provide a comprehensive overview of the default rules, provide additional resources and help drive future improvements.\n\n\n'.format(n_rules)) + + print('\n\n\nFalco default rules per workload type:\n\n\n') + df_stats1 = df.groupby('workload').agg(rule_count=('workload', 'count')) + df_stats1['percentage'] = round(100.0 * df_stats1['rule_count'] / df_stats1['rule_count'].sum(), 2).astype(str) + '%' + print(df_stats1.to_markdown(index=True)) + + print('\n\n\nFalco default rules per [Falco tag](https://falco.org/docs/rules/#tags):\n\n\n') + df_stats2 = df[['rule', 'extra_tags_list']].explode('extra_tags_list') + df_stats2.rename(columns={'extra_tags_list':'extra_tag'}, inplace=True) + df_stats2 = df_stats2.groupby('extra_tag').agg(rule_count=('extra_tag', 'count')) + df_stats2['percentage'] = round(100.0 * df_stats2['rule_count'] / df_stats2['rule_count'].sum(), 2).astype(str) + '%' + print(df_stats2.to_markdown(index=True)) + + print('\n\n\nFalco default rules per [Mitre Attack](https://attack.mitre.org/) phase:\n\n\n') + df_stats3 = df[['rule', 'mitre_phase_list']].explode('mitre_phase_list') + df_stats3.rename(columns={'mitre_phase_list':'mitre_phase'}, inplace=True) + df_stats3.sort_values(by=['mitre_phase','rule'], inplace=True) + df_stats3 = df_stats3.groupby("mitre_phase").agg({"rule": lambda x: ['\n'.join(list(x)), len(list(x))]}) + df_stats3['rules'] = df_stats3['rule'].apply(lambda x: x[0]) + df_stats3['percentage'] = df_stats3['rule'].apply(lambda x: round((100.0 * x[1] / n_rules), 2)).astype(str) + '%' + print(df_stats3.drop('rule', axis=1).to_markdown(index=True)) + + print('\n\n\n# Falco Rules - Detailed Overview\n\n\n') + df_stats4 = df.drop(['extra_tags_list', 'mitre_phase_list'], axis=1) + 
df_enabled = df_stats4[(df_stats4['enabled'] == True)].drop(['enabled'], axis=1) + df_disabled = df_stats4[(df_stats4['enabled'] == False)].drop(['enabled'], axis=1) + print('\n\n{} Falco rules ({:.2f}% of rules) are enabled by default:\n\n'.format(len(df_enabled), (100.0 * len(df_enabled) / n_rules))) + print(df_enabled.to_markdown(index=False)) + print('\n\n{} Falco rules ({:.2f}% of rules) are *not* enabled by default:\n\n'.format(len(df_disabled), (100.0 * len(df_disabled) / n_rules))) + print(df_disabled.to_markdown(index=False)) + +if __name__ == "__main__": + args_parsed = arg_parser() + print_markdown(rules_to_df(args_parsed.rules_file)) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 773c62860b3..7afc1acb586 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -27,6 +27,12 @@ # - macro: read # condition: (syscall.type=read and evt.dir=> and fd.type in (file, directory)) +# Information about rules tags and fields can be found here: https://falco.org/docs/rules/#tags-for-current-falco-ruleset +# `tags` fields also include information about the type of workload inspection, Mitre Attack killchain phases and Mitre TTP code(s) +# Mitre Attack References: +# [1] https://attack.mitre.org/tactics/enterprise/ +# [2] https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json + - macro: open_write condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0) 
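Review bot: in rules_to_df, rules that have no `tags` key or an empty list are dropped by `if 'rule' in item and 'tags' in item:` / `if len(item['tags']) > 0:`, so `n_rules = len(df)` in print_markdown undercounts the ruleset and the generated "ships with {} default rules" sentence is wrong whenever a rule is untagged (this patch itself adds tags to rules that previously had none, so the case is real). Suggest counting every item that has a `rule` key and listing untagged rules in their own table so the gap is visible instead of hidden. Two smaller points in the same file: the workload and extra_tag tables compute `percentage` against the sum of the exploded tag counts (a rule with two extra tags counts twice) while the mitre_phase table divides by `n_rules`, so the three "percentage" columns mean different things and only the first two sum to 100%; and `elif i.startswith('T')` / `startswith('mitre')` accept any string, so a typo in a technique ID or an unknown phase name is rendered as a link to a non-existent attack.mitre.org page. A regex check (`^T\d{4}(\.\d{3})?$`, `^TA\d{4}$`) plus a fixed set of accepted `mitre_*` phase names, failing the script on a mismatch, would let CI catch bad tags.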
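Review bot: the new header comment in falco_rules.yaml says `tags` carry workload, phase and TTP information but never lists the accepted phase names, and the generator treats any tag beginning with `mitre` as a phase. This patch replaces ad-hoc names such as `mitre_remote_service`, `mitre_port_knocking` and `mitre_remote_access_tools`; spell out the allowed set here (one `mitre_<tactic>` per ATT&CK tactic in [1]) and the `host`/`container` workload values, otherwise the next contributor will reintroduce names that are not tactics.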
@@ -369,7 +375,7 @@ enabled: false output: Disallowed SSH Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network, mitre_remote_service] + tags: [host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004] # These rules and supporting macros are more of an example for how to # use the fd.*ip and fd.*ip.name fields to match connection @@ -399,7 +405,7 @@ enabled: false output: Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network] + tags: [host, container, network, mitre_command_and_control, TA0011] - list: allowed_inbound_source_ipaddrs items: ['"127.0.0.1"'] @@ -420,7 +426,7 @@ enabled: false output: Disallowed inbound connection source (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network] + tags: [host, container, network, mitre_command_and_control, TA0011] - list: bash_config_filenames items: [.bashrc, .bash_profile, .bash_history, .bash_login, .bash_logout, .inputrc, .profile] @@ -464,7 +470,7 @@ a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [file, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1546.004] # This rule is not enabled by default, as there are many legitimate # readers of shell config files. 
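Review bot: in the `Unexpected inbound connection source` hunk, TA0011 (Command and Control) with `mitre_command_and_control` describes outbound beaconing; a disallowed source connecting in is better described as lateral movement (TA0008) or initial access (TA0001), while TA0011 fits the outbound-destination rule directly above it. Also, `Disallowed SSH Connection` gets the sub-technique T1021.004 while both connection rules only get a tactic ID; where no technique can be named, a short comment saying so would stop the tactic-only tags being read as an oversight.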
@@ -482,7 +488,7 @@ a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [file, mitre_discovery] + tags: [host, container, filesystem, mitre_discovery, T1546.004] - macro: user_known_cron_jobs condition: (never_true) @@ -499,7 +505,7 @@ file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [file, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1053.003] # Use this to test whether the event occurred within a container. @@ -877,7 +883,7 @@ Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1072] # Users should overwrite this macro to specify conditions under which a # write under the binary dir is ignored. For example, it may be okay to @@ -898,7 +904,7 @@ File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1543] # If you'd like to generally monitor a wider set of directories on top # of the ones covered by the rule Write below binary dir, you can use 
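Review bot: `Read shell configuration file` is tagged `mitre_discovery` with T1546.004, but T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification) is a Persistence/Privilege Escalation technique about writing these files, and this rule fires on a non-shell program reading them. Under a discovery phase the matching technique is T1083 (File and Directory Discovery); `Modify Shell Configuration File` in the hunk above is where T1546.004 belongs, and it already carries it.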
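Review bot: `Write below binary dir` gets T1543 (Create or Modify System Process); a write under a binary directory is a binary being replaced or planted, not a service definition. T1554 (Compromise Client Software Binary) is a Persistence technique, so it stays consistent with `mitre_persistence`, and it describes what the rule observes.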
@@ -954,7 +960,7 @@ File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1543] # ****************************************************************************** # * "Directory traversal monitored file read" requires FALCO_ENGINE_VERSION 13 * @@ -972,7 +978,7 @@ command=%proc.cmdline pid=%proc.pid parent=%proc.pname file=%fd.name fileraw=%fd.nameraw parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository returncode=%evt.res cwd=%proc.cwd) priority: WARNING - tags: [filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access] + tags: [host, container, filesystem, mitre_discovery, mitre_exfiltration, mitre_credential_access, T1555, T1212, T1020, T1552, T1083] # This rule is disabled by default as many system management tools # like ansible, etc can read these files/paths. Enable it using this macro. @@ -992,7 +998,7 @@ ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository) priority: ERROR - tags: [filesystem, mitre_discovery] + tags: [host, container, filesystem, mitre_discovery, T1005] - list: safe_etc_dirs items: [/etc/cassandra, /etc/ssl/certs/java, /etc/logstash, /etc/nginx/conf.d, /etc/container_environment, /etc/hrmconfig, /etc/fluent/configs.d] 
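Review bot: `Read ssh information` is tagged `mitre_discovery` with T1005, but T1005 (Data from Local System) is a Collection technique, so phase and technique disagree. Since the rule detects a non-ssh program reading ssh keys and config (output: `ssh-related file/directory read by non-ssh program`), T1552.004 (Unsecured Credentials: Private Keys) under `mitre_credential_access` is the exact match; if the discovery phase is intended as well, T1083 is the discovery technique to pair with it.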
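Review bot: the five-ID list on `Directory traversal monitored file read` (T1555, T1212, T1020, T1552, T1083) includes techniques the rule cannot observe: T1212 is exploitation of a credential-access bug and T1020 is automated exfiltration, neither of which is implied by a `../` read of a monitored file. The same list is copied onto the read-sensitive-file rules later in this patch. Trim it to T1083 plus T1552 (and T1555 only where password-store paths are in the monitored set) so each ID is defensible in the generated table.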
@@ -1278,7 +1284,7 @@ condition: write_etc_common output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)" priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1098] - list: known_root_files items: [/root/.monit.state, /root/.auth_tokens, /root/.bash_history, /root/.ash_history, /root/.aws/credentials, @@ -1375,7 +1381,7 @@ and not user_known_write_below_root_activities output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)" priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, TA0003] - macro: cmp_cp_by_passwd condition: proc.name in (cmp, cp) and proc.pname in (passwd, run-parts) @@ -1393,7 +1399,7 @@ Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [filesystem, mitre_credential_access] + tags: [host, container, filesystem, mitre_credential_access, T1555, T1212, T1020, T1552, T1083] - list: read_sensitive_file_binaries items: [ 
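Review bot: `Write below etc` is tagged T1098 (Account Manipulation), which only covers writes to account files such as /etc/passwd, /etc/shadow or /etc/sudoers, while the rule (`write_etc_common`) fires on any write under /etc. Either use the tactic-only TA0003 that `Write below root` gets in the next hunk, or T1543/T1546 for the init and shell-config subtrees, so the ID does not over-claim what the rule detects.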
@@ -1463,7 +1469,7 @@ Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [filesystem, mitre_credential_access, mitre_discovery] + tags: [host, container, filesystem, mitre_credential_access, mitre_discovery, T1555, T1212, T1020, T1552, T1083] - macro: amazon_linux_running_python_yum condition: > @@ -1487,7 +1493,7 @@ and not user_known_write_rpm_database_activities output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)" priority: ERROR - tags: [filesystem, software_mgmt, mitre_persistence] + tags: [host, container, filesystem, software_mgmt, mitre_persistence, T1072] - macro: postgres_running_wal_e condition: (proc.pname=postgres and (proc.cmdline startswith "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e" or proc.cmdline startswith "sh -c envdir \"/run/etc/wal-e.d/env\" wal-g wal-push")) @@ -1526,7 +1532,7 @@ Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid program=%proc.cmdline pid=%proc.pid parent=%proc.pname container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [process, database, mitre_execution] + tags: [host, container, process, database, mitre_execution, T1190] - macro: user_known_modify_bin_dir_activities condition: (never_true) 
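Review bot: `DB program spawned process` pairs `mitre_execution` with T1190 (Exploit Public-Facing Application), which is an Initial Access technique, so phase and ID disagree. The rule observes a database process spawning a child, which is T1059 (Command and Scripting Interpreter) under execution; if the intent is to flag post-exploitation of an exposed database, add `mitre_initial_access` next to T1190 rather than leaving the pair mismatched.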
@@ -1538,7 +1544,7 @@ File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository) priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1222.002] - macro: user_known_mkdir_bin_dir_activities condition: (never_true) @@ -1555,7 +1561,7 @@ Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid directory=%evt.arg.path container_id=%container.id image=%container.image.repository) priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1222.002] # This list allows for easy additions to the set of commands allowed # to change thread namespace without having to copy and override the @@ -1597,7 +1603,7 @@ Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [process, mitre_privilege_escalation, mitre_lateral_movement] + tags: [host, container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611] # The binaries in this list and their descendents are *not* allowed # spawn shells. This includes the binaries spawning shells directly as 
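Review bot: `Modify binary dirs` and `Mkdir binary dirs` get T1222.002, which is File and Directory Permissions Modification (chmod/chown) under Defense Evasion; the rules detect rename/remove (`operation=%evt.type`) and directory creation under binary dirs, not permission changes, and are tagged `mitre_persistence`. T1036 (Masquerading) with `mitre_defense_evasion` fits a renamed system binary, and T1554 or tactic-only TA0003 fits a new file tree under a binary dir; either way T1222.002 is the wrong ID for both hunks.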
@@ -1744,7 +1750,7 @@ cmdline=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository) priority: DEBUG - tags: [shell, mitre_execution] + tags: [host, container, process, shell, mitre_execution, T1059.004] - macro: allowed_openshift_registry_root condition: > @@ -1927,7 +1933,7 @@ and not redhat_image output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag) priority: INFO - tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] + tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement, T1610] # These capabilities were used in the past to escape from containers - macro: excessively_capable_container @@ -1951,7 +1957,7 @@ and not user_privileged_containers output: Excessively capable container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted) priority: INFO - tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement] + tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement, T1610] # For now, only considering a full mount of /etc as 
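Review bot: `Privileged container started` and `Excessively capable container started` are tagged `mitre_privilege_escalation`/`mitre_lateral_movement` with T1610, but T1610 (Deploy Container) is an Execution/Defense Evasion technique. A privileged or excessively capable container is the precondition for T1611 (Escape to Host), a Privilege Escalation technique that this patch already uses for `Change thread namespace` and `Debugfs Launched in Privileged Container`; use T1611 here (and for `Container with sensitive mount started` in the next hunk), or add `mitre_execution` so the phase tags match T1610. `Container started and not in allowed list` is a plain T1610 case and should carry `mitre_execution`.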
@@ -1997,7 +2003,7 @@ and not user_sensitive_mount_containers output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts) priority: INFO - tags: [container, cis, mitre_lateral_movement] + tags: [container, cis, mitre_lateral_movement, T1610] # In a local/user rules file, you could override this macro to # explicitly enumerate the container images that you want to run in @@ -2017,7 +2023,7 @@ condition: container_started and container and not allowed_containers output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [container, mitre_lateral_movement] + tags: [container, mitre_lateral_movement, T1610] - macro: user_known_system_user_login condition: (never_true) @@ -2032,7 +2038,7 @@ condition: spawned_process and system_users and interactive and not user_known_system_user_login output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id image=%container.image.repository)" priority: INFO - tags: [users, mitre_remote_access_tools] + tags: [host, container, users, mitre_execution, T1059] # In some cases, a shell is expected to be run in a container. For example, configuration # management software may do this, which is expected. 
@@ -2050,7 +2056,7 @@ A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [container, shell, mitre_execution] + tags: [container, shell, mitre_execution, T1059] # For some container types (mesos), there isn't a container image to # work with, and the container name is autogenerated, so there isn't @@ -2126,7 +2132,7 @@ Known system binary sent/received network traffic (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network, mitre_exfiltration] + tags: [host, container, network, mitre_exfiltration, T1059, TA0011] # This list allows easily whitelisting system proc names that are # expected to communicate on the network. @@ -2165,7 +2171,7 @@ Program run with disallowed HTTP_PROXY environment variable (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [host, users] + tags: [host, container, users, mitre_command_and_control, T1090, T1204] # In some environments, any attempt by a interpreted program (perl, # python, ruby, etc) to listen for incoming connections or perform 
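Review bot: `System procs network activity` keeps `mitre_exfiltration` as phase but gets TA0011 (Command and Control) and T1059; T1059 (Command and Scripting Interpreter) does not describe a system binary opening a socket, and TA0011 contradicts the phase. If the phase stays exfiltration, the consistent IDs are TA0010 or T1041 (Exfiltration Over C2 Channel); if the concern is beaconing, change the phase to `mitre_command_and_control` and keep TA0011. Drop T1059 either way.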
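Review bot: `Program run with disallowed http proxy env` adds T1204 (User Execution) alongside T1090 (Proxy); an HTTP_PROXY variable pointing at a disallowed host says nothing about a user executing something, so T1090 alone, under the `mitre_command_and_control` phase also added here, is the defensible tag.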
@@ -2181,7 +2187,7 @@ Interpreted program received/listened for network traffic (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network, mitre_exfiltration] + tags: [host, container, network, mitre_exfiltration, TA0011] - rule: Interpreted procs outbound network activity desc: Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) @@ -2192,7 +2198,7 @@ Interpreted program performed outgoing network connection (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network, mitre_exfiltration] + tags: [host, container, network, mitre_exfiltration, TA0011] - list: openvpn_udp_ports items: [1194, 1197, 1198, 8080, 9201] @@ -2231,7 +2237,7 @@ Unexpected UDP Traffic Seen (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network, mitre_exfiltration] + tags: [host, container, network, mitre_exfiltration, TA0011] # With the current restriction on system calls handled by falco # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't @@ -2291,7 +2297,7 @@ Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [users, mitre_privilege_escalation] + tags: [host, container, users, mitre_privilege_escalation, T1548.001] - macro: user_known_user_management_activities condition: (never_true) 
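Review bot: the three network rules in these hunks (`Interpreted procs inbound network activity`, `Interpreted procs outbound network activity`, `Unexpected UDP Traffic`) keep `mitre_exfiltration` as phase but receive TA0011, which is Command and Control, so the tactic ID contradicts the phase tag and the generator will list them under exfiltration with a link to the C2 tactic page. Use TA0010 (Exfiltration), or add `mitre_command_and_control` as a second phase the way `Disallowed SSH Connection` carries two phases.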
@@ -2323,7 +2329,7 @@ User management binary command run outside of container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]) priority: NOTICE - tags: [host, users, mitre_persistence] + tags: [host, container, users, software_mgmt, mitre_persistence, T1543, T1098] - list: allowed_dev_files items: [ @@ -2347,7 +2353,7 @@ and not user_known_create_files_below_dev_activities output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository)" priority: ERROR - tags: [filesystem, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1543, T1083] # In a local/user rules file, you could override this macro to @@ -2369,7 +2375,7 @@ condition: outbound and fd.sip="169.254.169.254" and container and not ec2_metadata_containers output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, aws, container, mitre_discovery] + tags: [network, aws, container, mitre_discovery, T1565] # This rule is not enabled by default, since this rule is for cloud environment(GCP, AWS and Azure) only. @@ -2386,7 +2392,7 @@ enabled: false output: Outbound connection to cloud instance metadata service (command=%proc.cmdline pid=%proc.pid connection=%fd.name %container.info image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, container, mitre_discovery] + tags: [network, container, mitre_discovery, T1565] # Containers from IBM Cloud - list: ibm_cloud_containers 
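Review bot: `User management binary command run outside of container` now carries the `container` workload tag, but its own output string says it is scoped to activity outside containers, so the workload should remain `host` only; otherwise the workload table in the generated overview misclassifies it. The added `software_mgmt` tag is also a stretch for useradd/usermod-style binaries: `users` already covers them, and `software_mgmt` is used elsewhere in this file for package and rpm management.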
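Review bot: `Contact EC2 Instance Metadata Service From Container` and `Contact cloud metadata service from container` get T1565 (Data Manipulation), an Impact technique, under `mitre_discovery`. Reaching 169.254.169.254 from a container is T1552.005 (Unsecured Credentials: Cloud Instance Metadata API) if the concern is credential theft, or T1580 (Cloud Infrastructure Discovery) if it is discovery; either agrees with a sensible phase, T1565 agrees with neither.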
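Review bot: `Create files below dev` adds T1083 (File and Directory Discovery) next to T1543 under `mitre_persistence`; creating a file under /dev is not discovery, so T1083 should go. If a second ID is wanted, T1036 (Masquerading) under `mitre_defense_evasion` covers a file planted in a device directory.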
@@ -2434,7 +2440,7 @@ not user_known_contact_k8s_api_server_activities output: Unexpected connection to K8s API Server from container (command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag connection=%fd.name) priority: NOTICE - tags: [network, k8s, container, mitre_discovery] + tags: [network, k8s, container, mitre_discovery, T1565] # In a local/user rules file, list the container images that are # allowed to contact NodePort services from within a container. This @@ -2450,7 +2456,7 @@ condition: (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and container and not nodeport_containers output: Unexpected K8s NodePort Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository) priority: NOTICE - tags: [network, k8s, container, mitre_port_knocking] + tags: [network, k8s, container, mitre_persistence, T1205.001] - list: network_tool_binaries items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep, telnet, mitmproxy, socat, zmap] @@ -2487,7 +2493,7 @@ Package management process launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: ERROR - tags: [process, mitre_persistence] + tags: [container, process, software_mgmt, mitre_persistence, T1505] - rule: Netcat Remote Code Execution in Container desc: Netcat Program runs inside container that allows remote code execution 
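Review bot: `Contact K8S API Server From Container` gets T1565 (Data Manipulation, an Impact technique) under `mitre_discovery`; the container-native technique for this is T1613 (Container and Resource Discovery), which is a Discovery technique and therefore consistent with the phase tag.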
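Review bot: `Unexpected K8s NodePort Connection` swaps the non-tactic `mitre_port_knocking` for `mitre_persistence` with T1205.001 (Traffic Signaling: Port Knocking), but the condition (`inbound_outbound ... fd.sport >= 30000 and fd.sport <= 32767`) matches any traffic on the NodePort range, not a knock sequence, so the ID now asserts more than the rule detects. T1046 under `mitre_discovery` reflects the condition; if the port-knocking reading is intentional, say so in a comment above the rule so the tag survives the next review.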
@@ -2501,7 +2507,7 @@ Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [network, process, mitre_execution] + tags: [container, network, process, mitre_execution, T1059] - macro: user_known_network_tool_activities condition: (never_true) @@ -2514,7 +2520,7 @@ Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, process, mitre_discovery, mitre_exfiltration] + tags: [container, network, process, mitre_discovery, mitre_exfiltration, T1595, T1046] # This rule is not enabled by default, as there are legitimate use # cases for these tools on hosts. If you want to enable it, modify the @@ -2533,7 +2539,7 @@ output: > Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname) priority: NOTICE - tags: [network, process, mitre_discovery, mitre_exfiltration] + tags: [host, network, process, mitre_discovery, mitre_exfiltration, T1595, T1046] - list: grep_binaries items: [grep, egrep, fgrep] @@ -2572,7 +2578,7 @@ image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [process, mitre_credential_access] + tags: [host, container, process, filesystem, mitre_credential_access, T1552.001] - list: log_directories items: [/var/log, /dev/log] 
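Review bot: `Launch Suspicious Network Tool in Container` and `Launch Suspicious Network Tool on Host` get T1595 (Active Scanning) together with T1046; T1595 is a Reconnaissance technique for scanning a target from outside before access, whereas nmap/nc/tcpdump run inside a host or container is T1046 (Network Service Discovery) under the `mitre_discovery` phase already present. Drop T1595; if `mitre_exfiltration` is kept for nc/socat, T1048 (Exfiltration Over Alternative Protocol) is the ID that matches that phase.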
@@ -2605,7 +2611,7 @@ Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [file, mitre_defense_evasion] + tags: [host, container, filesystem, mitre_defense_evasion, T1070] - list: data_remove_commands items: [shred, mkfs, mke2fs] @@ -2623,7 +2629,7 @@ Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [process, mitre_persistence] + tags: [host, container, process, filesystem, mitre_persistence, T1485] # here `ash_history` will match both `bash_history` and `ash_history` - macro: modify_shell_history @@ -2664,7 +2670,7 @@ Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline pid=%proc.pid fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) priority: WARNING - tags: [process, mitre_defense_evasion] + tags: [host, container, process, filesystem, mitre_defense_evasion, T1070] # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility. # Rule Delete or rename shell history is the preferred rule to use now. @@ -2677,7 +2683,7 @@ Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline pid=%proc.pid fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info) priority: WARNING - tags: [process, mitre_defense_evasion] + tags: [host, container, process, filesystem, mitre_defense_evasion, T1070] - list: user_known_chmod_applications items: [hyperkube, kubelet, k3s-agent] 
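Review bot: `Remove Bulk Data from Disk` is tagged `mitre_persistence` with T1485 (Data Destruction), an Impact technique; shred/mkfs/mke2fs do not establish persistence. Either introduce `mitre_impact` as a phase and keep T1485, or use T1070.004 (Indicator Removal: File Deletion) under `mitre_defense_evasion` if the rule is meant as anti-forensics.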
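Review bot: `Delete or rename shell history` (and the deprecated `Delete Bash History`) get the parent T1070; the exact sub-technique is T1070.003 (Clear Command History), and `Clear Log Activities` in the hunk above is the T1070.002 (Clear Linux or Mac System Logs) case. Using the sub-techniques costs nothing and lets the generated table distinguish the two.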
@@ -2704,7 +2710,7 @@ command=%proc.cmdline pid=%proc.pid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [process, mitre_persistence] + tags: [host, container, process, users, mitre_persistence, T1548.001] - list: exclude_hidden_directories items: [/root/.cassandra] @@ -2727,7 +2733,7 @@ file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [file, mitre_persistence] + tags: [host, container, filesystem, mitre_persistence, T1564.001] - list: remote_file_copy_binaries items: [rsync, scp, sftp, dcp] @@ -2751,7 +2757,7 @@ Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, process, mitre_lateral_movement, mitre_exfiltration] + tags: [container, network, process, mitre_lateral_movement, mitre_exfiltration, T1020, T1210] - rule: Create Symlink Over Sensitive Files desc: Detect symlink created over sensitive files @@ -2761,7 +2767,7 @@ output: > Symlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname) priority: WARNING - tags: [file, mitre_exfiltration] + tags: [host, container, filesystem, mitre_exfiltration, mitre_credential_access, T1020, T1083, T1212, T1552, T1555] - rule: Create Hardlink Over Sensitive Files desc: Detect hardlink created over sensitive files 
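Review bot: `Create Hidden Files or Directories` is tagged `mitre_persistence` with T1564.001 (Hide Artifacts: Hidden Files and Directories), a Defense Evasion technique; change the phase to `mitre_defense_evasion` so phase and ID agree. Likewise `Set Setuid or Setgid bit` keeps `mitre_persistence` while T1548.001 belongs to Privilege Escalation/Defense Evasion; `mitre_privilege_escalation` is already paired with the same ID on `Non sudo setuid` in this patch.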
@@ -2771,7 +2777,7 @@ output: > Hardlinks created over sensitive files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid target=%evt.arg.oldpath linkpath=%evt.arg.newpath parent_process=%proc.pname) priority: WARNING - tags: [file, mitre_exfiltration] + tags: [host, container, filesystem, mitre_exfiltration, mitre_credential_access, T1020, T1083, T1212, T1552, T1555] - list: miner_ports items: [ @@ -2876,14 +2882,14 @@ enabled: false output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline pid=%proc.pid port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository) priority: CRITICAL - tags: [network, mitre_execution] + tags: [host, container, network, mitre_execution, T1496] - rule: Detect crypto miners using the Stratum protocol desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' condition: spawned_process and (proc.cmdline contains "stratum+tcp" or proc.cmdline contains "stratum2+tcp" or proc.cmdline contains "stratum+ssl" or proc.cmdline contains "stratum2+ssl") output: Possible miner running (command=%proc.cmdline pid=%proc.pid container=%container.info image=%container.image.repository) priority: CRITICAL - tags: [process, mitre_execution] + tags: [host, container, process, mitre_execution, T1496] - list: k8s_client_binaries items: [docker, kubectl, crictl] @@ -2913,7 +2919,7 @@ condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries) output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid image=%container.image.repository:%container.image.tag)" priority: WARNING - tags: [container, mitre_execution] + tags: [container, mitre_execution, T1610] - list: user_known_packet_socket_binaries items: [] 
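Review bot: both crypto-miner rules (the cryptoioc.ch outbound-connection rule and `Detect crypto miners using the Stratum protocol`) pair `mitre_execution` with T1496 (Resource Hijacking), which is an Impact technique. Add `mitre_impact` (a phase not yet used in this file) or tactic-only TA0040 alongside the execution phase so the generated MITRE table places mining where ATT&CK does.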
@@ -2923,7 +2929,7 @@ condition: evt.type=socket and evt.arg[0]=AF_PACKET and container and not proc.name in (user_known_packet_socket_binaries) output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, mitre_discovery] + tags: [container, network, mitre_discovery, T1046] # Namespaces where the rule is enforce - list: namespace_scope_network_only_subnet @@ -2956,7 +2962,7 @@ image=%container.image.repository namespace=%k8s.ns.name fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name) priority: WARNING - tags: [network] + tags: [container, network, mitre_discovery, T1046] - list: allowed_image items: [] # add image to monitor, i.e.: bitnami/nginx @@ -2989,7 +2995,7 @@ (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [network] + tags: [container, network, mitre_discovery, TA0011] - macro: user_known_stand_streams_redirect_activities condition: (never_true) @@ -3003,6 +3009,7 @@ output: > Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip) priority: NOTICE + tags: [container, network, process, mitre_discovery, mitre_execution, T1059] # The two Container Drift rules below will fire when a new executable is created in a container. # There are two ways to create executables - file is created with execution permissions or permissions change of existing file. 
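Review bot: `Packet socket created in container` gets T1046 (Network Service Discovery); an AF_PACKET socket is what a sniffer opens, so T1040 (Network Sniffing) is the exact technique, and because T1040 sits under both Credential Access and Discovery the existing `mitre_discovery` phase stays valid.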
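Review bot: `Redirect STDOUT/STDIN to Network Connection in Container` gains tags for the first time, which the generator needs, but `mitre_discovery` does not describe redirecting a process's stdio to a socket; that is the reverse-shell pattern, i.e. T1059 under `mitre_execution` plus `mitre_command_and_control` (TA0011). Drop `mitre_discovery`.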
@@ -3032,6 +3039,7 @@ enabled: false output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR + tags: [container, process, filesystem, mitre_execution, T1059] # **************************************************************************** # * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 * @@ -3049,6 +3057,7 @@ enabled: false output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type) priority: ERROR + tags: [container, process, filesystem, mitre_execution, T1059] - list: c2_server_ip_list items: [] @@ -3087,7 +3096,7 @@ (fd.sip.name in (c2_server_fqdn_list))) output: Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [network] + tags: [host, container, network, mitre_command_and_control, TA0011] - list: white_listed_modules items: [] @@ -3097,7 +3106,7 @@ condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules) and thread.cap_effective icontains sys_module output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [process] + tags: [host, container, process, mitre_execution, mitre_persistence, TA0002] - list: run_as_root_image_list items: [] 
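Review bot: `Linux Kernel Module injection using insmod detected` (condition `spawned_process and container and proc.name=insmod`) is scoped to containers by its condition but gets `host, container` as workload, which will make the workload table count it as both; it should be `container` only. For the technique, TA0002 is tactic-only while T1547.006 (Boot or Logon Autostart Execution: Kernel Modules and Extensions) names exactly this and belongs to Persistence/Privilege Escalation, matching the `mitre_persistence` phase also set here.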
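Review bot: the two `Container Drift Detected` rules get T1059 (Command and Scripting Interpreter), but they fire on a new executable being created (chmod or open+create), not on an interpreter running. T1105 (Ingress Tool Transfer) describes a binary being brought into the container; if the intent is only to mark execution of unknown code, leave tactic-only TA0002 until a specific technique is agreed rather than attaching an interpreter ID.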
@@ -3113,7 +3122,7 @@ enabled: false output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: INFO - tags: [container, process] + tags: [container, process, users, mitre_execution, T1610] # This rule helps detect CVE-2021-3156: # A privilege escalation to root through heap-based buffer overflow @@ -3122,7 +3131,7 @@ condition: spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains "\ " or proc.args endswith \) output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid %container.info)" priority: CRITICAL - tags: [filesystem, mitre_privilege_escalation] + tags: [host, container, filesystem, users, mitre_privilege_escalation, T1548.003] - rule: Debugfs Launched in Privileged Container desc: Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. @@ -3132,7 +3141,7 @@ and proc.name=debugfs output: Debugfs launched started in a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [container, cis, mitre_lateral_movement] + tags: [container, cis, process, mitre_execution, mitre_lateral_movement, T1611] - macro: mount_info condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h")) 
@@ -3156,7 +3165,7 @@ and not user_known_mount_in_privileged_containers output: Mount was executed inside a privileged container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag) priority: WARNING - tags: [container, cis, mitre_lateral_movement] + tags: [container, cis, filesystem, mitre_lateral_movement, T1611] - list: user_known_userfaultfd_processes items: [] @@ -3170,7 +3179,7 @@ not proc.name in (user_known_userfaultfd_processes) output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag) priority: CRITICAL - tags: [syscall, mitre_defense_evasion] + tags: [host, container, process, mitre_defense_evasion, TA0005] - list: ingress_remote_file_copy_binaries items: [wget] @@ -3201,7 +3210,7 @@ Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag) priority: NOTICE - tags: [network, process, mitre_command_and_control] + tags: [container, network, process, mitre_command_and_control, TA0011] # This rule helps detect CVE-2021-4034: # A privilege escalation to root through memory corruption @@ -3212,7 +3221,7 @@ output: "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline pid=%proc.pid args=%proc.args)" priority: CRITICAL - tags: [process, mitre_privilege_escalation] + tags: [host, container, process, users, mitre_privilege_escalation, TA0004] - rule: Detect release_agent File Container Escapes 
@@ -3222,7 +3231,7 @@ output: "Detect an attempt to exploit a container escape using release_agent file (user=%user.name user_loginuid=%user.loginuid filename=%fd.name %container.info image=%container.image.repository:%container.image.tag cap_effective=%thread.cap_effective)" priority: CRITICAL - tags: [container, mitre_privilege_escalation, mitre_lateral_movement] + tags: [container, process, mitre_privilege_escalation, mitre_lateral_movement, T1611] # Rule for detecting potential Log4Shell (CVE-2021-44228) exploitation # Note: Not compatible with Java 17+, which uses read() syscalls @@ -3235,7 +3244,7 @@ java_network_read and evt.buffer bcontains cafebabe output: Java process class file download (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type connection=%fd.name server_ip=%fd.sip server_port=%fd.sport proto=%fd.l4proto process=%proc.name command=%proc.cmdline pid=%proc.pid parent=%proc.pname buffer=%evt.buffer container_id=%container.id image=%container.image.repository) priority: CRITICAL - tags: [mitre_initial_access] + tags: [host, container, process, mitre_initial_access, T1190] - list: docker_binaries items: [dockerd, containerd-shim, "runc:[1:CHILD]", pause] @@ -3251,7 +3260,7 @@ output: > Detect Potential Container Breakout Exploit (CVE-2019-5736) (user=%user.name process=%proc.name file=%fd.name cmdline=%proc.cmdline pid=%proc.pid %container.info) priority: WARNING - tags: [container, filesystem, mitre_initial_access] + tags: [container, filesystem, mitre_initial_access, T1611] # Application rules have moved to application_rules.yaml. Please look # there if you want to enable them by adding to 
@@ -3269,7 +3278,7 @@ Environment variables were retrieved from /proc files (user=%user.name user_loginuid=%user.loginuid program=%proc.name command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository) priority: WARNING - tags: [filesystem, mitre_credential_access, mitre_discovery] + tags: [container, filesystem, process, mitre_credential_access, mitre_discovery, T1083] - list: known_ptrace_binaries items: [] @@ -3282,4 +3291,4 @@ condition: evt.type=ptrace and evt.dir=> and evt.arg.request in (5, 6, 11, 20, 27) and proc_name_exists and not known_ptrace_procs output: Detected ptrace PTRACE_ATTACH attempt (proc.cmdline=%proc.cmdline container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name group.gid=%group.gid group.name=%group.name container.id=%container.id container.name=%container.name image=%container.image.repository) priority: WARNING - tags: [process] \ No newline at end of file + tags: [process]
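Review bot: in the `@@ -2923` hunk (packet socket in a container), `T1046` is Network Service Discovery, i.e. port/service scanning; creating an `AF_PACKET` socket is a raw-capture primitive, which ATT&CK files as T1040 Network Sniffing under the same Discovery tactic. Suggest `tags: [container, network, mitre_discovery, T1040]`. The same `T1046` id is reused in the `@@ -2956` hunk for a rule that reports `fd.rip`/`fd.lip`/`fd.cip`/`fd.sip` on a connection, so check that one against the same question before it lands in the generated inventory.

Review bot: in the `@@ -2989` hunk the phase tag and the tactic id disagree: `mitre_discovery` is TA0007, but the id added is `TA0011`, which is Command and Control. Since `rules_mitre_overview.md` in this same change is generated from these tags, the rule will be listed under Discovery with a C2 identifier next to it. Pick one pairing, e.g. `tags: [container, network, mitre_command_and_control, TA0011]` or `[..., mitre_discovery, TA0007]`.

Review bot: in the `@@ -3003` hunk (redirect stdout/stdin to a network connection) the new tags carry both `mitre_discovery` and `mitre_execution` with `T1059`. T1059 (Command and Scripting Interpreter) is an Execution technique and matches the reverse-shell pattern this rule looks for; Discovery does not. Suggest dropping `mitre_discovery` so the line reads `tags: [container, network, process, mitre_execution, T1059]`.

Review bot: the two Container Drift hunks (`@@ -3032` and `@@ -3049`) tag a new-executable event with `T1059`, which describes running an interpreter, not creating or chmod-ing a file. For the `chmod` variant, T1222.002 (Linux and Mac File and Directory Permissions Modification, Defense Evasion) is the technique that covers the syscall the rule matches; for the `open+create` variant there is no single clean technique, and leaving the technique id off is better than attributing file creation to T1059.

Review bot: in the `@@ -3097` hunk (insmod) the condition is `spawned_process and container and proc.name=insmod ...`, so the rule can never fire on the host, yet `host` is added to the tags; the per-workload table in the generated inventory will count it under `container, host`. Separately, `TA0002` is a single tactic id paired with two phase tags (`mitre_execution`, `mitre_persistence`); the ATT&CK technique for loading a kernel module is T1547.006 (Kernel Modules and Extensions), which sits under Persistence and Privilege Escalation. Suggest `tags: [container, process, mitre_persistence, mitre_privilege_escalation, T1547.006]`.

Review bot: in the `@@ -3122` hunk (CVE-2021-3156) the condition is `spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) ...`, a process-spawn rule with no file-descriptor or path test, but the tag list keeps `filesystem` and omits `process`. Because the inventory's per-tag counts come straight from these lists, this misfiles the rule. Suggest `tags: [host, container, process, users, mitre_privilege_escalation, T1548.003]` (the T1548.003 Sudo and Sudo Caching id itself is right).

Review bot: `T1611` (Escape to Host) appears in four hunks with four different phase tags: `mitre_execution, mitre_lateral_movement` (Debugfs, `@@ -3132`), `mitre_lateral_movement` (mount, `@@ -3156`), `mitre_privilege_escalation, mitre_lateral_movement` (release_agent, `@@ -3222`) and `mitre_initial_access` (CVE-2019-5736, `@@ -3251`). In ATT&CK, T1611 is filed under the Privilege Escalation tactic (TA0004); a runc or release_agent breakout is not initial access, and the generated phase table will scatter these four escape rules across three phases. Suggest pairing `T1611` with `mitre_privilege_escalation` in all four, keeping `mitre_lateral_movement` only where the team deliberately wants the escape counted there too.

Review bot: in the `@@ -3201` hunk (wget and friends in a container) the tactic id `TA0011` is added where a more specific technique exists: T1105 Ingress Tool Transfer is exactly "remote file copy tool launched in container". Suggest `tags: [container, network, process, mitre_command_and_control, T1105]`. Same pattern in the `@@ -3212` hunk (CVE-2021-4034), where `TA0004` could be T1068 Exploitation for Privilege Escalation.

Review bot: in the `@@ -3269` hunk (environment variables read from `/proc`) the technique `T1083` (File and Directory Discovery) does not cover the credential-access phase the tags also claim. Reading `/proc/<pid>/environ` for secrets is T1552.001 (Credentials In Files) under Credential Access. Suggest `tags: [container, filesystem, process, mitre_credential_access, T1552.001]`, or keep T1083 only alongside `mitre_discovery` if the discovery reading is the intended one.

Review bot: the final `@@ -3282` hunk only adds the missing trailing newline, so the `PTRACE_ATTACH` rule is the one rule touched by this patch that ends up with no workload tag and no MITRE mapping (`tags: [process]`), and it will be invisible in the phase table of the generated inventory. ATT&CK covers this with T1055.008 (Ptrace System Calls); suggest `tags: [host, container, process, mitre_privilege_escalation, T1055.008]` in the same hunk.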