Skip to content

Commit

Permalink
updated falco rules files
Browse files Browse the repository at this point in the history
Signed-off-by: h4l0gen <[email protected]>
  • Loading branch information
h4l0gen committed Mar 22, 2024
1 parent f9bee5f commit 58da868
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 27 deletions.
12 changes: 6 additions & 6 deletions rules/falco-sandbox_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1943,8 +1943,8 @@
user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
priority: CRITICAL
tags: >
[maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005]
tags: [
maturity_sandbox, host, container, process, mitre_defense_evasion, TA0005]

# This rule helps detect CVE-2021-4034:
# A privilege escalation to root through memory corruption
Expand Down Expand Up @@ -2081,8 +2081,8 @@
parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
exe_flags=%evt.arg.flags %container.info)
priority: INFO
tags: >
[maturity_sandbox, container, process, mitre_command_and_control, T1132]
tags: [
maturity_sandbox, container, process, mitre_command_and_control, T1132]
- list: recon_binaries
items: [w, whoami, id, who, uname]

Expand Down Expand Up @@ -2114,5 +2114,5 @@
parent=%proc.pname command=%proc.cmdline terminal=%proc.tty
exe_flags=%evt.arg.flags %container.info)
priority: NOTICE
tags: >
[maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043]
tags: [
maturity_sandbox, host, container, process, mitre_reconnaissance, TA0043]
45 changes: 24 additions & 21 deletions rules/falco_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -402,17 +402,18 @@
and directory_traversal
and not proc.pname in (shell_binaries)
enabled: true
enabled: true
output: Read monitored file via directory traversal
(file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty %container.info)

priority: WARNING
tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
T1555]
priority: WARNING
tags: [
maturity_stable, host, container, filesystem,
mitre_credential_access, T1555]

- macro: cmp_cp_by_passwd
condition: (proc.name in (cmp, cp) and proc.pname in (passwd, run-parts))
Expand Down Expand Up @@ -1441,7 +1442,7 @@
terminal=%proc.tty %container.info)
priority: WARNING
tags: [maturity_stable, host, container, process, mitre_privilege_escalation,
T1055.008]
T1055.008]

- rule: PTRACE anti-debug attempt
desc: >
Expand Down Expand Up @@ -1492,7 +1493,7 @@
exe_flags=%evt.arg.flags %container.info)
priority: WARNING
tags: [maturity_stable, host, container, process, aws,
mitre_credential_access, T1552]
mitre_credential_access, T1552]

- rule: Execution from /dev/shm
desc: >
Expand Down Expand Up @@ -1548,18 +1549,18 @@
and proc.is_exe_upper_layer=true
and not container.image.repository in (known_drop_and_execute_containers)
output: Executing binary not part of base image
proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2]
proc_exe_ino_ctime=%proc.exe_ino.ctime
proc_exe_ino_mtime=%proc.exe_ino.mtime
proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty
exe_flags=%evt.arg.flags %container.info)
proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2]
proc_exe_ino_ctime=%proc.exe_ino.ctime
proc_exe_ino_mtime=%proc.exe_ino.mtime
proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type
user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
command=%proc.cmdline terminal=%proc.tty
exe_flags=%evt.arg.flags %container.info)
priority: CRITICAL
tags: >
[maturity_stable, container, process, mitre_persistence,
tags: [
maturity_stable, container, process, mitre_persistence,
TA0003, PCI_DSS_11.5.1]

# RFC1918 addresses were assigned for private network usage
Expand Down Expand Up @@ -1606,8 +1607,9 @@
user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
priority: NOTICE
tags: >
[maturity_stable, host, container, network, process, mitre_execution, T1059]
tags: [
maturity_stable, host, container, network, process, mitre_execution, T1059
]

- list: known_memfd_execution_binaries
items: []
Expand Down Expand Up @@ -1635,5 +1637,6 @@
command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
%container.info)
priority: CRITICAL
tags: >
[maturity_stable, host, container, process, mitre_defense_evasion, T1620]
tags: [
maturity_stable, host, container, process, mitre_defense_evasion, T1620
]

0 comments on commit 58da868

Please sign in to comment.