Added crypto-miner, removed 5G from name and shell-history-mod from metadata

Signed-off-by: JayJersan <[email protected]>
JayJersan committed Mar 25, 2024
1 parent 16fd032 commit e7ff8a4
Showing 5 changed files with 104 additions and 24 deletions.
Expand Up @@ -5,10 +5,10 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-mitre-5g-remote-services
name: ksp-mitre-remote-services
namespace: default # Change your namespace
spec:
tags: ["MITRE", "FIGHT", "FGT1021"]
tags: ["MITRE", "FIGHT", "FGT1021","5G"]
message: "Warning! access sensitive files detected"
selector:
matchLabels:
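Review bot: renaming `metadata.name` from `ksp-mitre-5g-remote-services` to `ksp-mitre-remote-services` is not an in-place update for anyone who already applied the old file; a `kubectl apply` of the new name creates a second KubeArmorPolicy and the old object keeps enforcing until it is deleted explicitly. Worth a one-line note in the commit message or README telling users to remove the stale `ksp-mitre-5g-*` objects. Moving `"5G"` out of the name and into `tags` is the right place for it.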
Expand Up @@ -5,10 +5,10 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-mitre-5g-tactic-impair-defense
name: ksp-mitre-tactic-impair-defense
namespace: default #change with your namespace
spec:
tags: ["MITRE", "FGT1562","FIGHT"]
tags: ["MITRE", "FGT1562","FIGHT","5G"]
message: "Selinux Files Accessed by Unknown Process"
selector:
matchLabels:
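Review bot: the `namespace: default #change with your namespace` comment differs from the `# Change your namespace` wording (and spacing after `#`) used by the sibling policies in this commit; since the line is already in the hunk context, align it so the three files read the same. The same rename caveat applies here: applying `ksp-mitre-tactic-impair-defense` does not replace an existing `ksp-mitre-5g-tactic-impair-defense` object.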
Expand Up @@ -5,10 +5,10 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-5g-network-service-scanning
name: ksp-network-service-scanning
namespace: default # Change your namespace
spec:
tags: ["MITRE", "FGT1046","FIGHT"]
tags: ["MITRE", "FGT1046","FIGHT","5G"]
message: "Network service has been scanned!"
selector:
matchLabels:
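Review bot: the new name `ksp-network-service-scanning` drops the `mitre` segment that the other two renamed policies keep (`ksp-mitre-remote-services`, `ksp-mitre-tactic-impair-defense`) even though its tags are `MITRE` and `FGT1046`; `ksp-mitre-network-service-scanning` would keep the naming consistent across the FiGHT-derived policies.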
68 changes: 68 additions & 0 deletions generic/system/ksp-prevent-crypto-miners.yaml
@@ -0,0 +1,68 @@
# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-mitre-prevent-crypto-miners
spec:
selector:
matchLabels:
app: wordpress

action: Block
process:
matchDirectories:
- dir: /tmp/
recursive: true

matchPaths:
# do not allow execution of xmrig (xmrig.com)
- execname: xmrig

# prevent execution of Dero miner
- execname: dero
- execname: dero-miner-linux-amd64
- execname: dero-wallet-cli-linux-amd64
- execname: derod-linux-amd64

# do not allow execution of masscan/zgrab2/nmap used for recon
- execname: zgrab2
- execname: masscan
- execname: nmap

# do not allow package management tools execution
- execname: apt
- execname: apk

# time sync is important for miners. typically ntpdate is used.
- execname: ntpdate

# Do not allow overwriting system binaries
file:
matchDirectories:
- dir: /usr/local/bin/
readOnly: true
recursive: true
- dir: /sbin/
readOnly: true
recursive: true
- dir: /bin/
readOnly: true
recursive: true
- dir: /usr/bin/
readOnly: true
recursive: true
- dir: /var/local/bin/
readOnly: true
recursive: true
- dir: /boot/
readOnly: true
recursive: true

message: cryptominer detected and blocked
severity: 10
tags:
- cryptominer
- MITRE_T1496_resource_hijacking
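Review bot: `metadata` has no `namespace:` and `matchLabels` is hard-coded to `app: wordpress` with no placeholder comment, unlike the other policies in this commit which carry `namespace: default # Change your namespace`; as written the policy silently applies only to wordpress pods in whatever namespace it is applied to, so add the namespace line and mark the label as a value to change. Two further points on the rules themselves: the `execname` entries match on the bare file name only, so a miner binary copied under a different name is not caught by that list, and the `/tmp/` directory block and the read-only system directories are the controls that actually carry the policy; the comment should say the name list is a best-effort layer. The "package management tools" comment overstates coverage, since only `apt` and `apk` are listed (not `apt-get`, `dpkg`, `yum`, `dnf`); either extend the list or narrow the comment. Finally, `/var/local/bin/` is not a standard location, so confirm it is intended (and not a slip for `/usr/local/sbin/`), and add a comment if it is.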
48 changes: 30 additions & 18 deletions generic/system/metadata.yaml
Expand Up @@ -164,18 +164,18 @@ policyRules:
tldr: The adversary is trying to avoid being detected.
detailed: Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
yaml: ksp-deny-write-under-etc-directory.yaml
- name: shell-history-mod
precondition:
- /root/*_history
- OPTSCAN
description:
refs:
- name: MITRE_T1070_indicator_removal
url:
- https://attack.mitre.org/techniques/T1070/
tldr: Adversaries may delete or modify artifacts generated within systems to remove evidence.
detailed: Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
yaml: ksp-shell-history-modification.yaml
# - name: shell-history-mod
# precondition:
# - /root/*_history
# - OPTSCAN
# description:
# refs:
# - name: MITRE_T1070_indicator_removal
# url:
# - https://attack.mitre.org/techniques/T1070/
# tldr: Adversaries may delete or modify artifacts generated within systems to remove evidence.
# detailed: Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
# yaml: ksp-shell-history-modification.yaml
- name: file-system-mounts
precondition:
- /bin/mount
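Review bot: commenting out the whole `shell-history-mod` entry rather than deleting it leaves twelve dead lines in `metadata.yaml`; git history already preserves the entry, so remove it outright, or if it is meant to come back, put a one-line comment above the block saying why it is disabled (the commit message only says "removed"). Also check whether `ksp-shell-history-modification.yaml` still exists in the tree: with its metadata entry gone it is no longer reachable through this index but would still be shipped.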
Expand Down Expand Up @@ -327,7 +327,7 @@ policyRules:
- OPTSCAN
description:
refs:
- name: 5g-tactic-impair-defense
- name: tactic-impair-defense
url:
- https://fight.mitre.org/techniques/FGT1562
tldr: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
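Review bot: the `refs[].name` drops the `5g-` prefix but keeps the free-form `tactic-impair-defense` style, while the ATT&CK entries in the same file use the technique-id style (`MITRE_T1070_indicator_removal`, `MITRE_T1496_resource_hijacking`); since the `url` is the FiGHT technique `FGT1562`, a name such as `MITRE_FGT1562_impair_defense` would make the refs consistent and searchable by id.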
Expand All @@ -336,34 +336,46 @@ policyRules:
and anti-virus, but also detection capabilities that defenders can use to audit activity and identify
malicious behavior. This may also span both native defenses as well as supplemental capabilities installed
by users and administrators.
yaml: ksp-mitre-5g-tactic-impair-defense.yaml
yaml: ksp-mitre-tactic-impair-defense.yaml
- name: network-service-scanning
precondition:
- /bin/*
- OPTSCAN
description:
refs:
- name: 5g-tactic-network-service-scanning
- name: tactic-network-service-scanning
url:
- https://fight.mitre.org/techniques/FGT1046
tldr: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
detailed: Adversaries may attempt to get a listing of services running on remote hosts and local
network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Common methods to acquire this information include port and/or vulnerability scans using tools that are
brought onto a system.
yaml: ksp-5g-network-service-scanning.yaml
yaml: ksp-network-service-scanning.yaml
- name: remote-services
precondition:
- /var/*
- OPTSCAN
description:
refs:
- name: 5g-tactic-remote-services
- name: tactic-remote-services
url:
- https://fight.mitre.org/techniques/FGT1021
tldr: Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC.
detailed: Legitimate applications (such as Software Deployment Tools and other administrative programs)
may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS
is native software used for remote management. ARD leverages a blend of protocols, including VNC to
send the screen and control buffers and SSH for secure file transfer.
yaml: ksp-mitre-5g-remote-services.yaml
yaml: ksp-mitre-remote-services.yaml
- name: crypto-miners
precondition:
- /bin/*
- OPTSCAN
description:
refs:
- name: MITRE_T1496_resource_hijacking
url:
- https://attack.mitre.org/techniques/T1496/
tldr: Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
detailed: One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources.
yaml: ksp-prevent-crypto-miners.yaml
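Review bot: the `precondition` of `/bin/*` plus `OPTSCAN` is satisfied by practically every image, so this entry will recommend a policy that blocks all execution under `/tmp/` and the `apt`/`apk` binaries for every workload; either tie the precondition to something specific to this policy or state in `description` that workloads which legitimately execute from `/tmp/` need an exception before applying it. The `yaml` reference matches the new `generic/system/ksp-prevent-crypto-miners.yaml` and the ref name follows the `MITRE_T1496_resource_hijacking` tag used in that file, which is good; the same `tactic-*` vs `MITRE_*` naming split noted above applies to the three FiGHT entries, not to this one.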
