From e2e4126e9c8ac86a2368f142853b0537b2791b80 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:40:23 +0530 Subject: [PATCH 01/11] Update metadata.yaml --- generic/system/metadata.yaml | 62 ++++++++++++++++++------------------ 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml index 8a080de3..97e98d42 100644 --- a/generic/system/metadata.yaml +++ b/generic/system/metadata.yaml @@ -9,7 +9,7 @@ policyRules: - name: MITRE-TTP url: - https://attack.mitre.org/techniques/T1553/ - tldr: Restrict access to maintenance tools (apk, mii-tool, ...) + tldr: Restrict or limit maintenance tool usage detailed: Container images might contain maintenance tools which should ideally never be used in prod env, or if used, should be used only in certain time frames. Examples include, dynamic package management tools, mii-tool, iptables etc @@ -24,7 +24,7 @@ policyRules: url: - https://attack.mitre.org/techniques/T1553/ - https://fight.mitre.org/techniques/FGT1555 - tldr: Restrict access to trusted certificated bundles in the OS image + tldr: Prevent certificate bundle tampering detailed: Operating systems maintain a list of trusted certificates (often called trust bundles) in file system. These bundles decides which authorities are trusted. Subverting these trust controls would essentially allow an adversary to operate 
@@ -46,28 +46,28 @@ policyRules: - name: MITRE-TTP-T1082 url: - https://attack.mitre.org/techniques/T1082/ - tldr: System Information Discovery - block system owner discovery commands + tldr: Limit adversaries from gathering system information detailed: An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. yaml: ksp-mitre-system-owner-user-discovery.yaml -- name: write-under-bin-dir - precondition: - - /bin/* - - OPTSCAN - description: - refs: - - name: NIST-SI-4 - url: - - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ - tldr: System and Information Integrity - System Monitoring make directory under /bin/ - detailed: System monitoring includes external and internal monitoring. External monitoring - includes the observation of events occurring at system boundaries. Internal monitoring - includes the observation of events occurring within the system. Organizations monitor systems, - for example, by observing audit activities in real time or by observing other system aspects - such as access patterns, characteristics of access, and other actions. - yaml: ksp-nist-si-4-mkdir-bin-dir.yaml +#- name: write-under-bin-dir +# precondition: +# - /bin/* +# - OPTSCAN +# description: +# refs: +# - name: NIST-SI-4 +# url: +# - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ +# tldr: System and Information Integrity - System Monitoring make directory under /bin/ +# detailed: System monitoring includes external and internal monitoring. External monitoring +# includes the observation of events occurring at system boundaries. Internal monitoring +# includes the observation of events occurring within the system. 
Organizations monitor systems, +# for example, by observing audit activities in real time or by observing other system aspects +# such as access patterns, characteristics of access, and other actions. +# yaml: ksp-nist-si-4-mkdir-bin-dir.yaml - name: write-under-dev-dir precondition: - /dev/* @@ -77,7 +77,7 @@ policyRules: - name: NIST-SI-4 url: - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ - tldr: System and Information Integrity - System Monitoring make files under /dev/ + tldr: Audit file events in the /dev/ directory, for enhanced security detailed: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, @@ -93,7 +93,7 @@ policyRules: - name: NIST-SI-4 url: - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ - tldr: System and Information Integrity - System Monitoring Detect access to cronjob files + tldr: Audit access to cronjob files as a part of system monitoring for better integrity detailed: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems, 
@@ -109,7 +109,7 @@ policyRules: - name: NIST-CM-7-5 url: - https://csf.tools/reference/nist-sp-800-53/r5/cm/cm-7/cm-7-5/ - tldr: System and Information Integrity - Least Functionality deny execution of package manager process in container + tldr: Prohibit package manager process execution in containers to maintain system integrity and limit authorized software versions and sources. detailed: Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different @@ -125,7 +125,7 @@ policyRules: - name: MITRE_T1609_container_administration_command url: - https://attack.mitre.org/techniques/T1609/ - tldr: Adversaries may abuse a container administration service to execute commands within a container. + tldr: Prevent execution of container administration tools within a container detailed: Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. yaml: ksp-deny-k8s-client-tool-execution-inside container.yaml - name: remote-file-copy 
@@ -137,7 +137,7 @@ policyRules: - name: MITRE_TA0010_exfiltration url: - https://attack.mitre.org/tactics/TA0010/ - tldr: The adversary is trying to steal data. + tldr: Prevent data exfiltration attempts using utility tooling detailed: Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. yaml: ksp-deny-remote-file-copy.yaml - name: write-in-shm-dir @@ -149,7 +149,7 @@ policyRules: - name: MITRE_execution url: - https://attack.mitre.org/tactics/TA0002/ - tldr: The adversary is trying to write under shm folder + tldr: Restrict adversaries from writing malicious code under the shm folder detailed: The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. yaml: ksp-deny-write-in-shm-folder.yaml - name: write-etc-dir 
@@ -161,7 +161,7 @@ policyRules: - name: MITRE_TA0005_defense_evasion url: - https://attack.mitre.org/tactics/TA0005/ - tldr: The adversary is trying to avoid being detected. + tldr: Prevent concealment of adversarial processes detailed: Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. yaml: ksp-deny-write-under-etc-directory.yaml # - name: shell-history-mod @@ -330,7 +330,7 @@ policyRules: - name: tactic-impair-defense url: - https://fight.mitre.org/techniques/FGT1562 - tldr: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. + tldr: Audit defense control points to detect defense impairments detailed: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify 
@@ -346,7 +346,7 @@ policyRules: - name: tactic-network-service-scanning url: - https://fight.mitre.org/techniques/FGT1046 - tldr: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. + tldr: Audit execution of network service scanning tools detailed: Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are @@ -361,7 +361,7 @@ policyRules: - name: tactic-remote-services url: - https://fight.mitre.org/techniques/FGT1021 - tldr: Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. + tldr: Audit remote access services detailed: Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to 
@@ -376,6 +376,6 @@ policyRules: - name: MITRE_T1496_resource_hijacking url: - https://attack.mitre.org/techniques/T1496/ - tldr: Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. + tldr: Cryptojacking, Crypto mining, Malware protection detailed: One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources. - yaml: ksp-prevent-crypto-miners.yaml \ No newline at end of file + yaml: ksp-prevent-crypto-miners.yaml From 3eebeec834d0ff7f8ce797998ae01217afe86cfd Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:42:54 +0530 Subject: [PATCH 02/11] Update ksp-audit-maintenance-tool-access.yaml --- generic/system/ksp-audit-maintenance-tool-access.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/generic/system/ksp-audit-maintenance-tool-access.yaml b/generic/system/ksp-audit-maintenance-tool-access.yaml index 74378e95..87f86fc3 100644 --- a/generic/system/ksp-audit-maintenance-tool-access.yaml +++ b/generic/system/ksp-audit-maintenance-tool-access.yaml @@ -11,9 +11,10 @@ spec: tags: - PCI_DSS - MITRE + - MITRE_T1553_Subvert_Trust_Controls severity: 1 process: matchDirectories: - dir: /sbin/ recursive: true - action: Audit \ No newline at end of file + action: Audit From 8cc8e168d6b6aebd127b0e11e5c8f570585bd6cf Mon Sep 17 00:00:00 2001 
From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:45:09 +0530 Subject: [PATCH 03/11] Update ksp-mitre-remote-services.yaml --- generic/system/ksp-mitre-remote-services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/system/ksp-mitre-remote-services.yaml b/generic/system/ksp-mitre-remote-services.yaml index 1699b832..a58ed107 100644 --- a/generic/system/ksp-mitre-remote-services.yaml +++ b/generic/system/ksp-mitre-remote-services.yaml @@ -8,7 +8,7 @@ metadata: name: ksp-mitre-remote-services namespace: default # Change your namespace spec: - tags: ["MITRE", "FIGHT", "FGT1021","5G"] + tags: ["MITRE", "FIGHT", "FGT1021", "5G", "MITRE_T1021_Remote_Services"] message: "Warning! access sensitive files detected" selector: matchLabels: From 1f954842f62397ba4b20347abd18d7c5da2f3332 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:46:42 +0530 Subject: [PATCH 04/11] Update ksp-mitre-tactic-impair-defense.yaml --- generic/system/ksp-mitre-tactic-impair-defense.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/system/ksp-mitre-tactic-impair-defense.yaml b/generic/system/ksp-mitre-tactic-impair-defense.yaml index 6d60afef..1d627878 100644 --- a/generic/system/ksp-mitre-tactic-impair-defense.yaml +++ b/generic/system/ksp-mitre-tactic-impair-defense.yaml @@ -8,7 +8,7 @@ metadata: name: ksp-mitre-tactic-impair-defense namespace: default #change with your namespace spec: - tags: ["MITRE", "FGT1562","FIGHT","5G"] + tags: ["MITRE", "FGT1562", "FIGHT", "5G", "MITRE_T1562_Impair _Defenses"] message: "Selinux Files Accessed by Unknown Process" selector: matchLabels: From 1f019a2444c2f22a9706b39f3a3b9cbdd83a5db1 Mon Sep 17 00:00:00 2001 
From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:49:31 +0530 Subject: [PATCH 05/11] Update ksp-prevent-crypto-miners.yaml --- generic/system/ksp-prevent-crypto-miners.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/generic/system/ksp-prevent-crypto-miners.yaml b/generic/system/ksp-prevent-crypto-miners.yaml index daf465ed..bde9eb30 100644 --- a/generic/system/ksp-prevent-crypto-miners.yaml +++ b/generic/system/ksp-prevent-crypto-miners.yaml @@ -65,4 +65,5 @@ spec: severity: 10 tags: - cryptominer - - MITRE_T1496_resource_hijacking \ No newline at end of file + - MITRE_T1496_resource_hijacking + - MITRE From a9eccbe8f220e252efdd4ba7b54b52e1ebac4630 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:51:46 +0530 Subject: [PATCH 06/11] Update ksp-network-service-scanning.yaml --- generic/system/ksp-network-service-scanning.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/system/ksp-network-service-scanning.yaml b/generic/system/ksp-network-service-scanning.yaml index 7cde12bb..09f428f8 100644 --- a/generic/system/ksp-network-service-scanning.yaml +++ b/generic/system/ksp-network-service-scanning.yaml @@ -8,7 +8,7 @@ metadata: name: ksp-network-service-scanning namespace: default # Change your namespace spec: - tags: ["MITRE", "FGT1046","FIGHT","5G"] + tags: ["MITRE", "FGT1046", "FIGHT", "5G", "MITRE_T1046_Network_Service_Discovery"] message: "Network service has been scanned!" selector: matchLabels: From a118fcfea01df15caab5bdbf90dbbc79d791c363 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:52:38 +0530 Subject: [PATCH 07/11] Update ksp-deny-write-in-shm-folder.yaml --- generic/system/ksp-deny-write-in-shm-folder.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/generic/system/ksp-deny-write-in-shm-folder.yaml b/generic/system/ksp-deny-write-in-shm-folder.yaml index 04f73b5a..d808bb66 100644 --- a/generic/system/ksp-deny-write-in-shm-folder.yaml +++ b/generic/system/ksp-deny-write-in-shm-folder.yaml @@ -13,5 +13,5 @@ spec: message: Alert! write to /dev/shm folder prevented. severity: 5 tags: - - MITRE_execution - - MITRE \ No newline at end of file + - MITRE_Execution + - MITRE From 8c64245fbb1a29e59fb23330e2137cbaab8659b7 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:53:04 +0530 Subject: [PATCH 08/11] Update ksp-deny-write-in-shm-folder.yaml --- generic/system/ksp-deny-write-in-shm-folder.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/system/ksp-deny-write-in-shm-folder.yaml b/generic/system/ksp-deny-write-in-shm-folder.yaml index d808bb66..4ea7e6b8 100644 --- a/generic/system/ksp-deny-write-in-shm-folder.yaml +++ b/generic/system/ksp-deny-write-in-shm-folder.yaml @@ -13,5 +13,5 @@ spec: message: Alert! write to /dev/shm folder prevented. severity: 5 tags: - - MITRE_Execution + - MITRE_TA0002_Execution - MITRE From d072b37ca0ab5b236e933ab775f805be256d3026 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Mon, 20 May 2024 08:54:48 +0530 Subject: [PATCH 09/11] Update metadata.yaml --- generic/system/metadata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml index 97e98d42..7363d5e2 100644 --- a/generic/system/metadata.yaml +++ b/generic/system/metadata.yaml 
@@ -127,7 +127,7 @@ policyRules: - https://attack.mitre.org/techniques/T1609/ tldr: Prevent execution of container administration tools within a container detailed: Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. - yaml: ksp-deny-k8s-client-tool-execution-inside container.yaml + yaml: ksp-deny-k8s-client-tool-execution-inside-container.yaml - name: remote-file-copy precondition: - /usr/bin/rsync From da498b7397cb6d0a1ae87dd40a1a2d3c48b6b1a9 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Tue, 21 May 2024 08:59:06 +0530 Subject: [PATCH 10/11] Update metadata.yaml --- generic/system/metadata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml index 7363d5e2..c4957770 100644 --- a/generic/system/metadata.yaml +++ b/generic/system/metadata.yaml @@ -312,7 +312,7 @@ policyRules: - name: MITRE_T1565_data_manipulation url: - https://attack.mitre.org/techniques/T1565/ - tldr: File Integrity Monitoring + tldr: File Integrity Monitoring/Protection detailed: Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. From f7b1507c8b42c5acf347a15205196fb7511a9662 Mon Sep 17 00:00:00 2001 From: salman-accuknox <86464007+salman-accuknox@users.noreply.github.com> Date: Tue, 21 May 2024 08:59:56 +0530 Subject: [PATCH 11/11] Update metadata.yaml --- generic/system/metadata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml index c4957770..e856c80c 100644 --- a/generic/system/metadata.yaml +++ b/generic/system/metadata.yaml @@ -77,7 +77,7 @@ policyRules: - name: NIST-SI-4 url: - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ - tldr: Audit file events in the /dev/ directory, for enhanced security + tldr: Audit device directory for enhanced security detailed: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at system boundaries. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems,
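Review bot: In PATCH 01, hunk `@@ -46,28 +46,28 @@`, the `write-under-bin-dir` rule is disabled by commenting out all 17 lines rather than deleting them, and nothing in the commit message ("Update metadata.yaml") or in a YAML comment says why. The policy file it references, `ksp-nist-si-4-mkdir-bin-dir.yaml`, is not touched anywhere in this series, so it stays in `generic/system/` without a metadata entry. Either remove the block and the policy file together, or keep the block and add a one-line comment above it stating the reason it is disabled and when it can be re-enabled, so the next reader does not have to guess.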
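Review bot: In PATCH 01, hunk `@@ -125,7 +125,7 @@`, the unchanged context line `yaml: ksp-deny-k8s-client-tool-execution-inside container.yaml` carries a space in the file name; it is only corrected to `ksp-deny-k8s-client-tool-execution-inside-container.yaml` in PATCH 09. Squash PATCH 09 into PATCH 01 so no intermediate commit references a file that cannot exist under that name, and confirm the policy file in `generic/system/` is actually named with the hyphen, since the metadata entry is what ties the rule to its policy.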
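Review bot: In PATCH 01, hunk `@@ -376,6 +376,6 @@`, the new `tldr: Cryptojacking, Crypto mining, Malware protection` is a list of keywords, not the short imperative summary every other rewritten `tldr` in this patch uses ("Prevent ...", "Audit ...", "Restrict ..."); something like `tldr: Prevent resource hijacking by crypto-mining processes` would match the rest and still cover the `MITRE_T1496_resource_hijacking` reference above it. The same consistency point applies to hunk `@@ -109,7 +109,7 @@`, where the new `tldr` is a full sentence ending in a period, unlike all the others.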
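Review bot: In PATCH 04, the added line `tags: ["MITRE", "FGT1562", "FIGHT", "5G", "MITRE_T1562_Impair _Defenses"]` has a stray space inside the last tag (`Impair _Defenses`). Tags are compared as literal strings when alerts are filtered or grouped, so this tag will never match a query for `MITRE_T1562_Impair_Defenses` and the policy will silently fall out of any T1562 view. Change it to `"MITRE_T1562_Impair_Defenses"`.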
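Review bot: The technique tags added across PATCH 02, 03, 05, 06 and 08 do not follow one naming convention: `MITRE_T1553_Subvert_Trust_Controls` and `MITRE_T1021_Remote_Services` use Title_Case words, `MITRE_TA0002_Execution` uses a tactic id, while the pre-existing `MITRE_T1496_resource_hijacking` kept in PATCH 05 is lowercase. Since these tags exist to group alerts by ATT&CK technique, pick one form (for example `MITRE_<id>_<Title_Case_Name>`) and apply it to every tag the series touches, including the lowercase one in `ksp-prevent-crypto-miners.yaml`.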
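Review bot: PATCH 07 and PATCH 08 rewrite the same tag line of `ksp-deny-write-in-shm-folder.yaml` in consecutive commits (`MITRE_execution` to `MITRE_Execution` to `MITRE_TA0002_Execution`), and PATCH 09, 10 and 11 re-edit `metadata.yaml` lines that PATCH 01 already changed (hunks `@@ -125` and `@@ -77`). All eleven commit messages read "Update <file>", which says nothing about what changed. Squash to one commit per file, or one for the whole tag/tldr cleanup, with a message that states the intent (for example, aligning policy tags with ATT&CK technique ids and rewording `tldr` summaries).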
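Review bot: In PATCH 11, hunk `@@ -77,7 +77,7 @@`, `tldr: Audit device directory for enhanced security` drops the concrete path and the event type that the PATCH 01 wording (`Audit file events in the /dev/ directory ...`) and the rule's own precondition (`/dev/*`) carry, and "for enhanced security" adds nothing a reader can act on. Keep the specifics, for example `tldr: Audit file events under /dev/`, so the summary still tells the operator what the rule watches.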