diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 8f54193d9..b9d1f456f 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -17,7 +17,7 @@ # Starting with version 8, the Falco engine supports exceptions. # However the Falco rules file does not use them by default. -- required_engine_version: 13 +- required_engine_version: 16 # Currently disabled as read/write are ignored syscalls. The nearly # similar open_write/open_read check for files being opened for @@ -490,6 +490,30 @@ WARNING tags: [host, container, filesystem, mitre_discovery, T1546.004] +# List of allowed container images that are known to execute binaries not part of their base image. +# Users can use this list to better tune the rule below (i.e reducing false positives) by considering their workloads, +# since this requires application specific knowledge. +- list: known_drop_and_execute_containers + items: [] + +- rule: Drop and execute new binary in container + desc: + Detect if an executable not belonging to the base image of a container is being executed. + The drop and execute pattern can be observed very often after an attacker gained an initial foothold. + is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. + condition: > + spawned_process + and container + and proc.is_exe_upper_layer=true + and not container.image.repository in (known_drop_and_execute_containers) + output: > + Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id + image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags + proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start + proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res) + priority: CRITICAL + tags: [container, mitre_persistence, TA0003] + - macro: user_known_cron_jobs condition: (never_true) @@ -3335,4 +3359,4 @@ # Application rules have moved to application_rules.yaml. Please look # there if you want to enable them by adding to -# falco_rules.local.yaml. \ No newline at end of file +# falco_rules.local.yaml.