WARNING
Adding ssh keys to authorized_keys
After gaining access, attackers can modify the authorized_keys file to maintain persistence on a victim host. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. This rule aims to detect any modification to the authorized_keys file, which is usually located under the .ssh directory in a user's home directory. It complements the more generic auditing rule "Read ssh information" by specifically detecting the writing of new, potentially attacker-provided keys.
open_write and (user_ssh_directory or fd.name startswith /root/.ssh) and fd.name endswith authorized_keys and not proc.name in (ssh_binaries)
NOTICE
BPF Program Not Profiled
BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
evt.type=bpf and (evt.arg.cmd=5 or evt.arg.cmd=BPF_PROG_LOAD) and not bpf_profiled_procs
tags ["maturity_incubating", "host", "container", "mitre_persistence", "TA0003"]
WARNING
Backdoored library loaded into SSHD (CVE-2024-3094)
This rule detects possible CVE-2024-3094 exploitation when the SSH daemon process loads a vulnerable version of the liblzma library. An attacker could exploit this to interfere with authentication in sshd via systemd, potentially compromising sensitive data or escalating their privileges.
open_read and proc.name=sshd and (fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1")
NOTICE
Basic Interactive Reconnaissance
This rule detects basic interactive reconnaissance commands that are typically run by unsophisticated attackers or used in internal Red Team exercises. Interactive is defined as a terminal being present (proc.tty != 0). This could be any form of reverse shell or usage of kubectl exec or ssh etc. In addition, filtering for the process being the process group leader indicates that the command was "directly" typed into the terminal and not run as a result of a script. This rule is a basic auditing or template rule. You can expand the list of reconnaissance commands, such as by adding "ls". Common anti-patterns are SRE activity or debugging, but it is still worth capturing this generically. Typically, you would expect other rules to fire as well in relation to this activity.
spawned_process and recon_binaries_procs and proc.tty != 0 and proc.is_vpgid_leader=true
tags ["maturity_sandbox", "host", "container", "process", "mitre_reconnaissance", "TA0043"]
NOTICE
Change namespace privileges via unshare
Unprivileged users in containers may not have CAP_SYS_ADMIN or other elevated privileges. However, they can use the unshare system call with CLONE_NEWNS or CLONE_NEWUSER to create or clone a namespace or user with the necessary privileges to conduct further attacks. It is best practice to block the unshare system call via seccomp if it is not needed. Misuse of unshare can be related to misconfigured Kubernetes clusters, for example.
evt.type=unshare and container and not thread.cap_permitted contains CAP_SYS_ADMIN
NOTICE
Change thread namespace
Detect an attempt to alter the namespace of a process (often performed while creating a container) through the setns syscall. Conversely, the same setns syscall is triggered when an unauthorized attempt is made to break out from the container to the host, for example when using commands like `nsenter --target 1` and similar ones. We recommend profiling your environment and refining this rule for effective operationalization.
evt.type=setns and proc_name_exists and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter)) and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries) and not proc.name in (user_known_change_thread_namespace_binaries) and not proc.name startswith "runc" and not proc.cmdline startswith "containerd" and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet, protokube, dockerd, tini, aws) and not java_running_sdjagent and not kubelet_running_loopback and not rancher_agent and not rancher_network_manager and not calico_node and not weaveworks_scope and not user_known_change_thread_namespace_activities
WARNING
Clear Log Activities
Detect clearing of critical access log files, typically done to erase evidence that could be attributed to an adversary's actions. To effectively customize and operationalize this detection, check for potentially missing log file destinations relevant to your environment, and adjust the profiled containers you wish not to be alerted on.
open_write and access_log_files and evt.arg.flags contains "O_TRUNC" and not containerd_activities and not trusted_logging_images and not allowed_clear_log_files
NOTICE
Contact EC2 Instance Metadata Service From Container
Detects attempts to communicate with the EC2 Instance Metadata Service from a container. This detection is narrowly focused and might not apply to your environment. In addition, it could generate noise and require fine-tuning.
outbound and container and fd.sip="169.254.169.254" and not ec2_metadata_containers
NOTICE
Contact K8S API Server From Container
Detect attempts to communicate with the K8S API Server from a container by non-profiled users. Kubernetes APIs play a pivotal role in configuring the cluster management lifecycle. Detecting potential unauthorized access to the API server is of utmost importance. Audit your complete infrastructure and pinpoint any potential machines from which the API server might be accessible based on your network layout. If Falco can't operate on all these machines, consider analyzing the Kubernetes audit logs (typically drained from control nodes, and Falco offers a k8saudit plugin) as an additional data source for detections within the control plane.
evt.type=connect and (fd.typechar=4 or fd.typechar=6) and container and k8s_api_server and not k8s_containers and not user_known_contact_k8s_api_server_activities
NOTICE
Contact cloud metadata service from container
Detects attempts to communicate with the Cloud Instance Metadata Service from a container. This detection is narrowly focused and might not apply to your environment. In addition, it could generate noise and require fine-tuning.
outbound and container and fd.sip="169.254.169.254" and not user_known_metadata_access
WARNING
Container Access to Host Sensitive Paths
Detects container processes accessing paths that typically only exist when the host filesystem is mounted into the container (like /host, /rootfs, /hostfs). This may indicate a container escape attempt or a misconfigured volume mount that exposes the host filesystem. Legitimate monitoring or backup containers may access these paths, so tune accordingly using the user_known_host_path_access macro.
(open_read or open_write) and container and (fd.name startswith /host/ or
fd.name startswith /rootfs/ or
fd.name startswith /hostfs/)
and not known_container_runtime_host_access and not user_known_host_path_access
ERROR
Container Drift Detected (chmod)
Detect new executables created within a container as a result of chmod. While this detection can generate significant noise, chmod usage is frequently linked to dropping and executing malicious implants. The newer rule "Drop and execute new binary in container" provides more precise detection of this TTP using unambiguous kernel signals. It is recommended to use the new rule. However, this rule might be more relevant for auditing if applicable in your environment, such as when chmod is used on files within the /tmp folder.
chmod and container and evt.rawres>=0 and ((evt.arg.mode contains "S_IXUSR") or
(evt.arg.mode contains "S_IXGRP") or
(evt.arg.mode contains "S_IXOTH"))
and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities
ERROR
Container Drift Detected (open+create)
Detect new executables created within a container as a result of open+create. The newer rule "Drop and execute new binary in container" provides more precise detection of this TTP using unambiguous kernel signals. It is recommended to use the new rule.
evt.type in (open,openat,openat2,creat) and evt.rawres>=0 and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities
INFO
Container Run as Root User
Container detected running as the root user. This should be taken into account especially when policies disallow containers from running with root user privileges. Note that a root user in containers doesn't inherently possess extensive power, as modern container environments define privileges through Linux capabilities. To learn more, check out the rule "Launch Privileged Container".
spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container
WARNING
Create Hardlink Over Sensitive Files
Detect a hardlink created over a curated list of sensitive files or subdirectories under /etc/ or root directories. Can be customized as needed. Refer to the further, equivalent guidance within the rule "Read sensitive file untrusted".
create_hardlink and (evt.arg.oldpath in (sensitive_file_names))
NOTICE
Create Hidden Files or Directories
Detecting the creation of hidden files or directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
((modify and evt.arg.newpath contains "/.") or
(mkdir and evt.arg.path contains "/.") or
(open_write and evt.arg.flags contains "O_CREAT" and fd.name contains "/." and not fd.name pmatch (exclude_hidden_directories)))
and not user_known_create_hidden_file_activities and not exe_running_docker_save
WARNING
Create Symlink Over Sensitive Files
Detect symlinks created over a curated list of sensitive files or subdirectories under /etc/ or root directories. Can be customized as needed. Refer to further and equivalent guidance within the rule "Read sensitive file untrusted".
create_symlink and (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
ERROR
Create files below dev
Detect the creation of files under /dev except for authorized device management programs. This can reveal rootkits hiding files in /dev. Additionally, consider the "Execution from /dev/shm" rule. The upstream rule already covers some tuning scenarios that you can further expand upon.
(evt.type = creat or (evt.type in (open,openat,openat2))) and evt.arg.flags contains O_CREAT and fd.directory = /dev and not proc.name in (dev_creation_binaries) and not fd.name in (allowed_dev_files) and not fd.name startswith /dev/tty and not user_known_create_files_below_dev_activities
NOTICE
DB program spawned process
A program related to the database server creates an unexpected child process (other than itself). This is not supposed to happen and often follows SQL injection attacks. This behavioral detection could indicate potential unauthorized data extraction or tampering with the database.
spawned_process and proc.pname in (db_server_binaries) and not proc.name in (db_server_binaries) and not postgres_running_wal_e and not user_known_db_spawned_processes
WARNING
Debugfs Launched in Privileged Container
Detect the file system debugger debugfs launched inside a privileged container, which might lead to container escape. This rule has a narrow scope.
spawned_process and container and container.privileged=true and proc.name=debugfs
INFO
Decoding Payload in Container
Detect any use of base64 decoding in a container. Legitimate applications may decode encoded payloads. The template list known_decode_payload_containers can be used for simple tuning and customization, or you can adopt custom, more refined tuning. Less sophisticated adversaries may base64-decode their payloads not only to obfuscate them, but also to ensure that the payload remains intact when the application processes it. Note that injecting commands into an application's input often results in the application processing passed strings like "sh -c". In these cases, you may be lucky and the encoded blob will also be logged. Otherwise, all you will see is the base64 decoding command, as the encoded blob was already interpreted by the shell.
spawned_process and container and base64_decoding and not container.image.repository in (known_decode_payload_containers)
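A Falco rules override file showing how the tuning hooks named in the descriptions above are filled in: replacing the user_known_host_path_access macro used by "Container Access to Host Sensitive Paths" and appending to the known_decode_payload_containers list used by "Decoding Payload in Container". This is an added example, not part of the upstream rule set; the image names are constructed placeholders, and the override syntax assumed here is the Falco 0.36+ `override` form.

```yaml
# Added example: local tuning file loaded after the upstream rules
# (e.g. /etc/falco/rules.d/local_tuning.yaml). Nothing here is from
# the upstream rule set; image names are constructed placeholders.

# "Container Access to Host Sensitive Paths" excludes matches of
# user_known_host_path_access. Replace the (empty) upstream macro with
# the one backup image that legitimately reads /host/ and /rootfs/.
# Matching on the image repository rather than proc.name keeps a
# renamed binary in another image from inheriting the exception.
- macro: user_known_host_path_access
  condition: >
    (container.image.repository in ("registry.example.com/backup-agent")
     and proc.name in (restic, rsync))
  override:
    condition: replace

# "Decoding Payload in Container" excludes images listed in
# known_decode_payload_containers. Append rather than replace so the
# upstream template entries are preserved.
- list: known_decode_payload_containers
  items: ["registry.example.com/ci-runner"]
  override:
    items: append
```

Keep the exceptions as narrow as the evidence allows: an allow-list entry on a mutable tag (e.g. `:latest`) silences the rule for whatever is later pushed under that name, so pin to a repository you control and review the list when images change.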
WARNING
Delete or rename shell history
Detect shell history deletion, frequently used by unsophisticated adversaries to eliminate evidence. Note that it can also trigger when exiting a Terminal shell, such as with `kubectl exec`, which may introduce some noise.
(modify_shell_history or truncate_shell_history) and not var_lib_docker_filepath and not proc.name in (docker_binaries)
CRITICAL
Detect crypto miners using the Stratum protocol
Miners commonly specify the mining pool to connect to using a URI that starts with "stratum+tcp". However, this rule is highly specific to this technique, and matching command-line arguments can generally be bypassed quite easily.
spawned_process and (proc.cmdline contains "stratum+tcp" or
proc.cmdline contains "stratum2+tcp" or
proc.cmdline contains "stratum+ssl" or
proc.cmdline contains "stratum2+ssl")
CRITICAL
Detect outbound connections to common miner pool ports
Miners usually connect to miner pools using standard ports, and this rule flags such activity. Important: Falco currently sends DNS requests to resolve miner pool domains, which could trigger other alerts. Before enabling this rule, verify that this is acceptable for your environment. This rule is disabled for that reason.
net_miner_pool and not trusted_images_query_miner_domain_dns
CRITICAL
Detect release_agent File Container Escapes
Detect an attempt to exploit a container escape using the release_agent file. By running a container with certain capabilities, a privileged user can modify the release_agent file and escape from the container.
open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
WARNING
Directory traversal monitored file read
Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts.
(open_read or open_file_failed) and (etc_dir or user_ssh_directory or
fd.name startswith /root/.ssh or
fd.name contains "id_rsa")
and directory_traversal and not proc.pname in (shell_binaries)
NOTICE
Disallowed SSH Connection
Detect any new SSH connection on port 22 to a host other than those in an allowed list of hosts. This rule absolutely requires profiling your environment beforehand. Network-based rules are crucial in any security program, as they can often provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for noise.
inbound_outbound and ssh_port and not allowed_ssh_hosts
NOTICE
Disallowed SSH Connection Non Standard Port
Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or "Disallowed SSH Connection" rule.
outbound and proc.exe endswith ssh and fd.l4proto=tcp and ssh_non_standard_ports_network
CRITICAL
Drop and execute new binary in container
Detect if an executable not belonging to the base image of a container is being executed. The drop-and-execute pattern is observed very often after an attacker has gained an initial foothold. The is_exe_upper_layer filter field only applies to container runtimes that use overlayfs as the union mount filesystem. Adopters can utilize the provided template list known_drop_and_execute_containers, containing allowed container images known to execute binaries not included in their base image. Alternatively, you could exclude non-production namespaces in Kubernetes settings by adjusting the rule further. This helps reduce noise by applying application- and environment-specific knowledge to this rule. Common anti-patterns include administrators or SREs performing ad-hoc debugging.
spawned_process and container and proc.is_exe_upper_layer=true and not container.image.repository in (known_drop_and_execute_containers) and not known_drop_and_execute_activities
tags ["maturity_stable", "container", "process", "mitre_persistence", "TA0003", "PCI_DSS_11.5.1"]
WARNING
Execution from /dev/shm
This rule detects file execution in the /dev/shm directory, a tactic often used by threat actors to store their readable, writable, and occasionally executable files. /dev/shm acts as a link to the host or other containers, so it can expose them to compromise as well. Notably, /dev/shm remains unchanged even after a container restart. Consider this rule alongside the newer "Drop and execute new binary in container" rule.
spawned_process and (proc.exe startswith "/dev/shm/" or
(proc.cwd startswith "/dev/shm/" and proc.exe startswith "./" ) or
(shell_procs and proc.args startswith "-c /dev/shm") or
(shell_procs and proc.args startswith "-i /dev/shm") or
(shell_procs and proc.args startswith "/dev/shm") or
(proc.cwd startswith "/dev/shm/" and proc.args startswith "./" ))
and not container.image.repository in (falco_privileged_images, trusted_images)
NOTICE
Exfiltrating Artifacts via Kubernetes Control Plane
Detect the copying of artifacts from a container's file system using the Kubernetes control plane (kubectl cp). This rule can identify potential exfiltration of application secrets from containers' file systems, potentially revealing the outcomes of unauthorized access and control plane misuse via stolen identities (such as stolen credentials like Kubernetes serviceaccount tokens). Can be customized by the adopter to only monitor specific artifact paths, containers, or namespaces as needed.
open_read and container and proc.name=tar and container_entrypoint and proc.tty=0 and not system_level_side_effect_artifacts_kubectl_cp
tags ["maturity_incubating", "container", "filesystem", "mitre_exfiltration", "TA0010"]
CRITICAL
Fileless execution via memfd_create
Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes by adding items to the list known_memfd_execution_processes.
spawned_process and proc.is_exe_from_memfd=true and not known_memfd_execution_processes
WARNING
Find AWS Credentials
Detect attempts to search for private keys or passwords using the grep or find command, particularly targeting standard AWS credential locations. This is often seen with unsophisticated attackers, as there are many ways to access files using bash built-ins that could go unnoticed. Regardless, this serves as a solid baseline detection that can be tailored to cover these gaps while maintaining an acceptable noise level. This rule complements the rule "Search Private Keys or Passwords".
spawned_process and ((grep_commands and private_aws_credentials) or
(proc.name = "find" and proc.args endswith ".aws/credentials"))
NOTICE
Interpreted procs inbound network activity
Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.). While it offers broad coverage and behavioral insights, operationalizing it effectively requires significant time and might result in a moderate level of noise. We suggest customizing this rule to be more specific. For example, you could set it up to alert only for important namespaces after studying their usual behavior.
inbound and interpreted_procs
tags ["maturity_sandbox", "host", "container", "network", "mitre_exfiltration", "TA0011"]
NOTICE
Interpreted procs outbound network activity
Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.). While it offers broad coverage and behavioral insights, operationalizing it effectively requires significant time and might result in a moderate level of noise. We suggest customizing this rule to be more specific. For example, you could set it up to alert only for important namespaces after studying their usual behavior.
outbound and interpreted_procs
tags ["maturity_sandbox", "host", "container", "network", "mitre_exfiltration", "TA0011"]
CRITICAL
Java Process Class File Download
Detect a Java process downloading a class file, which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228). This rule is highly specific in its scope.
java_network_read and evt.buffer bcontains cafebabe
CRITICAL
Known Cryptominer Process Executed
Detects execution of known cryptocurrency mining software by matching process names against a list of common miners. Cryptominers are commonly deployed by attackers after gaining initial access to monetize compromised systems. This rule complements the existing "Detect crypto miners using the Stratum protocol" rule by catching miners that may use renamed binaries but still match known miner process names. Consider tuning this rule if you have legitimate mining operations in your environment.
spawned_process and is_miner_process
WARNING
Kubernetes Client Tool Launched in Container
Detect the execution of a Kubernetes client tool (like docker, kubectl, crictl) within a container, which is typically not expected behavior. Although this rule targets container workloads, monitoring the use of tools like crictl on the host over interactive access could also be valuable for broader auditing objectives.
spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries)
WARNING
Launch Disallowed Container
Detect the initial process launched within a container that is not in a list of allowed containers. This rule holds value for generic auditing; however, this rule requires a good understanding of your setup and consistent effort to keep the list of allowed containers current. In some situations, this can be challenging to manage.
container_started and not allowed_containers
INFO
Launch Excessively Capable Container
Identify containers that start with a powerful set of capabilities, with exceptions for recognized trusted images. Similar to the "Launch Privileged Container" rule, this functions as a robust auditing rule. Compromised highly privileged containers can lead to substantial harm. For instance, if another rule is triggered within such a container, it might raise suspicion, prompting closer scrutiny.
container_started and excessively_capable_container and not falco_privileged_containers and not user_privileged_containers
NOTICE
Launch Ingress Remote File Copy Tools in Container
Detect ingress remote file copy tools (such as curl or wget) launched inside containers. This rule can be considered a valuable auditing tool, but it has the potential to generate notable noise and requires careful profiling before full operationalization.
spawned_process and container and (ingress_remote_file_copy_procs or curl_download) and not user_known_ingress_remote_file_copy_activities
tags ["maturity_incubating", "container", "network", "process", "mitre_command_and_control", "TA0011"]
ERROR
Launch Package Management Process in Container
Detect package management processes executed within containers. An excellent auditing rule to monitor general drifts in containers. Particularly useful for newer rules like "Drop and execute new binary in container" during incident response investigations. This helps identify common anti-patterns of ad-hoc debugging. Simultaneously, to maintain optimal hygiene, it's recommended to prevent container drifts and instead opt for redeploying new containers.
spawned_process and container and user.name != "_apt" and package_mgmt_procs and not package_mgmt_ancestor_procs and not user_known_package_manager_in_container and not pkg_mgmt_in_kube_proxy
INFO
Launch Privileged Container
Detect the initial process initiation within a privileged container, with exemptions for known and trusted images. This rule primarily serves as an excellent auditing mechanism since highly privileged containers, when compromised, can result in significant harm. For instance, if another rule triggers within such a privileged container, it could be seen as more suspicious, prompting a closer inspection.
container_started and container.privileged=true and not falco_privileged_containers and not user_privileged_containers and not redhat_image
NOTICE
Launch Remote File Copy Tools in Container
Detect remote file copy tools (like rsync, scp, sftp, dcp) launched within a container, potentially indicating data exfiltration. Suggest refining this rule to accommodate legitimate use cases.
spawned_process and container and remote_file_copy_procs and not user_known_remote_file_copy_activities
INFO
Launch Sensitive Mount Container
Detect the initial process launched within a container that has a mount from a sensitive host directory (e.g. /proc). Exceptions are made for known trusted images. This rule holds value for generic auditing; however, its noisiness varies based on your environment.
container_started and sensitive_mount and not falco_sensitive_mount_containers and not user_sensitive_mount_containers
NOTICE
Launch Suspicious Network Tool in Container
Detect network tools (like netcat, nmap, tcpdump, socat, and more) launched within containers without any additional filters. This serves as a valuable general detection, but it's recommended to invest engineering effort to fine-tune it and prevent a high volume of legitimate logs. This rule complements the more specific "Netcat Remote Code Execution in Container" rule.
spawned_process and container and network_tool_procs and not user_known_network_tool_activities
NOTICE
Launch Suspicious Network Tool on Host
Detect network tools (like netcat, nmap, tcpdump, socat, and more) launched on the host without any additional filters. This serves as a valuable general detection, but it's recommended to invest engineering effort to fine-tune it and prevent a high volume of legitimate logs. This is the host equivalent of "Launch Suspicious Network Tool in Container".
spawned_process and not container and network_tool_procs and not user_known_network_tool_activities
WARNING
Linux Kernel Module Injection Detected
Detect injection of Linux kernel modules from containers using insmod or modprobe with the init_module and finit_module syscalls, given the precondition of the sys_module effective capability. Profile the environment and consider the allowed_container_images_loading_kernel_module list to reduce noise and account for legitimate cases.
kernel_module_load and container and thread.cap_effective icontains sys_module and not container.image.repository in (allowed_container_images_loading_kernel_module)
tags ["maturity_stable", "host", "container", "process", "mitre_persistence", "TA0003"]
Trying to create a directory below a set of binary directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities and not exe_running_docker_save
WARNING
Modify Container Entrypoint
This rule detects an attempt to write to the container entrypoint symlink (/proc/self/exe), a possible CVE-2019-5736 container breakout exploitation attempt. This rule has a narrow scope.
open_write and container and (fd.name=/proc/self/exe or fd.name startswith /proc/self/fd/) and not docker_procs and not proc.cmdline = "runc:[1:CHILD] init"