Runtime / Cloud

Falco

97 rules · runtime / container / cloud detection
Falco is the CNCF runtime security engine. These rules match suspicious behaviour at the kernel-syscall, container, and cloud-audit layers - process spawns, file access, network activity, and privilege changes inside running workloads. The condition is Falco's own filter language; a rule fires when its condition evaluates true against a live event stream. Rules ship under Apache-2.0 from the upstream falcosecurity/rules repository.
Using these runtime rules
Deploy. Load them into Falco on your hosts, Kubernetes nodes, or through the cloud-audit plugin; Falco evaluates each condition against the live syscall and audit stream and alerts the instant one matches.
Adapt. Conditions use Falco's own fields and macros - scope a rule with container, namespace, or image filters so it fires only where it should, and add exceptions for known-good behaviour to keep the noise down.
Scope. This is runtime detection: process spawns, file and network activity, and privilege changes inside running workloads. It sees what happens on the box as it happens, and complements rather than replaces log and network detection.
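The Adapt step above is usually done in a separate rules file loaded after the upstream falco_rules.yaml, using Falco's override keywords rather than by editing the upstream file. The following is an added example, not code from this page or from the falcosecurity/rules project: it tunes three of the rules listed below (Packet socket created in container, Modify Shell Configuration File, Mount Launched in Privileged Container). The file path, the registry and image names, the process names and the exception name are hypothetical placeholders; the list, macro and rule names are the upstream ones and must already be loaded. The override syntax is Falco's (0.36 and later).

```yaml
# Added example: /etc/falco/rules.d/50-site-tuning.yaml (hypothetical path).
# Loaded after the upstream falco_rules.yaml, so every list, macro and rule
# referenced here already exists. Image and process names are placeholders.

# 1. Packet socket created in container: extend the template list so a known
#    capture tool no longer fires. Appending keeps upstream entries intact.
#    Caveat: proc.name is trivially spoofable (an attacker can rename a binary),
#    so prefer the image- or lineage-keyed forms used in 2 and 3 where you can.
- list: user_known_packet_socket_binaries
  items: [tcpdump]
  override:
    items: append

# 2. Modify Shell Configuration File: upstream defines this macro as
#    (never_true). Replace it with a narrow allow-list keyed on the image,
#    the process and the path written, not on the process name alone.
- macro: user_known_shell_config_modifiers
  condition: >
    (container.image.repository = "registry.example.com/infra/config-agent"
     and proc.name = "python3"
     and fd.name startswith "/etc/profile.d/")
  override:
    condition: replace

# 3. Mount Launched in Privileged Container: add a structured exception
#    instead of rewriting the upstream condition. All fields listed in
#    `fields` must match (logical AND) for the event to be suppressed.
- rule: Mount Launched in Privileged Container
  exceptions:
    - name: site_csi_node_driver
      fields: [container.image.repository, proc.pname]
      comps: [=, =]
      values:
        - ["registry.example.com/storage/csi-node-driver", "csi-node-driver"]
  override:
    exceptions: append
```

Validate before deploying with `falco -V`, passing the upstream rules file first and the override file second so that the referenced names resolve; an override that names a list, macro or rule which does not exist is rejected at load time, which is the behaviour you want, since a silently ignored override would leave the noisy rule firing or, worse, leave you believing an exception is in place when it is not.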

Rules

47 shown of 97
WARNING
Modify Shell Configuration File
Detect attempts to modify shell configuration files, primarily aimed at establishing persistence by automatically inserting commands into scripts executed by shells. The upstream rule excludes shell processes because they often create unnecessary noise. However, this might lead to missed detections. To customize the rule for your situation, you can fine-tune it using enhanced profiling. For example, you might want to only consider interactive shell processes (where proc.tty != 0).
open_write and (fd.filename in (shell_config_filenames) or
     fd.name in (shell_config_files) or
     fd.directory in (shell_config_directories))
and not proc.name in (shell_binaries) and not exe_running_docker_save and not user_known_shell_config_modifiers
tags ["maturity_incubating", "host", "container", "filesystem", "mitre_persistence", "T1546.004"]
ERROR
Modify binary dirs
Detect attempts to modify any file below a set of binary directories. This can serve as an auditing rule to track general system changes. Such rules can be noisy and hard to interpret, particularly if your systems are updated frequently. However, careful profiling of your environment can turn this into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
modify and bin_dir_rename and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_defense_evasion", "T1222.002"]
WARNING
Mount Launched in Privileged Container
Detect filesystem mounts (using the mount binary) within a privileged container. Due to the elevated privileges, this action could be one of the TTPs used in an attempt to escape from a container to the host. This type of action is often preceded by reconnaissance activities, for which you can also create custom rules.
spawned_process and container and container.privileged=true and proc.name=mount and not mount_info and not known_gke_mount_in_privileged_containers and not known_aks_mount_in_privileged_containers and not known_eks_mount_in_privileged_containers and not user_known_mount_in_privileged_containers
tags ["maturity_incubating", "container", "cis", "filesystem", "mitre_privilege_escalation", "T1611"]
WARNING
Netcat Remote Code Execution in Container
A netcat program run inside a container with an option that executes a command on connection. This allows remote code execution and is used in a variety of reverse shell payloads (https://github.com/swisskyrepo/PayloadsAllTheThings/). These programs are of higher relevance because they are commonly installed on UNIX-like operating systems. Can fire together with the "Redirect STDOUT/STDIN to Network Connection in Container" rule, which keys on a different evt.type.
spawned_process and container and ((proc.name = "nc" and (proc.cmdline contains " -e" or
                            proc.cmdline contains " -c")) or
     (proc.name = "ncat" and (proc.args contains "--sh-exec" or
                              proc.args contains "--exec" or proc.args contains "-e " or
                              proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
tags ["maturity_stable", "container", "network", "process", "mitre_execution", "T1059"]
WARNING
Netcat/Socat Remote Code Execution on Host
A netcat or socat program run on the host with an option that executes a command on connection. This allows remote code execution and is used in a variety of reverse shell payloads (https://github.com/swisskyrepo/PayloadsAllTheThings/). These programs are of higher relevance because they are commonly installed on UNIX-like operating systems.
spawned_process and not container and ((proc.name = "nc" and (proc.cmdline contains "-e" or
                            proc.cmdline contains "-c")) or
     (proc.name = "ncat" and (proc.args contains "--sh-exec" or
                              proc.args contains "--exec" or proc.args contains "-e " or
                              proc.args contains "-c " or proc.args contains "--lua-exec")) or
     (proc.name = 'socat' and (proc.args contains "EXEC" or
                               proc.args contains "SYSTEM")))
tags ["maturity_sandbox", "host", "network", "process", "mitre_execution", "T1059"]
WARNING
Network Connection outside Local Subnet
Detect network traffic (inbound or outbound) from a container to a destination outside the local subnet. To operationalize this rule, profile your environment and update the template macro namespace_scope_network_only_subnet. Customizing network-related rules usually demands substantial engineering effort to ensure their functionality.
inbound_outbound and container and k8s.ns.name in (namespace_scope_network_only_subnet) and not network_local_subnet
tags ["maturity_incubating", "container", "network", "mitre_discovery", "T1046", "PCI_DSS_6.4.2"]
WARNING
Network Tool Executed During NPM Package Install
Detect network tools being launched when an NPM package is installed. Malicious NPM packages may invoke preinstall or postinstall commands, which can involve network tools to download malicious payloads or exfiltrate sensitive information. Network tools spawned by npm, node, yarn, pnpm, bun, or related processes during package installation should be investigated. This rule complements the more generic "Launch Suspicious Network Tool in Container" rule with a specific focus on the supply chain attack vector via NPM packages.
spawned_process and container and network_tool_procs and npm_package_install_ancestor and not user_known_network_tool_in_npm_install_activities
tags ["maturity_sandbox", "container", "network", "process", "mitre_execution", "T1195.002"]
NOTICE
Non sudo setuid
Detect attempts to change users through the setuid syscall, with exceptions for sudo/su. Calls made by root are excluded, as are users such as "nobody" calling setuid to their own uid (the somebody_becoming_themselves macro), since such calls typically involve reducing privileges. By switching users with setuid, an attacker could execute code in a different user's context, potentially with higher privileges. One drawback is the potential for noise, as many applications legitimately use this approach.
evt.type=setuid and (known_user_in_container or not container) and not (user.name=root or user.uid=0) and not somebody_becoming_themselves and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                      nomachine_binaries)
and not proc.name startswith "runc:" and not java_running_sdjagent and not nrpe_becoming_nagios and not user_known_non_sudo_setuid_conditions
tags ["maturity_incubating", "host", "container", "users", "mitre_privilege_escalation", "T1548.001"]
WARNING
Outbound Connection to C2 Servers
Detect outbound connections to command and control servers using a list of IP addresses and fully qualified domain names (FQDNs). This rule absolutely requires profiling your environment beforehand and populating the template lists: the condition can never evaluate to true while c2_server_ip_list and c2_server_fqdn_list are empty. Network-based rules are crucial in any security program, as they often provide the only definitive evidence, but operationalizing them is hard because of the potential for noise. This rule in particular is challenging to operationalize.
outbound and ((fd.sip in (c2_server_ip_list)) or
     (fd.sip.name in (c2_server_fqdn_list)))
tags ["maturity_deprecated", "host", "container", "network", "mitre_command_and_control", "TA0011"]
WARNING
Outbound or Inbound Traffic not to Authorized Server Process and Port
Detect traffic to an unauthorized server process and port within pre-defined containers. This rule absolutely requires profiling your environment beforehand and populating the list of container images to which it applies: the condition can never evaluate to true while allowed_image is empty. Network-based rules are crucial in any security program, as they often provide the only definitive evidence, but operationalizing them is hard because of the potential for noise. This rule in particular is challenging to operationalize.
inbound_outbound and container and container.image.repository in (allowed_image) and not proc.name in (authorized_server_binary) and not fd.sport in (authorized_server_port)
tags ["maturity_deprecated", "container", "network", "mitre_discovery", "TA0011", "NIST_800-53_CM-7"]
NOTICE
PTRACE anti-debug attempt
Detect usage of the PTRACE system call with the PTRACE_TRACEME argument, indicating a program actively attempting to avoid debuggers attaching to the process. This behavior is typically indicative of malware activity. Read more about PTRACE in the "PTRACE attached to process" rule.
evt.type=ptrace and evt.arg.request contains PTRACE_TRACEME and proc_name_exists
tags ["maturity_stable", "host", "container", "process", "mitre_defense_evasion", "T1622"]
WARNING
PTRACE attached to process
Detect an attempt to inject potentially malicious code into a process using PTRACE in order to evade process-based defenses or elevate privileges. Debuggers are the common benign source of this behavior. Profiling your environment via the known_ptrace_procs template macro can reduce noise. A successful ptrace syscall generates multiple events at once, so expect several alerts per attach.
ptrace_attach_or_injection and proc_name_exists and not known_ptrace_procs
tags ["maturity_stable", "host", "container", "process", "mitre_privilege_escalation", "T1055.008"]
NOTICE
Packet socket created in container
Detect a new packet socket at the device driver (OSI Layer 2) level in a container. A packet socket could be used by an attacker for ARP spoofing and for privilege escalation (CVE-2020-14386). Noise can be reduced with the user_known_packet_socket_binaries template list.
evt.type=socket and container and evt.arg.domain contains AF_PACKET and not proc.name in (user_known_packet_socket_binaries)
tags ["maturity_stable", "container", "network", "mitre_credential_access", "T1557.002"]
CRITICAL
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
This rule detects attempts to exploit a privilege escalation vulnerability in Polkit's pkexec. Through the execution of specially crafted code, a local user can exploit this weakness to attain root privileges on a compromised system. This rule is highly specific in its scope.
spawned_process and user.loginuid != 0 and proc.name=pkexec and proc.args = ''
tags ["maturity_sandbox", "host", "container", "process", "users", "mitre_privilege_escalation", "TA0004"]
NOTICE
Potential Local Privilege Escalation via Environment Variables Misuse
Process run with suspect environment variable that could be attempting privilege escalation. One use case is detecting the use of the GLIBC_TUNABLES environment variable, which could be used for privilege escalation on systems running vulnerable glibc versions. Only known and carefully profiled processes that legitimately exhibit this behavior should be excluded from this rule. This rule is expected to trigger on every attempt, even failed ones.
spawned_process and glibc_tunables_env
tags ["maturity_incubating", "host", "container", "users", "mitre_privilege_escalation", "TA0004"]
CRITICAL
Privileged Container Device Access
Detects container processes accessing raw block devices, which could be used to escape container isolation by directly reading or writing to host storage. This technique allows attackers to access the host filesystem, modify system files, or extract sensitive data even without traditional container escape. Requires the container to have privileged access or specific device permissions. Override user_known_privileged_device_access for legitimate storage operations.
(open_read or open_write) and container and (fd.name startswith /dev/sd or
     fd.name startswith /dev/nvme or
     fd.name startswith /dev/vd or
     fd.name startswith /dev/xvd or
     fd.name = /dev/mem or
     fd.name = /dev/kmem)
and not user_known_privileged_device_access
tags ["maturity_sandbox", "container", "filesystem", "mitre_privilege_escalation", "T1611"]
NOTICE
Program run with disallowed http proxy env
Detect curl or wget run with the HTTP_PROXY environment variable set. Attackers can manipulate the value of HTTP_PROXY to redirect an application's internal HTTP requests through a host they control, which could expose sensitive information like authentication keys and private data.
spawned_process and http_proxy_procs and proc.env icontains HTTP_PROXY and not allowed_ssh_proxy_env
tags ["maturity_incubating", "host", "container", "users", "mitre_execution", "T1204"]
WARNING
Read Shell Configuration File
This rule detects attempts made by non-shell programs to read shell configuration files. It offers additional generic auditing. It serves as a baseline detection alert for unusual shell configuration file accesses. The rule "Modify Shell Configuration File" might be more relevant and adequate for your specific cases.
open_read and (fd.filename in (shell_config_filenames) or
     fd.name in (shell_config_files) or
     fd.directory in (shell_config_directories))
and not proc.name in (shell_binaries)
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_discovery", "T1546.004"]
WARNING
Read environment variable from /proc files
An attempt to read process environment variables from /proc files. The consequences are akin to accessing traditional sensitive files, as sensitive data, including secrets, might be stored in environment variables. Understanding your environment, such as identifying critical namespaces, and incorporating extra filtering statements to alert exclusively for those, can enhance the rule's effectiveness.
open_read and container and (fd.name glob /proc/*/environ) and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files)
tags ["maturity_incubating", "container", "filesystem", "process", "mitre_discovery", "T1083"]
WARNING
Read sensitive file trusted after startup
An attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards. Can be customized as needed. In modern containerized cloud infrastructures, accessing traditional Linux sensitive files might be less relevant, yet it remains valuable for baseline detections. While we provide additional rules for SSH or cloud vendor-specific credentials, you can significantly enhance your security program by crafting custom rules for critical application credentials unique to your environment.
open_read and sensitive_files and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities
tags ["maturity_stable", "host", "container", "filesystem", "mitre_credential_access", "T1555"]
WARNING
Read sensitive file untrusted
An attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. Can be customized as needed. In modern containerized cloud infrastructures, accessing traditional Linux sensitive files might be less relevant, yet it remains valuable for baseline detections. While we provide additional rules for SSH or cloud vendor-specific credentials, you can significantly enhance your security program by crafting custom rules for critical application credentials unique to your environment.
open_read and sensitive_files and proc_name_exists and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
 cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
 vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
 in.proftpd, mandb, salt-call, salt-minion, postgres_mgmt_binaries,
 google_oslogin_
 )
and not cmp_cp_by_passwd and not ansible_running_python and not run_by_qualys and not run_by_chef and not run_by_google_accounts_daemon and not user_read_sensitive_file_conditions and not mandb_postinst and not perl_running_plesk and not perl_running_updmap and not veritas_driver_script and not perl_running_centrifydc and not runuser_reading_pam and not linux_bench_reading_etc_shadow and not user_known_read_sensitive_files_activities and not user_read_sensitive_file_containers
tags ["maturity_stable", "host", "container", "filesystem", "mitre_credential_access", "T1555"]
ERROR
Read ssh information
This rule identifies attempts to read files within ssh directories using programs that are not related to ssh. It is a simple and versatile detection that works well alongside the more specific rules focused on sensitive file access. You have a couple of options for using it effectively: adjust the specialized rules to cover all the important scenarios and ensure they take precedence in rule matching, or analyze the combined view of ssh-related file access across the various rules on your downstream computing platform. As with other rules, you can narrow monitoring down to specific processes, or limit it to interactive access only.
(open_read or open_directory)
 and (user_ssh_directory or fd.name startswith /root/.ssh)
 and not user_known_read_ssh_information_activities
 and not proc.name in (ssh_binaries)
tags ["maturity_incubating", "host", "container", "filesystem", "mitre_collection", "T1005"]
NOTICE
Redirect STDOUT/STDIN to Network Connection in Container
Detect redirection of stdout/stdin to a network connection within a container, achieved by utilizing a variant of the dup syscall (potential reverse shell or remote code execution, https://github.com/swisskyrepo/PayloadsAllTheThings/). This detection is behavior-based and may generate noise in the system; it can be adjusted using the user_known_stand_streams_redirect_activities template macro. Tuning can be performed similarly to existing detections based on process lineage or container images, and/or it can be limited to interactive ttys (proc.tty != 0).
dup and container and evt.rawres in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
tags ["maturity_stable", "container", "network", "process", "mitre_execution", "T1059"]
WARNING
Remove Bulk Data from Disk
Detect a process running to clear bulk data from disk with the intention to destroy data, possibly interrupting availability to systems. Profile your environment and use user_known_remove_data_activities to tune this rule.
spawned_process and clear_data_procs and not user_known_remove_data_activities
tags ["maturity_stable", "host", "container", "process", "filesystem", "mitre_impact", "T1485"]
CRITICAL
Reverse Shell from Web Server
Detects common reverse shell patterns spawned from web server processes. Attackers frequently establish reverse shells after exploiting web vulnerabilities to maintain interactive access to the compromised system. This rule looks for specific command patterns known to create reverse shells, including bash /dev/tcp redirects, netcat with -e flag, and common scripting language reverse shell idioms.
spawned_process and spawned_by_web_server and (proc.cmdline contains "/dev/tcp/" or
     proc.cmdline contains "nc -e" or
     proc.cmdline contains "ncat -e" or
     proc.cmdline contains "bash -i" or
     proc.cmdline contains "python -c 'import socket" or
     proc.cmdline contains "python3 -c 'import socket" or
     proc.cmdline contains "perl -e 'use Socket" or
     proc.cmdline contains "ruby -rsocket" or
     (proc.cmdline contains "mkfifo" and proc.cmdline contains "/tmp"))
tags ["maturity_sandbox", "host", "container", "process", "network", "mitre_execution", "T1059"]
NOTICE
Run shell untrusted
An attempt to spawn a shell below a non-shell application. The non-shell applications that are monitored are defined in the protected_shell_spawner macro, with protected_shell_spawning_binaries being the list you can easily customize. For Java parent processes, please note that Java often has a custom process name. Therefore, rely more on proc.exe to define Java applications. This rule can be noisier, as you can see in the exhaustive existing tuning. However, given it is very behavior-driven and broad, it is universally relevant to catch general Remote Code Execution (RCE). Allocate time to tune this rule for your use cases and reduce noise. Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust.
spawned_process and shell_procs and proc.pname exists and protected_shell_spawner and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries,
                       needrestart_binaries,
                       mesos_shell_binaries,
                       erl_child_setup, exechealthz,
                       PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
                       lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node,
                       "puma reactor")
and not proc.cmdline in (known_shell_spawn_cmdlines) and not proc.aname in (unicorn_launche) and not consul_running_net_scripts and not consul_running_alert_checks and not nginx_starting_nginx and not nginx_running_aws_s3_cp and not run_by_package_mgmt_binaries and not serf_script and not check_process_status and not run_by_foreman and not python_mesos_marathon_scripting and not splunk_running_forwarder and not postgres_running_wal_e and not postgres_running_cnpg and not redis_running_prepost_scripts and not rabbitmq_running_scripts and not rabbitmqctl_running_scripts and not run_by_appdynamics and not user_shell_container_exclusions
tags ["maturity_stable", "host", "container", "process", "shell", "mitre_execution", "T1059.004"]
NOTICE
Schedule Cron Jobs
Detect scheduled cron jobs. This is a highly generic detection and certainly needs adjustment and profiling in your environment before operationalization. At the same time, abusing cron jobs is one of the oldest TTPs used by adversaries.
((open_write and fd.name startswith /etc/cron) or
 (spawned_process and proc.name = "crontab"))
and not user_known_cron_jobs
tags ["maturity_incubating", "host", "container", "filesystem", "mitre_execution", "T1053.003"]
WARNING
Search Private Keys or Passwords
Detect attempts to search for private keys or passwords using the grep or find command. This is often seen with unsophisticated attackers, as there are many ways to access files using bash built-ins that could go unnoticed. Regardless, this serves as a solid baseline detection that can be tailored to cover these gaps while maintaining an acceptable noise level.
spawned_process and ((grep_commands and private_key_or_password) or
     (proc.name = "find" and (proc.args contains "id_rsa" or
                              proc.args contains "id_dsa" or
                              proc.args contains "id_ed25519" or
                              proc.args contains "id_ecdsa"
      )
    ))
tags ["maturity_stable", "host", "container", "process", "filesystem", "mitre_credential_access", "T1552.001"]
NOTICE
Set Setuid or Setgid bit
This rule is focused on detecting the use of setuid or setgid bits set via chmod. These bits, when set for an application, result in the application running with the privileges of the owning user or group. By enabling the setuid or setgid bits, an attacker could run code in a different user's context, possibly with elevated privileges. However, there's a trade-off with noise, given that numerous applications legitimately run chmod. This rule is related to the "Non sudo setuid" rule.
chmod and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID") and not proc.name in (user_known_chmod_applications) and not exe_running_docker_save and not user_known_set_setuid_or_setgid_bit_conditions
tags ["maturity_incubating", "host", "container", "process", "users", "mitre_privilege_escalation", "T1548.001"]
CRITICAL
Sudo Potential Privilege Escalation
sudo versions up to and including 1.9.5p2 contain a privilege escalation vulnerability: by running sudoedit -s or sudoedit -i with a command-line argument that ends in a single backslash character, an unprivileged user can escalate to root. This rule is highly specific and might be bypassed, since it relies on string matching on command-line arguments.
spawned_process and user.loginuid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains "\ " or proc.args endswith \)
tags ["maturity_sandbox", "host", "container", "filesystem", "users", "mitre_privilege_escalation", "T1548.003"]
NOTICE
System procs network activity
Detect any unexpected network activity performed by system binaries that typically shouldn't perform network activity, including coreutils binaries (like sleep, mkdir, who, date, and others) or user management binaries (such as login, systemd, usermod, deluser, adduser, chpasswd, and others). This serves as a valuable baseline detection for network-related activities.
inbound_outbound and fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)) and not proc.name in (known_system_procs_network_activity_binaries) and not login_doing_dns_lookup and not user_expected_system_procs_network_activity_conditions
tags ["maturity_incubating", "host", "network", "process", "mitre_execution", "T1059"]
INFO
System user interactive
System (i.e. non-login) users spawning new processes. You can add custom service users (e.g. apache or mysqld). "Interactive" is defined as new processes that are descendants of an ssh session or login process. Consider further tuning by only looking at processes in a terminal / tty (proc.tty != 0). The newer field proc.is_vpgid_leader can help distinguish whether the process was executed "directly", for instance in a tty, or as a descendant in the same process group, which is the case when subprocesses are spawned from a script. Consider this rule a template for monitoring interactive access to your systems more broadly; such a custom rule would be unique to your environment. The rule "Terminal shell in container", which fires on "kubectl exec", is the more Kubernetes-relevant one, whereas this rule is more interesting for the underlying host.
spawned_process and system_users and interactive and not user_known_system_user_login
tags ["maturity_stable", "host", "container", "users", "mitre_execution", "T1059", "NIST_800-53_AC-2"]
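The description above suggests proc.tty != 0 and proc.is_vpgid_leader as the fields to build a site-specific variant on. As an added example, not from this page or from the upstream rules, here is such a derived rule together with the override that switches off the upstream template so the same event is not alerted twice. The rule name, tags and output layout are hypothetical; the macros system_users, interactive and user_known_system_user_login are the upstream ones and must already be loaded before this file.

```yaml
# Added example: a site-specific rule derived from "System user interactive".
# Hypothetical name and tags; upstream macros are assumed to be loaded first.
- rule: System user interactive in tty (custom)
  desc: >
    A system (non-login) user running a command in a terminal, directly from
    the session (process group leader) rather than as a child spawned inside
    a script. Narrower than the upstream template, so fewer alerts per login.
  condition: >
    spawned_process and system_users and interactive
    and proc.tty != 0
    and proc.is_vpgid_leader = true
    and not user_known_system_user_login
  output: >
    System user ran interactive command (user=%user.name uid=%user.uid
    loginuid=%user.loginuid tty=%proc.tty command=%proc.cmdline
    parent=%proc.pname gparent=%proc.aname[2] vpgid_name=%proc.vpgid.name
    container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [host, users, custom]

# Disable the upstream template now that the narrower rule replaces it.
# Keep it enabled instead if you still want the broader audit trail.
- rule: System user interactive
  enabled: false
  override:
    enabled: replace
```

Including %user.loginuid in the output matters for triage on the host: the loginuid survives su/sudo and setuid, so it still identifies the human who logged in even when %user.name shows the service account the command ran as.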
NOTICE
Terminal shell in container
A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have legitimately already exited and be null (read container_entrypoint macro). Common when using "kubectl exec" in Kubernetes. Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name). Rather than considering it a standalone rule, it may be best used as generic auditing rule while examining other triggered rules in this container/tty.
spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint and not user_expected_terminal_shell_in_container_conditions
tags ["maturity_stable", "container", "shell", "mitre_execution", "T1059"]
NOTICE
Unexpected K8s NodePort Connection
Detect attempts to utilize K8s NodePorts from a container. K8s NodePorts are accessible on the eth0 interface of each node, and they facilitate external traffic into a Kubernetes cluster. Attackers could misuse them for unauthorized access. The rule uses default port ranges, but check for custom ranges and make necessary adjustments. Also, consider tuning this rule as needed.
inbound_outbound and container and fd.sport >= 30000 and fd.sport <= 32767 and not nodeport_containers
tags ["maturity_sandbox", "network", "k8s", "container", "mitre_persistence", "T1205.001", "NIST_800-53_AC-6"]
NOTICE
Unexpected UDP Traffic
Detect UDP traffic on ports other than 53 (DNS) or other commonly used ports. Misusing UDP is a known TTP among attackers. Monitoring unusual network activity is highly valuable but often generates significant noise, as with this detection.
inbound_outbound and fd.l4proto=udp and not expected_udp_traffic
tags ["maturity_incubating", "host", "container", "network", "mitre_exfiltration", "TA0011"]
NOTICE
Unexpected inbound connection source
Detect any inbound connection from a source outside of an allowed set of IPs, networks, or domain names. This rule absolutely requires profiling your environment beforehand. Network-based rules are crucial in any security program, as they often provide the only definitive evidence, but operationalizing them is hard because of the potential for noise.
inbound and not ((fd.cip in (allowed_inbound_source_ipaddrs)) or
         (fd.cnet in (allowed_inbound_source_networks)) or
         (fd.cip.name in (allowed_inbound_source_domains)))
tags ["maturity_sandbox", "host", "container", "network", "mitre_command_and_control", "TA0011"]
NOTICE
Unexpected outbound connection destination
Detect any outbound connection to a destination outside of an allowed set of IPs, networks, or domain names. This rule absolutely requires profiling your environment beforehand. Network-based rules are crucial in any security program, as they often provide the only definitive evidence, but operationalizing them is hard because of the potential for noise.
outbound and not ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
         (fd.snet in (allowed_outbound_destination_networks)) or
         (fd.sip.name in (allowed_outbound_destination_domains)))
tags ["maturity_deprecated", "host", "container", "network", "mitre_command_and_control", "TA0011"]
CRITICAL
Unprivileged Delegation of Page Faults Handling to a Userspace Process
Detect a successful unprivileged userfaultfd syscall. Because userfaultfd lets a process stall a page fault for as long as it likes, it serves as an attack primitive for winning race conditions when exploiting other kernel vulnerabilities. To fine-tune this rule, consider using the template list "user_known_userfaultfd_processes".
evt.type = userfaultfd and user.uid != 0 and (evt.rawres >= 0 or evt.res != -1) and not proc.name in (user_known_userfaultfd_processes)
tags ["maturity_sandbox", "host", "container", "process", "mitre_defense_evasion", "TA0005"]
NOTICE
Update Package Repository
This rule generically detects updates to package repositories and can be seen as an auditing measure. We recommend evaluating its relevance for your specific environment.
((open_write and access_repositories) or (modify and modify_repositories)) and not package_mgmt_procs and not package_mgmt_ancestor_procs and not exe_running_docker_save and not user_known_update_package_registry
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_execution", "T1072"]
NOTICE
User mgmt binaries
Detect activity by any programs that can manage users, passwords, or permissions (such as login, systemd, usermod, deluser, adduser, chpasswd, and others). sudo and su are excluded. Activity in containers is also excluded -- some containers create custom users on top of a base Linux distribution at startup. Some innocuous command lines that don't actually change anything are excluded. You might want to consider applying this rule to container actions as well.
spawned_process and not container and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not proc.pname in (cron_binaries, systemd, systemd.postins, udev.postinst, run-parts) and not proc.cmdline startswith "passwd -S" and not proc.cmdline startswith "useradd -D" and not proc.cmdline startswith "systemd --version" and not run_by_qualys and not run_by_sumologic_securefiles and not run_by_yum and not run_by_ms_oms and not run_by_google_accounts_daemon and not chage_list and not user_known_user_management_activities
tags ["maturity_incubating", "host", "users", "software_mgmt", "mitre_persistence", "T1098"]
CRITICAL
Web Server Spawned Shell
Detects a web server process (nginx, apache, php-fpm, etc.) spawning an interactive shell. This is a strong indicator of webshell activity or of a remote code execution vulnerability being actively exploited. Webshells are a common persistence mechanism used by attackers after compromising web applications. The macro user_known_web_server_shell_activities can be overridden to tune for legitimate use cases like CGI scripts. Note that simple shell wrappers used in health checks are excluded.
spawned_process and spawned_by_web_server and proc.name in (shell_binaries) and not proc.cmdline startswith "sh -c /usr/bin" and not proc.cmdline contains "healthcheck" and not user_known_web_server_shell_activities
tags ["maturity_sandbox", "host", "container", "process", "mitre_persistence", "mitre_execution", "T1505.003"]
WARNING
Web Server Spawned Suspicious Child Process
Detects web server processes spawning suspicious child processes like curl, wget, netcat, or scripting interpreters. These often indicate exploitation of web application vulnerabilities, where attackers download additional payloads or establish network connections. This rule is more sensitive than the shell spawning rule and may require tuning in environments where web applications legitimately execute system commands. Override the macro user_known_web_server_child_activities for custom tuning.
spawned_process and spawned_by_web_server and proc.name in (suspicious_web_children) and not proc.name in (shell_binaries) and not proc.cmdline contains "healthcheck" and not proc.cmdline contains "status" and not user_known_web_server_child_activities
tags ["maturity_sandbox", "host", "container", "process", "mitre_execution", "T1059"]
ERROR
Write below binary dir
Trying to write to any file below specific binary directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
open_write and bin_dir and not package_mgmt_procs and not exe_running_docker_save and not python_running_get_pip and not python_running_ms_oms and not user_known_write_below_binary_dir_activities
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_persistence", "T1543"]
ERROR
Write below etc
Trying to write to any file below /etc can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
write_etc_common
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_persistence", "T1098"]
ERROR
Write below monitored dir
Trying to write to any file below a set of monitored directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
open_write and monitored_dir and not package_mgmt_procs and not coreos_write_ssh_dir and not exe_running_docker_save and not python_running_get_pip and not python_running_ms_oms and not google_accounts_daemon_writing_ssh and not cloud_init_writing_ssh and not user_known_write_monitored_dir_conditions
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_persistence", "T1543"]
ERROR
Write below root
Trying to write to any file directly below / or /root can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. Lastly, this rule stands out as potentially the noisiest one among the "write below" rules.
open_write and root_dir and proc_name_exists and not fd.name in (known_root_files) and not fd.directory pmatch (known_root_directories) and not exe_running_docker_save and not gugent_writing_guestagent_log and not dse_writing_tmp and not zap_writing_state and not airflow_writing_state and not rpm_writing_root_rpmdb and not maven_writing_groovy and not chef_writing_conf and not kubectl_writing_state and not cassandra_writing_state and not galley_writing_state and not calico_writing_state and not rancher_writing_root and not runc_writing_exec_fifo and not mysqlsh_writing_state and not known_root_conditions and not user_known_write_root_conditions and not user_known_write_below_root_activities
tags ["maturity_sandbox", "host", "container", "filesystem", "mitre_persistence", "TA0003"]
ERROR
Write below rpm database
Trying to write to the rpm database by any non-rpm related program can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases.
open_write and fd.name startswith /var/lib/rpm and not rpm_procs and not ansible_running_python and not python_running_chef and not exe_running_docker_save and not amazon_linux_running_python_yum and not user_known_write_rpm_database_activities
tags ["maturity_sandbox", "host", "container", "filesystem", "software_mgmt", "mitre_persistence", "T1072"]