From 6669492677ca82d27bbb8d9bdd0b9944a3bc5cca Mon Sep 17 00:00:00 2001 From: DevNow Date: Mon, 20 Apr 2026 01:16:45 -0400 Subject: [PATCH] feat(rules): detect container shell spawn for MITRE T1059 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds detection rule for shell processes spawned inside containers by non-shell parent processes — a common indicator of container escape attempts and command injection exploitation. MITRE ATT&CK: T1059 - Command and Scripting Interpreter Tags: container, shell, mitre_execution --- rules/falco_rules.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 40cb8b1d..a637ba45 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml 
@@ -1263,3 +1263,22 @@ output: Fileless execution via memfd_create | container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags priority: CRITICAL tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620] + +# MITRE ATT&CK T1059 — Container Escape via Command Execution +# Detects shell spawned inside container by non-shell parent process +- rule: Detect Shell Spawn in Container (T1059) + desc: > + A shell was spawned inside a container by a process that is not + itself a shell. This is a common indicator of container escape + attempts or command injection exploitation. + condition: > + spawned_process and container and + shell_procs and not proc.pname in (shell_binaries) and + not container.image.repository in (trusted_images) + output: > + Shell spawned in container by non-shell parent + (user=%user.name container=%container.name + image=%container.image.repository + parent=%proc.pname shell=%proc.name cmdline=%proc.cmdline) + priority: WARNING + tags: [container, shell, mitre_execution, T1059]
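Review bot: The condition references three names that this hunk neither defines nor shows as existing in the file: the `shell_procs` macro and the `shell_binaries` and `trusted_images` lists. If any of them is missing from this ruleset, the rule fails to load and takes the whole rules file with it, so either add the definitions in this patch or note in the commit message where they already live. Two further points on the same condition. First, `not proc.pname in (shell_binaries)` will match every container whose entrypoint is a shell and every interactive `exec` into one, because in both cases the shell's parent is the container runtime rather than a shell, which makes this rule fire on routine operations; consider excluding the runtime parents or scoping the parent to application processes, and check the overlap with the existing terminal-shell-in-container rule in this file. Second, the header comment and `desc` describe this as a container escape indicator, but T1059 is Command and Scripting Interpreter, and a shell spawned inside a container is execution, not escape; reword the comment and `desc` to say what the rule actually detects. Finally, the neighbouring rule tags with `maturity_stable` and `process`; this rule has no maturity tag and introduces a new `shell` tag, so align the tags with the ruleset's convention (for example `maturity_incubating` for a new rule).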