feat(rules): detect container shell spawn for MITRE T1059

rules/falco_rules.yaml

@@ -1263,3 +1263,22 @@
   output: Fileless execution via memfd_create | container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags
   priority: CRITICAL
   tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620]
+
+# MITRE ATT&CK T1059 — Container Escape via Command Execution
+# Detects shell spawned inside container by non-shell parent process
+- rule: Detect Shell Spawn in Container (T1059)
+  desc: >
+    A shell was spawned inside a container by a process that is not
+    itself a shell. This is a common indicator of container escape
+    attempts or command injection exploitation.
+  condition: >
+    spawned_process and container and
+    shell_procs and not proc.pname in (shell_binaries) and
+    not container.image.repository in (trusted_images)
+  output: >
+    Shell spawned in container by non-shell parent
+    (user=%user.name container=%container.name
+    image=%container.image.repository
+    parent=%proc.pname shell=%proc.name cmdline=%proc.cmdline)
+  priority: WARNING
+  tags: [container, shell, mitre_execution, T1059]