new(rules): detect security tool impairment in containers (T1562.001) #367
@@ -1007,6 +1007,36 @@ | |||||||||||||||||||||||||||||
| # when more than one event type is involved because some event will populate | ||||||||||||||||||||||||||||||
| # the filtercheck and others will always return <NA>. It would be better to use | ||||||||||||||||||||||||||||||
| # a more generic filter like `fs.path.*` | ||||||||||||||||||||||||||||||
| - macro: user_known_security_tool_disable_activities | ||||||||||||||||||||||||||||||
| condition: (never_true) | ||||||||||||||||||||||||||||||
| - rule: Defense Tool Disabled or Modified in Container | ||||||||||||||||||||||||||||||
| desc: > | ||||||||||||||||||||||||||||||
| Detect attempts to disable or modify security tooling inside a running container, | ||||||||||||||||||||||||||||||
| including flushing firewall rules via iptables or stopping security daemons such | ||||||||||||||||||||||||||||||
| as falco, auditd, or sysdig. Adversaries impair defenses after achieving initial | ||||||||||||||||||||||||||||||
| execution to operate undetected before lateral movement. | ||||||||||||||||||||||||||||||
| Maps to MITRE ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). | ||||||||||||||||||||||||||||||
| condition: > | ||||||||||||||||||||||||||||||
| spawned_process and container | ||||||||||||||||||||||||||||||
| and ( | ||||||||||||||||||||||||||||||
| (proc.name in (iptables, ip6tables) and | ||||||||||||||||||||||||||||||
| (proc.args contains "-F" or proc.args contains "--flush" or | ||||||||||||||||||||||||||||||
| proc.args contains "-X" or proc.args contains "--delete-chain")) | ||||||||||||||||||||||||||||||
| or | ||||||||||||||||||||||||||||||
| (proc.name = systemctl and proc.args contains "stop" and | ||||||||||||||||||||||||||||||
| (proc.args contains "falco" or proc.args contains "auditd" or | ||||||||||||||||||||||||||||||
| proc.args contains "sysdig" or proc.args contains "osquery")) | ||||||||||||||||||||||||||||||
| or | ||||||||||||||||||||||||||||||
| (proc.name = service and proc.args contains "stop" and | ||||||||||||||||||||||||||||||
| (proc.args contains "falco" or proc.args contains "auditd")) | ||||||||||||||||||||||||||||||
Comment on lines +1027 to +1032 (Member)
Suggested change
The current
Our convention for short-token matching is whitespace anchoring, see the netcat rule at falco_rules.yaml:849-851 (
| ) | ||||||||||||||||||||||||||||||
| and not user_known_security_tool_disable_activities | ||||||||||||||||||||||||||||||
| output: Security tool disabled or firewall rules cleared in container | args=%proc.args evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository | ||||||||||||||||||||||||||||||
Member
Suggested change
A few alignments with the style guide and our other rules:
| priority: | ||||||||||||||||||||||||||||||
| WARNING | ||||||||||||||||||||||||||||||
| tags: [maturity_incubating, container, process, network, mitre_defense_evasion, T1562.001] | ||||||||||||||||||||||||||||||
Member
Suggested change
| - rule: Delete or rename shell history | ||||||||||||||||||||||||||||||
| desc: > | ||||||||||||||||||||||||||||||
| Detect shell history deletion, frequently used by unsophisticated adversaries to eliminate evidence. | ||||||||||||||||||||||||||||||
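Review bot: the two service-stop branches use different daemon lists: the `systemctl` branch matches falco, auditd, sysdig and osquery, while the `service` branch matches only falco and auditd, so `service sysdig stop` or `service osquery stop` inside a container would not fire the rule even though the equivalent `systemctl` invocation does. Use the same four-name list in both branches, or move the names into a shared list (for example a hypothetical `security_daemon_names` list defined next to the `user_known_security_tool_disable_activities` macro) so the whitespace-anchoring change requested in the other review comments only has to be applied once.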
Same precision concern as the `systemctl` block. `proc.args contains "-F"` matches the substring `-F` anywhere in the args, including inside chain names or comment text. Combining `startswith` for first-position flags with `contains " -F"` (leading space) for later positions covers both placements while staying anchored to whitespace boundaries - same pattern as falco_rules.yaml:849-851 and falco-incubating_rules.yaml:1162-1165.