├── scripts ├── dummy.py ├── network_sniffing.py ├── os_credentials_dumping_reading_maps_file_of_a_process.py ├── unsecured_credential_acess.py ├── system_service_discovery.py ├── credentials_from_password_file.py ├── reflective_code_loading.py ├── disk_wipe.py ├── create_account_add_user.py ├── execute_on_time=5.py ├── file_and_directory_permissions.py ├── domain_trust_discovery.py ├── service_stop.py ├── script_to_create_child_process_and_run_it.py ├── creating_a_system_service_which_will.py ├── data_destruction_for_impact.py ├── system_date_time_and_region_discovery.py ├── steal_or_forge_kerberos_ticket.py ├── create_or_modify_system_process.py ├── permission_groups_members_discovery.py ├── boot_or_logon_autostart_execution.py ├── test │ └── inhibit_system_recovery.py ├── new_process_injection.py ├── software_discovery.py ├── process_injection.py ├── application_window_discovery.py ├── direct_volume_access.py ├── archive_collected_data.py ├── Account_manipulation.py ├── modify_authentication_process.py ├── Password_policy_discovery.py ├── remote_system_discovery.py ├── system_location_discovery.py └── Traffic_signaling_raw_sockets.py ├── index.yaml ├── rules ├── read_disk_block_command.yaml ├── boot_or_logon_autostart_execution.yaml ├── create_or_modify_system_process.yaml ├── detect_suspicious_disk_activity.yaml ├── create_nodeport_service.yaml ├── chown_chmod_operations.yaml ├── system_location_retrieval.yaml ├── modify_authentication_process.yaml ├── process_injection.yaml ├── suspicious_info_gathering.yaml ├── memory_maps_of_processes.yaml ├── detect_service_disable.yaml ├── password_policy_discovery.yaml ├── enumerate_domain_trust.yaml ├── account_manipulation_in_ssh.yaml ├── attempt_to_access_bash_history.yaml ├── create_account_add_user.yaml ├── credentials_from_password_file.yaml ├── system_service_discovery.yaml ├── suspicious_time_Date.yaml ├── detect_data_destruction_activity.yaml ├── permission_group_members_discovery.yaml ├── execute_command_via_utility.yaml ├── detect_peripheral_device_enumeration.yaml ├── get_info_about_open_application_windows.yaml ├── suspicious_network_spanning_command.yaml ├── archive_and_compression_activity.yaml ├── disable_recovery_features.yaml └── custom_rules.yaml ├── .github └── workflows │ └── release.yaml ├── README.md └── LICENSE /scripts/dummy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | sum=0 8 | for i in range(100): 9 | sum=sum+i 10 | print(sum) 11 | 12 | -------------------------------------------------------------------------------- /scripts/network_sniffing.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | from scapy.all import * 8 | 9 | def packet_callback(packet): 10 | print(packet.summary()) 11 | 12 | sniff(prn=packet_callback,filter= "tcp", count=10) 13 | 14 | -------------------------------------------------------------------------------- /scripts/os_credentials_dumping_reading_maps_file_of_a_process.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | pid = 1767 # Replace with the desired process ID 8 | 9 | maps_file_path = f"/proc/{pid}/maps" 10 | 11 | with open(maps_file_path, "r") as f: 12 | maps_contents = f.read() 13 | 14 | print(maps_contents) 15 | 16 | -------------------------------------------------------------------------------- /scripts/unsecured_credential_acess.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[3]: 5 | 6 | 7 | # Open and read the Bash history file 8 | user="ashutoshreddy" 9 | file=f"/home/{user}/.bash_history" 10 | with open(".bash_history", "r") as f: 11 | lines = f.readlines() 12 | 13 | 14 | 15 | for line in lines: 16 | print(line.strip()) 17 | 18 | 19 | # In[ ]: 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /scripts/system_service_discovery.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[8]: 5 | 6 | 7 | import subprocess 8 | 9 | # Execute the systemctl command and capture the output 10 | output = subprocess.check_output(['systemctl', 'list-unit-files', '--type=service']) 11 | 12 | # Split the output into lines 13 | lines = output.decode().split('\n') 14 | print(lines) 15 | 16 | 17 | 18 | # In[ ]: 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /scripts/credentials_from_password_file.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import os 8 | 9 | username = 'dummy' 10 | home_dir = '/home/du' 11 | user_id = '1001' 12 | group_id = '1001' 13 | comment = 'New User' 14 | shell = '/bin/bash' 15 | 16 | with open('/etc/passwd', 'a') as passwd_file: 17 | passwd_file.write(f"{username}:x:{user_id}:{group_id}:{comment}:{home_dir}:{shell}\n") 18 | 19 | os.system('passwd newuser') 20 | 21 | -------------------------------------------------------------------------------- /scripts/reflective_code_loading.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import os 8 | 9 | # example directory to list 10 | directory = "/home/f" 11 | 12 | # using execve() system call 13 | pid = os.fork() 14 | if pid == 0: 15 | os.execve("/bin/ls", ["/bin/ls", directory], os.environ) 16 | else: 17 | os.waitpid(pid, 0) 18 | 19 | # using execv() system call 20 | pid = os.fork() 21 | if pid == 0: 22 | os.execv("/bin/ls", ["/bin/ls", directory]) 23 | else: 24 | os.waitpid(pid, 0) 25 | 26 | -------------------------------------------------------------------------------- /scripts/disk_wipe.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | # wipe or corrupt data on a disk 4 | os.system("dd if=/dev/zero of=/dev/sda bs=1M count=10") 5 | os.system("shred -u /home/f/test/dummy.py") 6 | os.system("hdparm --security-erase NULL /dev/sda") 7 | os.system("fdisk /dev/sda -d") 8 | os.system("blkdiscard /dev/sda") 9 | os.system("wipe -f -r /home/f/test/Traffic_signaling_raw_sockets.py") 10 | os.system("badblocks -v /dev/sda") 11 | os.system("fsck /dev/sda1") 12 | os.system("parted /dev/sda mkpart primary ext4 0% 100%") 13 | os.system("mkfs.ext4 /dev/sda1") 14 | 15 | -------------------------------------------------------------------------------- /scripts/create_account_add_user.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import subprocess 8 | 9 | # Define the username and home directory 10 | username = "falco5" 11 | home_dir = "/home/falco5" 12 | 13 | # Create the new user account 14 | subprocess.run(["adduser", "--home", home_dir, "--shell", "/bin/bash", username]) 15 | 16 | # Set a password for the new user 17 | subprocess.run(["passwd", username]) 18 | 19 | # Add the new user to a specific group 20 | subprocess.run(["sudo", "usermod", "-aG", "root", username]) 21 | 22 | -------------------------------------------------------------------------------- /scripts/execute_on_time=5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import time 8 | import subprocess 9 | 10 | # Run the script at the specified time 11 | def run_script(): 12 | subprocess.run(["python", "dummy.py"]) 13 | 14 | # Check the time every minute 15 | while True: 16 | # Get the current time 17 | current_time = time.localtime() 18 | 19 | # Check if it's 5 o'clock 20 | if current_time.tm_hour == 5 and current_time.tm_min == 0: 21 | run_script() 22 | 23 | # Wait for a minute 24 | time.sleep(60) 25 | 26 | -------------------------------------------------------------------------------- /scripts/file_and_directory_permissions.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import os 8 | 9 | # Set the path to the file or directory you want to modify 10 | path ="/home/f/syscall_analysis/creating_a_system_service_which_will" 11 | 12 | # Set the desired ownership 13 | owner = "falco4" 14 | 15 | # Set the desired access permissions 16 | permissions = "777" # for example, 755 or 644 17 | 18 | # Change ownership 19 | os.system("chown " + owner + " " + path) 20 | 21 | # Change permissions 22 | os.system("chmod " + permissions + " " + path) 23 | 24 | -------------------------------------------------------------------------------- /scripts/domain_trust_discovery.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | # Simulate an ldapsearch command that attempts to enumerate domain trusts 4 | subprocess.run(['ldapsearch', '-h', 'domain.com', '-b', 'DC=domain,DC=com', '-s', 'base', '(objectclass=*)']) 5 | 6 | # Simulate a net command that attempts to enumerate domain trusts 7 | subprocess.run(['net', 'rpc', 'trustdom', 'list', '-U', 'Administrator%password']) 8 | 9 | # Simulate an rpcclient command that attempts to enumerate domain trusts 10 | subprocess.run(['rpcclient', '-U', 'Administrator%password', '-c', 'enumtrustdom', 'domain']) 11 | 12 | -------------------------------------------------------------------------------- /index.yaml: -------------------------------------------------------------------------------- 1 | - name: falco_extended_rules 2 | type: rulesfile 3 | registry: ghcr.io 4 | repository: CloudDefenseAI/falco_extended_rules/ruleset/falco_extended_rules 5 | description: Extended Falco rules developed by CloudDefense.ai 6 | home: https://github.com/CloudDefenseAI/falco_extended_rules/tree/master/rules 7 | keywords: 8 | - mitre 9 | - clouddefense 10 | license: Apache-2.0 11 | maintainers: 12 | - email: contact@clouddefense.ai 13 | name: CloudDefenseAI 14 | sources: 15 | - https://github.com/CloudDefenseAI/falco_extended_rules/tree/main/rules/docker_rules.yaml -------------------------------------------------------------------------------- /scripts/service_stop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import subprocess 8 | 9 | # Define the service name 10 | service_name = "cups.service" 11 | 12 | # Disable the service from starting at boot 13 | subprocess.run(["sudo", "systemctl", "disable", service_name], check=True) 14 | 15 | # Confirm that the service is disabled 16 | output = subprocess.run(["sudo", "systemctl", "is-enabled", service_name], capture_output=True) 17 | if output.stdout.strip() == b"disabled": 18 | print(f"The {service_name} service has been successfully disabled.") 19 | else: 20 | print(f"Error: Failed to disable the {service_name} service.") 21 | 22 | -------------------------------------------------------------------------------- /scripts/script_to_create_child_process_and_run_it.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | #!/usr/bin/env python3 8 | 9 | import os 10 | 11 | # Set the path to the Python script you want to execute 12 | script_path = "dummy.py" 13 | 14 | # Use os.fork() to create a new process 15 | pid = os.fork() 16 | 17 | # If pid is 0, we're in the child process 18 | if pid == 0: 19 | # Use os.execvp() to replace the child process with the Python interpreter running the script 20 | os.execvp("python3", ["python3", script_path]) 21 | 22 | # If pid is not 0, we're in the parent process 23 | else: 24 | # Print the child process's PID 25 | print(f"Child process created with PID {pid}") 26 | 27 | -------------------------------------------------------------------------------- /scripts/creating_a_system_service_which_will.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import os 8 | 9 | # Define the contents of the service file 10 | SERVICE_FILE = f"""\ 11 | [Unit] 12 | Description=My Python Script 13 | 14 | [Service] 15 | Type=simple 16 | ExecStart=/usr/bin/python {os.path.abspath('/home/f/test/execute_on_time_=5.py')} 17 | WorkingDirectory={os.path.abspath('/home/f/test/')} 18 | Restart=on-failure 19 | User={os.getlogin()} 20 | 21 | [Install] 22 | WantedBy=multi-user.target 23 | """ 24 | 25 | # Write the service file to disk 26 | with open('/etc/systemd/system/my_python_script.service', 'w') as f: 27 | f.write(SERVICE_FILE) 28 | f.close() 29 | 30 | # Enable the service 31 | os.system('systemctl enable my_python_script.service') 32 | 33 | -------------------------------------------------------------------------------- /rules/read_disk_block_command.yaml: -------------------------------------------------------------------------------- 1 | #This Falco rule is designed to detect the execution of commands that read disk blocks. 2 | #The rule starts by creating a list of commands that are known to read disk blocks, which includes dd, hdparm, readsector, and ddrescue 3 | #https://attack.mitre.org/techniques/T1006/ 4 | #Mitre Defense evasion: direct volume acccess subscenarrio 5 | 6 | - list: disk_read 7 | items: ['dd', 'hdparm', 'readsector', 'ddrescue'] 8 | 9 | - rule: Read Disk Block Command 10 | desc: Detects execution of commands that read disk blocks 11 | condition: > 12 | proc.name in (disk_read) 13 | enabled: true 14 | output: > 15 | Read disk block command detected (user=%user.name command=%proc.cmdline) 16 | priority: ERROR 17 | tags: [host, container, disk, mitre_defense_evasion, direct_volume_access, T1006] 18 | -------------------------------------------------------------------------------- /scripts/data_destruction_for_impact.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import subprocess 8 | 9 | # Securely delete a file using shred 10 | filename = "/home/f/syscall_analysis/ab" 11 | subprocess.run(["shred", "-n", "3", "-vz", filename], check=True) 12 | print(f"{filename} has been securely deleted.") 13 | 14 | # Overwrite a block device with zeros using dd 15 | device = "/dev/sdX" # Replace X with the correct device letter 16 | subprocess.run(["sudo", "dd", "if=/dev/zero", f"of={device}", "bs=1M"], check=True) 17 | print(f"{device} has been overwritten with zeros.") 18 | 19 | # Wipe free space on a mounted device using wipe 20 | mountpoint = "/path/to/mounted/device" 21 | subprocess.run(["wipe", "-kQqf", mountpoint], check=True) 22 | print(f"Free space on {mountpoint} has been wiped securely.") 23 | 24 | -------------------------------------------------------------------------------- /rules/boot_or_logon_autostart_execution.yaml: -------------------------------------------------------------------------------- 1 | #This Falco rule is designed to detect attempts to embed a script to execute at the time of boot or logon on a Linux system. 2 | #The rule will trigger an error priority alert if it detects any write access to the commonly used /etc directory, 3 | #which is often used for system configuration files and startup scripts. 4 | #https://attack.mitre.org/techniques/T1547/ 5 | #Mitre Persistance: boot or logon autostart execution subscenario 6 | 7 | - rule: Boot or Logon Autostart Execution 8 | desc: an attempt to embedd a script to execute at the time of boot or logon 9 | condition: write_etc_common 10 | enabled: true 11 | output: A script is embedded below /etc to start its execution on boot or logon in to the system 12 | priority: ERROR 13 | tags: [host, container, process, mitre_persistance, boot_or_logon_autostart_execution, T1547] 14 | -------------------------------------------------------------------------------- /rules/create_or_modify_system_process.yaml: -------------------------------------------------------------------------------- 1 | 2 | #this Falco rule is designed to detect attempts to create or modify system processes on a Linux system, 3 | #which can be a sign of a malicious actor attempting to maintain persistence on the system. 4 | #https://attack.mitre.org/techniques/T1543/ 5 | #Mitre Persistance: Create or Modify system process 6 | #Mitre Priviledge Escalarion: Create or modify system process 7 | 8 | - rule: Create or Modify System Process 9 | desc: a system process may be created or a existing process may be modified to keep malicious process running continuously 10 | condition: write_etc_common 11 | enabled: true 12 | output: A malicious system process is created or a existing process is modified to act like a malicious one 13 | priority: ERROR 14 | tags: [host, container, process, mitre_priviledge_escalation, create_or_modify_system_service, T1543] 15 | -------------------------------------------------------------------------------- /scripts/system_date_time_and_region_discovery.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | # Get current date and time 4 | date_output = subprocess.check_output(['date', '+%Y-%m-%d %H:%M:%S']) 5 | print("Current Date and Time:") 6 | print(date_output.decode()) 7 | 8 | # Get time zone information 9 | timedatectl_output = subprocess.check_output(['timedatectl', 'show', '-p', 'Timezone']) 10 | timezone = timedatectl_output.decode().split('=')[1].strip() 11 | print("Timezone:") 12 | print(timezone) 13 | 14 | # Get region information 15 | locale_output = subprocess.check_output(['locale']) 16 | region = locale_output.decode().split('=')[1].strip().split('.')[0] 17 | print("Region:") 18 | print(region) 19 | 20 | # Get hostname information 21 | hostnamectl_output = subprocess.check_output(['hostnamectl', 'status']) 22 | hostname = hostnamectl_output.decode().split(' ')[3].strip() 23 | print("Hostname:") 24 | print(hostname) 25 | 26 | -------------------------------------------------------------------------------- /scripts/steal_or_forge_kerberos_ticket.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import ldap 8 | 9 | secrets_db_path = "/var/lib/samba/private/secrets.ldb" 10 | secrets_mkey_path = "/var/lib/samba/private/.secrets.mkey" 11 | 12 | def read_secrets_db(): 13 | secrets_db = ldap.initialize("ldapi:///") 14 | secrets_db.simple_bind_s() 15 | secrets_db_data = secrets_db.search_s("", ldap.SCOPE_SUBTREE, "(objectclass=*)", ['nTSecurityDescriptor']) 16 | print("secrets.ldb data:\n", secrets_db_data) 17 | 18 | def read_secrets_mkey(): 19 | with open(secrets_mkey_path, "a") as f: 20 | secrets_mkey_data = f.read() 21 | secrets_mkey_data=secrets_mkey_data+"I know a secret" 22 | f.write(secrets_mkey_data) 23 | print("secrets.mkey data:\n", secrets_mkey_data) 24 | 25 | if __name__ == "__main__": 26 | read_secrets_db() 27 | read_secrets_mkey() 28 | 29 | -------------------------------------------------------------------------------- /rules/detect_suspicious_disk_activity.yaml: -------------------------------------------------------------------------------- 1 | 2 | #The SuspiciousDiskActivity rule in Falco is designed to detect suspicious disk activity on a system. 3 | #The rule matches against processes that are known to be involved in activities such as wiping, overwriting or corrupting raw disk data, 4 | #such as dd, shred, hdparm, fdisk, blkdiscard, wipe, badblocks, fsck, parted, and mkfs.ext4. 5 | #https://attack.mitre.org/techniques/T1561/ 6 | #Mitre Impact: disk wipe subscenario 7 | 8 | - rule: Suspicious Disk Activity 9 | desc: Detects suspicious disk activity such as wiping, overwriting or corrupting raw disk data. 10 | condition: (proc.name in ("dd", "shred", "hdparm", "fdisk", "blkdiscard", "wipe", "badblocks", "fsck", "parted", "mkfs.ext4")) 11 | enabled: true 12 | output: "Suspicious disk activity (command=%proc.cmdline) detected" 13 | priority: WARNING 14 | tags: [host, container, disk, mitre_impact, disk_wipe, T1561] 15 | -------------------------------------------------------------------------------- /rules/create_nodeport_service.yaml: -------------------------------------------------------------------------------- 1 | #This is a Falco rule designed to detect an attempt to create a NodePort service in a Kubernetes cluster. 2 | #The rule will trigger an alert if it detects a Kubernetes API server event related to creating a NodePort service. 3 | #A Kubernetes event (kevt) must occur 4 | #The event must be related to creating a service (service) 5 | #The creation must be performed using the "kubectl create" command (kcreate) 6 | #The service type must be NodePort (ka.req.service.type=NodePort) 7 | 8 | - rule: Create NodePort Service 9 | desc: > 10 | Detect an attempt to start a service with a NodePort service type 11 | condition: kevt and service and kcreate and ka.req.service.type=NodePort 12 | enabled: true 13 | output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports) 14 | priority: WARNING 15 | source: k8s_audit 16 | tags: [k8s, nodeport] 17 | -------------------------------------------------------------------------------- /rules/chown_chmod_operations.yaml: -------------------------------------------------------------------------------- 1 | #This is a Falco rule that is designed to detect chown or chmod operations on a system. 2 | #The rule looks for instances where the chown or chmod command is executed using the execve system call. 3 | #The evt.type is set to execve, indicating that a process is being executed. 4 | #The name of the process being executed matches either chown or chmod. 5 | #https://attack.mitre.org/techniques/T1222/ 6 | #Mitre Defense Evasion: file and directory permission modification 7 | 8 | - rule: Chown or Chmod Operation 9 | desc: Detects chown or chmod operations 10 | condition: (evt.type = execve and 11 | (proc.name = chown or proc.name = chmod)) 12 | enabled: true 13 | output: "Chown or chmod operation detected 14 | (user=%user.name command=%proc.cmdline)" 15 | priority: WARNING 16 | tags: [host, container, permission, file, directory, mitre_defense_evasion, file_and_directory_permission_modification, T1222] 17 | -------------------------------------------------------------------------------- /rules/system_location_retrieval.yaml: -------------------------------------------------------------------------------- 1 | #The given falco rule detects attempts to retrieve system information by monitoring the execution of certain commands. 2 | #The rule checks if the event type is 'execve' and if the process name is one of the following: 'ip', 'cat', 'nmcli', 'iw', 'wpa_cli', 'geoiplookup', 'ifconfig', or 'hostname' 3 | #https://attack.mitre.org/techniques/T1614/ 4 | #Mitre Discovery: system location discovery subscenario 5 | 6 | - rule: Detect System Location Information Retrieval 7 | desc: Detects attempts to retrieve system information 8 | condition: > 9 | ( (evt.type=execve) and 10 | ( 11 | proc.name in (ip, cat, nmcli, iw, wpa_cli, geoiplookup, ifconfig, hostname) 12 | ) 13 | ) 14 | enabled: true 15 | output: > 16 | System information may be retrieved (user=%user.name command=%proc.cmdline) 17 | priority: WARNING 18 | tags: [host, container, location, mitre_discovery, system_location_discovery, T1614] 19 | -------------------------------------------------------------------------------- /scripts/create_or_modify_system_process.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | #!/usr/bin/env python3 8 | 9 | import os 10 | 11 | # Set the path to the Python script you want to execute 12 | script_path = "/home/f/test/script_to_create_child_process_and_run_it.py" 13 | 14 | # Set the name of the systemd service 15 | service_name = "malicious1.service" 16 | 17 | # Create the systemd service file 18 | service_file = f"""[Unit] 19 | Description=My service 20 | 21 | [Service] 22 | ExecStart=/usr/bin/python3 {script_path} 23 | Restart=always 24 | 25 | [Install] 26 | WantedBy=multi-user.target 27 | """ 28 | 29 | # Write the service file to disk 30 | service_path = f"/etc/systemd/system/{service_name}" 31 | with open(service_path, "w") as f: 32 | f.write(service_file) 33 | 34 | # Enable and start the systemd service 35 | os.system(f"systemctl enable {service_name}") 36 | os.system(f"systemctl start {service_name}") 37 | 38 | -------------------------------------------------------------------------------- /rules/modify_authentication_process.yaml: -------------------------------------------------------------------------------- 1 | 2 | #This Falco rule detects attempts to modify the authentication process by reading sensitive files that 3 | #contain user/password/authentication information by non-trusted programs. The condition checks for any read 4 | #operation on sensitive files by a process that is not a known trusted program. 5 | #https://attack.mitre.org/techniques/T1556/ 6 | #Mitre Credential Access: Modify Authentication Process subscenario 7 | 8 | - rule: Modify authentication process 9 | desc: > 10 | an attempt to read any sensitive file (e.g. files containing user/password/authentication 11 | information). Exceptions are made for known trusted programs. 12 | condition: > 13 | sensitive_files and open_read 14 | and proc_name_exists 15 | enabled: true 16 | output: > 17 | Sensitive file opened for reading by non-trusted program to modify the authentication process 18 | priority: WARNING 19 | tags: [host, container] 20 | -------------------------------------------------------------------------------- /rules/process_injection.yaml: -------------------------------------------------------------------------------- 1 | #This Falco rule detects an attempt to inject code into a process using PTRACE. 2 | #The condition checks for a PTRACE event of type ptrace, with direction greater than, 3 | #and with the request argument set to one of the specified values (5, 6, 11, 20, 27). 4 | #Additionally, the condition checks if the process name exists and is not in the list of known ptrace processes. 5 | #https://attack.mitre.org/techniques/T1055/ 6 | #Mitre Priviledge Escalation: Process Injection 7 | 8 | - rule: Process Injection 9 | desc: "This rule detects an attempt to inject code into a process using PTRACE." 10 | condition: evt.type=ptrace and evt.dir=> and evt.arg.request in (5, 6, 11, 20, 27) and proc_name_exists and not known_ptrace_procs 11 | enabled: true 12 | output: A process is injected in to a known process binary to execute 13 | priority: WARNING 14 | tags: [host, container, process, mitre_priviledge_escalation, process_injection, T1055] 15 | -------------------------------------------------------------------------------- /rules/suspicious_info_gathering.yaml: -------------------------------------------------------------------------------- 1 | #The following rule is designed to detect suspicious commands related to gathering system information. 2 | #It uses the condition field to check if the command executed matches any of the suspicious commands such as dpkg -l, lsb_release -a, uname -r, or ls -l /usr/bin. 3 | #https://attack.mitre.org/techniques/T1518/ 4 | #Mitre Discovery: Software dicovery subsceanrio 5 | 6 | - rule: Suspicious System Information Gathering 7 | desc: Detects suspicious commands related to gathering system information 8 | condition: > 9 | (proc.args contains "dpkg -l" or 10 | proc.args contains "lsb_release -a" or 11 | proc.args contains "uname -r" or 12 | proc.args contains "ls -l /usr/bin") 13 | enabled: true 14 | output: > 15 | Suspicious system information gathering detected (user=%user.name command=%proc.cmdline) 16 | priority: WARNING 17 | tags: [host, container, data, mitre_discovery, software_discovery, T1518] 18 | -------------------------------------------------------------------------------- /rules/memory_maps_of_processes.yaml: -------------------------------------------------------------------------------- 1 | #This is a Falco rule that is designed to detect when an attempt is made to read the maps file of a process. 2 | #The maps file is a file that provides information about the memory mappings of a process. 3 | #The open_read system call is used to read a file. 4 | #The name of the file being read matches the glob pattern /proc/*/maps, which means that the file is located in, 5 | #the /proc directory and has a name that consists of a numerical process ID followed by the string "maps". 6 | #https://attack.mitre.org/techniques/T1003/ 7 | #Mitre Credential Access: os credential dumping subscenario 8 | 9 | - rule: Read Maps File of Process 10 | desc: An attempt to read the maps file of a process was detected 11 | condition: open_read and (fd.name glob /proc/*/maps) 12 | enabled: true 13 | output: Reading maps file of process 14 | priority: ERROR 15 | tags: [host, container, process, mitre_creential_access, os_credential_dumping, T1003] 16 | -------------------------------------------------------------------------------- /scripts/permission_groups_members_discovery.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[2]: 5 | 6 | 7 | import os 8 | 9 | # Get list of groups 10 | groups = {} 11 | with open('/etc/group', 'r') as f: 12 | for line in f: 13 | group_info = line.strip().split(':') 14 | group_name = group_info[0] 15 | group_members = group_info[3].split(',') 16 | groups[group_name] = group_members 17 | 18 | # Print list of groups and their members 19 | print("Groups:\n") 20 | for group, members in groups.items(): 21 | print(f" {group}: {', '.join(members)}\n") 22 | 23 | # Get file permissions 24 | files = ['/etc/group', '/etc/passwd', '/etc/shadow', '/etc/sudoers'] 25 | print("\nFile permissions:") 26 | for file in files: 27 | try: 28 | mode = os.stat(file).st_mode 29 | print(f" {file}: {oct(mode)[-3:]}\n") 30 | except FileNotFoundError: 31 | print(f" {file} not found\n") 32 | 33 | 34 | # In[ ]: 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /scripts/boot_or_logon_autostart_execution.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | #!/usr/bin/env python3 8 | 9 | import os 10 | 11 | # Set the path to the program you want to run 12 | program_path = "/home/f/test/dummy.py" 13 | 14 | # Set the name of the systemd service 15 | service_name = "malicious.service" 16 | 17 | # Create the systemd service file 18 | service_file = f"""[Unit] 19 | Description=My program 20 | After=network.target 21 | 22 | [Service] 23 | WorkingDirectory=/home/f/test/ 24 | ExecStart=/usr/bin/python3 {program_path} 25 | Restart=always 26 | 27 | [Install] 28 | WantedBy=default.target 29 | """ 30 | 31 | # Write the service file to disk 32 | service_path = f"/etc/systemd/system/{service_name}" 33 | with open(service_path, "w") as f: 34 | f.write(service_file) 35 | f.close() 36 | 37 | # Enable and start the systemd service 38 | os.system(f"systemctl --user enable {service_name}") 39 | os.system(f"systemctl --user start {service_name}") 40 | 41 | -------------------------------------------------------------------------------- /rules/detect_service_disable.yaml: -------------------------------------------------------------------------------- 1 | #This Falco rule is designed to detect when a non-root user disables a service using the systemctl command. 2 | #The rule checks if the process name is systemctl, the arguments contain the string disable, and if the arguments also contain the .service string. 3 | #If all conditions are met, the rule triggers and generates an alert with a warning priority, 4 | #indicating that a service disable operation using systemctl has been detected. 5 | #https://attack.mitre.org/techniques/T1489/ 6 | #Mitre Impact: service stop subscenario 7 | 8 | - rule: Detect Service Disable Using Systemctl 9 | desc: Detects when a user disables a service using the systemctl command. 10 | condition: > 11 | proc.name = "systemctl" and 12 | proc.args contains "disable" and 13 | proc.args contains ".service" and 14 | user.name != "root" 15 | enabled: true 16 | output: > 17 | Service disable using systemctl detected. 18 | priority: WARNING 19 | tags: [host, container, service, process, mitre_impact, service_stop, T1489] 20 | -------------------------------------------------------------------------------- /scripts/test/inhibit_system_recovery.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | # Remove a directory and its contents recursively and forcefully 4 | subprocess.run(['rm', '-rf', '/home/f/forfun']) 5 | 6 | # Make a file immutable 7 | subprocess.run(['chattr', '+i', '/home/f/test/Traffic_signaling_raw_sockets.py']) 8 | 9 | # Create a file system without support for discarding blocks 10 | subprocess.run(['mkfs.ext4', '-E', 'nodiscard', '/dev/sda']) 11 | 12 | # Remount the root filesystem as read-only 13 | subprocess.run(['mount', '-o', 'remount,ro', '/']) 14 | 15 | # Disable systemd-backlight service 16 | subprocess.run(['systemctl', 'disable', 'systemd-backlight@.service']) 17 | 18 | # Disable apport service 19 | subprocess.run(['systemctl', 'disable', 'apport.service']) 20 | 21 | # Disable rescue service 22 | subprocess.run(['systemctl', 'disable', 'rescue.service']) 23 | 24 | # Disable emergency service 25 | subprocess.run(['systemctl', 'disable', 'emergency.service']) 26 | 27 | # Disable recovery-mode service 28 | subprocess.run(['systemctl', 'disable', 'recovery-mode.service']) 29 | 30 | -------------------------------------------------------------------------------- /rules/password_policy_discovery.yaml: -------------------------------------------------------------------------------- 1 | #This falco rule detects an attempt to read sensitive files, 2 | #such as files containing user/password/authentication information, by a non-trusted program to discover information about the password policy of a system. 3 | #The condition for triggering the rule is that a sensitive file is being read in an open state by a process that is not a known trusted program. 4 | #https://attack.mitre.org/techniques/T1201/ 5 | #Mitre Discovery: password policy discovery subscenario 6 | 7 | - rule: Password Policy Discovery 8 | desc: > 9 | an attempt to read any sensitive file (e.g. files containing user/password/authentication 10 | information). Exceptions are made for known trusted programs. 11 | condition: > 12 | sensitive_files and open_read 13 | and proc_name_exists 14 | enabled: true 15 | output: > 16 | Sensitive file opened for reading by non-trusted program to get information about set password policy of a system 17 | priority: WARNING 18 | tags: [host, container, authentication, mitre_discovery, password_policy_discovery, T1201] 19 | -------------------------------------------------------------------------------- /scripts/new_process_injection.py: -------------------------------------------------------------------------------- 1 | import ctypes 2 | 3 | # Define the code to be injected 4 | code_to_inject = """ 5 | def greet(name): 6 | print(f"Hello, {name}!") 7 | """ 8 | 9 | # Get the process ID of the target process from the command line arguments 10 | pid = int(156) 11 | 12 | # Attach to the target process using ptrace 13 | libc = ctypes.CDLL("libc.so.6") 14 | libc.ptrace(0, pid, 0, 0) 15 | 16 | # Import the missing constants and symbols from ctypes 17 | PROT_READ = 0x1 18 | PROT_WRITE = 0x2 19 | PROT_EXEC = 0x4 20 | MAP_PRIVATE = 0x2 21 | MAP_ANONYMOUS = 0x20 22 | dlopen = ctypes.CDLL(None).dlopen 23 | 24 | # Allocate some memory in the target process's address space 25 | addr = libc.mmap( 26 | None, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0 27 | ) 28 | 29 | # Write the code to the allocated memory 30 | libc.ptrace(4, pid, addr, code_to_inject.encode()) 31 | 32 | # Call the `dlopen` function in the target process to load the injected code 33 | dlopen_addr = dlopen(None, 1) 34 | libc.ptrace(0x5555, pid, dlopen_addr, addr) 35 | 36 | # Detach from the target process 37 | libc.ptrace(17, pid, None, None) 38 | -------------------------------------------------------------------------------- /scripts/software_discovery.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | # List all installed packages and their versions using dpkg 4 | print('List of installed packages and their versions:') 5 | dpkg_process = subprocess.Popen(['dpkg', '-l'], stdout=subprocess.PIPE) 6 | output, error = dpkg_process.communicate() 7 | print(output.decode()) 8 | 9 | # Display information about the Ubuntu distribution 10 | print('Information about the Ubuntu distribution:') 11 | lsb_process = subprocess.Popen(['lsb_release', '-a'], stdout=subprocess.PIPE) 12 | output, error = lsb_process.communicate() 13 | print(output.decode()) 14 | 15 | # Display the version number of the Ubuntu kernel 16 | print('Version number of the Ubuntu kernel:') 17 | uname_process = subprocess.Popen(['uname', '-r'], stdout=subprocess.PIPE) 18 | output, error = uname_process.communicate() 19 | print(output.decode()) 20 | 21 | # List the files in the /usr/bin directory and their versions 22 | print('List of files in /usr/bin directory and their versions:') 23 | ls_process = subprocess.Popen(['ls', '-l', '/usr/bin'], stdout=subprocess.PIPE) 24 | output, error = ls_process.communicate() 25 | print(output.decode()) 26 | 27 | -------------------------------------------------------------------------------- /rules/enumerate_domain_trust.yaml: -------------------------------------------------------------------------------- 1 | 2 | #The above Falco rule set detects attempts to enumerate domain trusts in Linux systems using specific commands, such as ldapsearch, net, and rpcclient. 3 | #The process name is one of the commands listed in the domain_trust_commands list OR 4 | #The process command-line contains the string ldapsearch OR 5 | #The process command-line contains the string net OR 6 | #The process command-line contains the string rpcclient 7 | #https://attack.mitre.org/techniques/T1482/ 8 | #Mitre Discovery: domain trust discovery subscenario 9 | 10 | - list: domain_trust_commands 11 | items: [ldapsearch, net, rpcclient] 12 | 13 | - rule: Enumerate Domain Trusts 14 | desc: Detects attempts to enumerate domain trusts in Linux systems 15 | condition: > 16 | (proc.name in (domain_trust_commands) or 17 | proc.cmdline contains "ldapsearch" or 18 | proc.cmdline contains "net" or 19 | proc.cmdline contains "rpcclient") 20 | enabled: true 21 | output: > 22 | Domain trust enumeration attempt detected (user=%user.name command=%proc.cmdline) 23 | priority: WARNING 24 | tags: [host, container, mitre_discovery, domain_trust_discovery, T1482] 25 | -------------------------------------------------------------------------------- /rules/account_manipulation_in_ssh.yaml: -------------------------------------------------------------------------------- 1 | - list: ssh_files 2 | items: [/etc/ssh/sshd_config, /.ssh/authorized_keys] 3 | 4 | #The given Falco rule is designed to detect any attempt to perform account manipulation using SSH. 5 | #The rule is triggered when a process attempts to read or write files that are related to SSH. 6 | #The "condition" parameter of the rule uses the "open_read" and "open_write" system calls to monitor attempts to read from or write to files respectively. 7 | #The "fd.name" parameter specifies the name of the files that should be monitored, which are related to SSH in this case. 8 | #https://attack.mitre.org/techniques/T1098/ 9 | #Mitre Discovery: Account Manipulation subscenario 10 | 11 | - rule: Account Manipulation in SSH 12 | desc: an attempt to do account manipulation using ssh 13 | 14 | condition: > 15 | ((open_read and (fd.name in (ssh_files))) 16 | or (open_write and (fd.name in (ssh_files)))) 17 | enabled: true 18 | output: > 19 | A process with process id=%proc.pid is spawned to do account manipulation 20 | at ssh_files 21 | priority: ERROR 22 | tags: [host, container, account, mitre_discovery, account_manipulation, T1098] 23 | -------------------------------------------------------------------------------- /scripts/process_injection.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import ctypes 4 | import struct 5 | 6 | # Define the code to be injected 7 | code_to_inject = """ 8 | def greet(name): 9 | print(f"Hello, {name}!") 10 | """ 11 | 12 | # Get the process ID of the target process from the command line arguments 13 | pid = int(156) 14 | 15 | # Attach to the target process using ptrace 16 | libc = ctypes.CDLL("libc.so.6") 17 | libc.ptrace(0, pid, 0, 0) 18 | 19 | # Import the missing constants and symbols from ctypes 20 | PROT_READ = 0x1 21 | PROT_WRITE = 0x2 22 | PROT_EXEC = 0x4 23 | MAP_PRIVATE = 0x2 24 | MAP_ANONYMOUS = 0x20 25 | dlopen = ctypes.CDLL(None).dlopen 26 | 27 | # Allocate some memory in the target process's address space 28 | addr = libc.mmap(None, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0) 29 | 30 | # Write the code to the allocated memory 31 | libc.ptrace(4, pid, addr, code_to_inject.encode()) 32 | 33 | # Call the `dlopen` function in the target process to load the injected code 34 | dlopen_addr = dlopen(None, 1) 35 | libc.ptrace(0x5555, pid, dlopen_addr, addr) 36 | 37 | # Detach from the target process 38 | libc.ptrace(17, pid, None, None) 39 | 40 | -------------------------------------------------------------------------------- /rules/attempt_to_access_bash_history.yaml: -------------------------------------------------------------------------------- 1 | - list: unsec_file 2 | items: [.bash_history] 3 | 4 | #This is a Falco rule designed to detect attempts to access the bash history file on a Linux system. 5 | #The rule will trigger an alert if it detects an "openat" system call with a file descriptor (fd) that matches the path of the bash history file. 6 | #The type of event must be an "openat" event, which means a file was opened using an absolute or relative path 7 | #The path of the file being opened must match the path of the bash history file, which is typically located at "~/.bash_history" 8 | #The file being opened must be in the list of unsecured files (unsec_file) 9 | #https://attack.mitre.org/techniques/T1552/ 10 | #Mitre Credential Access : Unsecured credential access subscenario 11 | 12 | - rule: Attempt to Access Bash History File 13 | desc: Someone is attempting to access the bash history file 14 | condition: evt.type = openat and fd.filename in (unsec_file) 15 | enabled: true 16 | output: "Access to bash history file (user=%user.name, command=%evt.arg.cmdline)" 17 | priority: CRITICAL 18 | tags: [host, container, bash, mitre_credential_accesss, unsecured_credential_access, T1552] 19 | 20 | -------------------------------------------------------------------------------- /rules/create_account_add_user.yaml: -------------------------------------------------------------------------------- 1 | #This Falco rule is designed to detect attempts to create user accounts or add users to a system. 2 | #A process has been spawned 3 | #The name of the process matches one of the user management binaries listed in the configuration (user_mgmt_binaries) 4 | #The process is not being executed within a container 5 | #The command line used to execute the process is not excluded by the configuration 6 | #https://attack.mitre.org/techniques/T1136/ 7 | #Mitre Persistance: Create account subscenario 8 | 9 | - rule: Create Account or Add User 10 | desc: > 11 | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. 12 | Activity in containers is also excluded--some containers create custom users on top 13 | of a base linux distribution at startup. 14 | Some innocuous command lines that don't actually change anything are excluded. 15 | condition: > 16 | spawned_process and proc.name in (user_mgmt_binaries) 17 | enabled: true 18 | output: > 19 | an user is added or a account is created to get persistance access of system 20 | priority: NOTICE 21 | tags: [host, container, user, account, mitre_persistance, create_account, T1136] 22 | -------------------------------------------------------------------------------- /rules/credentials_from_password_file.yaml: -------------------------------------------------------------------------------- 1 | #system, which can be a sign of an attacker attempting to steal credentials. 2 | #The conditions for the rule to trigger are specified in the condition field, 3 | #which checks for any activity by programs that can manage users, passwords, or permissions. However, 4 | #the sudo and su programs are excluded from the rule, as they are legitimate tools that can be used for managing users and permissions. 5 | #https://attack.mitre.org/techniques/T1555/ 6 | #Mitre Credential Access: Credential from password stores 7 | 8 | - rule: Credentials From Password File 9 | desc: > 10 | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. 11 | Activity in containers is also excluded--some containers create custom users on top 12 | of a base linux distribution at startup. 13 | Some innocuous command lines that don't actually change anything are excluded. 14 | condition: > 15 | spawned_process and proc.name in (user_mgmt_binaries) 16 | enabled: true 17 | output: > 18 | An attempt is made to access password file present on system to get credential access 19 | priority: NOTICE 20 | tags: [host, container, credentials, mitre_credential_access, credentials_from_password_stores, T1555] 21 | -------------------------------------------------------------------------------- /scripts/application_window_discovery.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | # Get the window ID of the currently active window 4 | active_window_id = subprocess.check_output(['xdotool', 'getactivewindow']).decode().strip() 5 | 6 | # Get information about the active window 7 | active_window_info = subprocess.check_output(['xwininfo', '-id', active_window_id]).decode().strip() 8 | 9 | # Get a list of all open windows 10 | window_list = subprocess.check_output(['wmctrl', '-l']).decode().strip().split('\n') 11 | 12 | # Get information about each open window 13 | for window in window_list: 14 | window_id = window.split()[0] 15 | window_info = subprocess.check_output(['xwininfo', '-id', window_id]).decode().strip() 16 | print(window_info) 17 | 18 | # Get a list of all open applications 19 | app_list = subprocess.check_output(['xlsclients']).decode().strip().split('\n') 20 | 21 | # Get information about each open application 22 | for app in app_list: 23 | app_id = app.split()[0] 24 | app_info = subprocess.check_output(['xprop', '-id', app_id]).decode().strip() 25 | print(app_info) 26 | 27 | # Monitor events in the X server 28 | xev_process = subprocess.Popen(['xev'], stdout=subprocess.PIPE) 29 | for line in iter(xev_process.stdout.readline, ''): 30 | print(line.decode()) 31 | 32 | -------------------------------------------------------------------------------- /rules/system_service_discovery.yaml: -------------------------------------------------------------------------------- 1 | - list: system_executables_files 2 | items: [/proc/filesystems, /proc/self/stat, /usr/lib/locale/locale-archive, / 3 | usr/bin/systemctl] 4 | - list: system_executables_directories 5 | items: [/run/systemd/system, /etc/systemd/system-preset, /usr/lib/systemd/sys 6 | tem-preset, /run/systemd/system-preset, /usr/local/lib/systemd/system-preset] 7 | 8 | 9 | #The given Falco rule is designed to detect any attempt to discover all services running on a system. 10 | #The rule is triggered by a newly spawned process or by an attempt to read files from system executable directories or files. 11 | #https://attack.mitre.org/techniques/T1007/ 12 | #Mitre Discovery: system service discovery subscenario 13 | 14 | - rule: System Service Discovery 15 | desc: an attempt to discover all services that are running in system 16 | condition: > 17 | spawned_process 18 | or (open_read and (fd.directory in (system_executables_directories)) or 19 | (fd.filename in (system_executables_files))) 20 | enabled: false 21 | output: > 22 | A process with process id=%proc.pid is spawned to discover all the system 23 | system services present in the system. 24 | priority: ERROR 25 | tags: [host, container, process, mitre_discovery, system_service_discovery, T1007] 26 | -------------------------------------------------------------------------------- /rules/suspicious_time_Date.yaml: -------------------------------------------------------------------------------- 1 | #This is a Falco rule designed to detect suspicious command execution related to time, date, and region information. 2 | #The rule will trigger an alert if it detects the execution of certain commands that may be used to gather such information. 3 | #The type of event must be an "execve" event, which means a process was executed 4 | #The direction of the event must be "<", which means the process was executed by the shell (as opposed to being spawned by another process) 5 | #The name of the process must match one of the following: "date", "timedatectl", "locale", or "hostnamectl" 6 | #https://attack.mitre.org/techniques/T1124/ 7 | #Mitre Discovery: System time discovery subscenario 8 | 9 | - rule: Suspicious Time and Date Command Execution 10 | desc: Detects the execution of commands that may be used to gather time, date, and region information 11 | condition: evt.type = execve and evt.dir = < and (proc.name = "date" or proc.name = "timedatectl" or proc.name = "locale" or proc.name = "hostnamectl") 12 | enabled: true 13 | output: "Suspicious time and date command executed: user=%user.name pid=%proc.pid ppid=%proc.ppid exe=%proc.exepath cmdline=%proc.cmdline" 14 | priority: WARNING 15 | tags: [host, container, time, date, mitre_discovery, system_time_discovery, T1124] 16 | -------------------------------------------------------------------------------- /rules/detect_data_destruction_activity.yaml: -------------------------------------------------------------------------------- 1 | - list: data_destruction_cmd 2 | items: ["shred", "dd", "wipe"] 3 | 4 | #This is a Falco rule that is designed to detect activity related to data destruction, such as file shredding or disk wiping. 5 | #The rule looks for instances where a specific command is executed or files with certain names are accessed. 6 | #The evt.type is set to execve, indicating that a process is being executed, and the name of the process matches one of the commands specified in the data_destruction_cmd list. 7 | #The evt.type is set to openat, indicating that a file is being accessed, and the name of the file being accessed ends with either .shred or .wipe. 8 | #https://attack.mitre.org/techniques/T1485/ 9 | #Mitre Impact: data destruction for impact subscenario 10 | 11 | - rule: Detect Data Destruction Activity 12 | desc: Detects activity related to data destruction, 13 | such as file shredding or disk wiping. 14 | condition: > 15 | (evt.type = execve and proc.name in (data_destruction_cmd)) or 16 | (evt.type = openat and fd.name endswith ".shred" or 17 | fd.name endswith ".wipe") 18 | enabled: true 19 | output: > 20 | Data destruction activity detected. 21 | priority: WARNING 22 | tags: [host, container, filesystem, process, mitre_impact, data_destruction_for_impact, T1485] 23 | -------------------------------------------------------------------------------- /scripts/direct_volume_access.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | # Set the disk device and block size 4 | disk_device = '/dev/sda' 5 | block_size = '4096' 6 | sector_number = '1234' 7 | 8 | # Use dd command to read disk block 9 | dd_command = ['dd', 'if={}'.format(disk_device), 'bs={}'.format(block_size), 'skip={}'.format(sector_number)] 10 | dd_output = subprocess.check_output(dd_command) 11 | 12 | # Use hdparm to read disk block 13 | hdparm_command = ['sudo', 'hdparm', '--read-sector', sector_number, disk_device] 14 | hdparm_output = subprocess.check_output(hdparm_command) 15 | 16 | # Use readsector to read disk block 17 | readsector_command = ['sudo', 'readsector', '-s', sector_number, disk_device] 18 | readsector_output = subprocess.check_output(readsector_command) 19 | 20 | # Use ddrescue to read disk block 21 | ddrescue_command = ['sudo', 'ddrescue', '-i={}'.format(disk_device), '-s={}'.format(sector_number), '/dev/null', 'output_file'] 22 | ddrescue_output = subprocess.check_output(ddrescue_command) 23 | 24 | # Print the output of each command 25 | print("dd command output:\n{}".format(dd_output.decode('utf-8'))) 26 | print("hdparm command output:\n{}".format(hdparm_output.decode('utf-8'))) 27 | print("readsector command output:\n{}".format(readsector_output.decode('utf-8'))) 28 | print("ddrescue command output:\n{}".format(ddrescue_output.decode('utf-8'))) 29 | 30 | -------------------------------------------------------------------------------- /rules/permission_group_members_discovery.yaml: -------------------------------------------------------------------------------- 1 | - list: groups 2 | items: [/etc/group] 3 | - list: critical_files 4 | items: [/etc/group, /etc/passwd, /etc/shadow, /etc/sudoers] 5 | 6 | #This is a Falco rule that is designed to detect processes that attempt to discover the permissions of files and groups, 7 | # including the group members. The rule looks for processes that read group files or attempt to get information about critical files. 8 | #The open_read system call is used to read a file, and the name of the file matches one of the group files specified in the groups list. 9 | #The evt.type is set to stat, indicating that a process is querying file metadata, 10 | #and the name of the file being queried matches one of the critical files specified in the critical_files list. 11 | #https://attack.mitre.org/techniques/T1069/ 12 | #Mitre Discovery: permission groups discovery 13 | 14 | - rule: Permission and Group Members Discovery 15 | desc: rule to detect permission of files and group and its group members 16 | condition: > 17 | (open_read and (fd.name in (groups))) or 18 | (evt.type = stat and (fd.filename in (critical_files))) 19 | enabled: true 20 | output: suspicious process is spawwned to check file permissions 21 | and group members. 22 | priority: ERROR 23 | tags: [host, container, permission, group, mitre_discovery, permission_groups_discovery, T1069] 24 | -------------------------------------------------------------------------------- /scripts/archive_collected_data.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | import shutil 7 | import subprocess 8 | 9 | 10 | # Function to create a tar archive 11 | def create_tar_archive(directory_path, archive_name): 12 | archive_path = archive_name + ".tar.gz" 13 | subprocess.call(["tar", "-czf", archive_path, directory_path]) 14 | return archive_path 15 | 16 | 17 | # Function to create a zip archive 18 | def create_zip_archive(directory_path, archive_name): 19 | archive_path = archive_name + ".zip" 20 | shutil.make_archive(archive_name, "zip", directory_path) 21 | return archive_path 22 | 23 | 24 | # Function to compress a file using gzip 25 | def gzip_file(file_path): 26 | subprocess.call(["gzip", file_path]) 27 | 28 | 29 | # Function to compress a file using bzip2 30 | def bzip2_file(file_path): 31 | subprocess.call(["bzip2", file_path]) 32 | 33 | 34 | # Example usage 35 | if __name__ == "__main__": 36 | # Create a tar archive of the "data" directory 37 | create_tar_archive("/home/f/syscall_analysis", "data_archive_tar") 38 | 39 | # Create a zip archive of the "data" directory 40 | create_zip_archive("/home/f/syscall_analysis", "data_archive_zip") 41 | 42 | # Compress a file using gzip 43 | gzip_file("/home/f/syscall_analysis/cd") 44 | 45 | # Compress a file using bzip2 46 | bzip2_file("/home/f/syscall_analysis/ef") 47 | -------------------------------------------------------------------------------- /rules/execute_command_via_utility.yaml: -------------------------------------------------------------------------------- 1 | #This Falco rule is designed to detect the execution of commands via commonly used utilities such as awk, sed, grep, Python, 2 | #Perl, Bash, cron, systemd-timer, and atd on a Linux system. 3 | #The rule checks for the execve event type and then looks for the presence of these utilities either in the proc.name field or in the proc.cmdline field. 4 | #https://attack.mitre.org/techniques/T1202/ 5 | #Mitre Defense Evasion: indirect command execution subscenario 6 | 7 | - list: other_utilities 8 | items: [awk, sed, grep, python, perl, bash, cron, systemd-timer, atd] 9 | 10 | - rule: Execute Command Via Utility 11 | desc: Detects execution of commands via utilities commonly used to parse text, scripting languages, and system utilities 12 | condition: > 13 | (evt.type = execve and 14 | (proc.name in (other_utilities) or 15 | proc.cmdline contains awk or 16 | proc.cmdline contains sed or 17 | proc.cmdline contains grep or 18 | proc.cmdline contains python or 19 | proc.cmdline contains perl or 20 | proc.cmdline contains bash or 21 | proc.cmdline contains cron or 22 | proc.cmdline contains systemd-timer or 23 | proc.cmdline contains atd)) 24 | enabled: true 25 | output: > 26 | Command executed via utility detected (user=%user.name command=%proc.cmdline) 27 | priority: WARNING 28 | tags: [host, container, command, mitre_defense_evasion, indirect_command_execution, T1202] 29 | -------------------------------------------------------------------------------- /rules/detect_peripheral_device_enumeration.yaml: -------------------------------------------------------------------------------- 1 | - list: device_enumeration 2 | items: ["lsusb", "lspci", "dmesg", "lsblk", "lshw", "hwinfo"] 3 | 4 | #This Falco rule detects if someone runs commands that enumerate peripheral devices. 5 | # It does this by checking if a process is spawned and its name is in a predefined list of commands that enumerate peripheral devices, 6 | #or if its command line contains specific keywords such as "lsusb", "lspci", "dmesg", "lsblk", "lshw", or "hwinfo". If the condition is met, 7 | #the rule generates an alert with a warning priority indicating that a peripheral device enumeration command has been detected. 8 | #https://attack.mitre.org/techniques/T1120/ 9 | #Mitre Discovery: Peripheral Device Discovery subscenario 10 | 11 | - rule: Detect Peripheral Device Enumeration Commands 12 | desc: Detects if someone runs commands that enumerate peripheral devices. 13 | condition: > 14 | spawned_process and 15 | ( 16 | proc.name in (device_enumeration) or 17 | proc.cmdline contains "lsusb" or 18 | proc.cmdline contains "lspci" or 19 | proc.cmdline contains "dmesg" or 20 | proc.cmdline contains "lsblk" or 21 | proc.cmdline contains "lshw" or 22 | proc.cmdline contains "hwinfo" 23 | ) 24 | enabled: true 25 | output: > 26 | Peripheral device enumeration command detected. 27 | priority: WARNING 28 | tags: [host, container, device, hardware, mitre_discovery, peripheral_device_discovery, T1120] 29 | -------------------------------------------------------------------------------- /rules/get_info_about_open_application_windows.yaml: -------------------------------------------------------------------------------- 1 | #The falco rule "Get info about open windows" is designed to detect attempts to get information 2 | #about open application windows by monitoring specific commands such as "xwininfo", "wmctrl", "xprop", 3 | #"xlsclients", "xdotool", "xrestop", "xwininfo", "xdpyinfo", "glxinfo", "xrandr", "xset", "xdriinfo", "xhost", "xev", "xdotool", and "xsetroot". 4 | #https://attack.mitre.org/techniques/T1010/ 5 | #Mitre Discovery: application window discovery subscenario 6 | 7 | - rule: Get Information About Open Application Windows 8 | desc: Detects attempts to get information about open application windows 9 | condition: > 10 | proc.name in ("xwininfo", "wmctrl", "xprop", "xlsclients", "xdotool", "xrestop", "xwininfo", "xdpyinfo", "glxinfo", "xrandr", "xset", "xdriinfo", "xhost", "xev", "xdotool", "xsetroot") 11 | enabled: true 12 | output: "Get info about open windows in system detected (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)" 13 | priority: WARNING 14 | tags: [host, container, process, mitre_discovery, application_window_discovery, T1010] 15 | -------------------------------------------------------------------------------- /rules/suspicious_network_spanning_command.yaml: -------------------------------------------------------------------------------- 1 | - list: network_tools 2 | items: ["nmap", "ping", "dig", "nslookup", "arp"] 3 | 4 | #This is a Falco rule that is designed to detect suspicious network scanning commands. 5 | #The rule looks for commands that are commonly used for network scanning activities 6 | #and have certain flags or arguments that suggest that the command is being used for malicious purposes. 7 | #The name of the process matches one of several common network scanning tools, including nmap, ping, dig, nslookup, and arp. 8 | #The command line arguments passed to the process contain one or more of the following flags or arguments: 9 | #-sP: sends a Ping Scan to determine which hosts are online. 10 | #-c: specifies the number of packets to send in a Ping or TCP SYN scan. 11 | #+short: returns only the IP address for a DNS query instead of the full output. 12 | #-a: performs a reverse DNS lookup to determine the hostname associated with an IP address. 13 | #https://attack.mitre.org/techniques/T1018/ 14 | #Mitre Discovery: remote system discovery subscenario 15 | 16 | - rule: Suspicious Network Scanning Command 17 | desc: Detects suspicious network scanning commands 18 | condition: 19 | (proc.name=nmap or proc.name=ping or proc.name=dig or 20 | proc.name=nslookup or proc.name=arp) and 21 | ( 22 | proc.args contains "-sP" or 23 | proc.args contains "-c" or 24 | proc.args contains "+short" or 25 | proc.args contains "-a" 26 | ) 27 | enabled: true 28 | output: Suspicious network scanning command executed 29 | (user=%user.name command=%proc.cmdline) 30 | priority: WARNING 31 | tags: [host, container, network, mitre_discovery, remote_system_discovery, T1018] 32 | -------------------------------------------------------------------------------- /scripts/Account_manipulation.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import os 8 | 9 | # Path to authorized_keys file 10 | authorized_keys_path = "/home/f/.ssh/authorized_keys" 11 | 12 | # Path to sshd_config file 13 | sshd_config_path = "/etc/ssh/sshd_config" 14 | 15 | # Add a new public key to authorized_keys file 16 | with open(authorized_keys_path, "a") as f: 17 | f.write( 18 | "\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3dY6Z5g6xP+oLW8I3qCvbBUmJyvzCZ68W8QXzjKbP7SKvT35B+T8TJ01fgTb1yBv1Iucb+p8SEtPZoMnZcT0GbdT+T8Dyghya1y2K1tD0WzsI8WsXJ+rAVZcYwbxH+lr0hs8qF3CqPYEJ+LzC1f2PN9uxzGZbLO/t4vNbuB4QFbG6NnyjjRwKIFzoDlUJ8qU6Y5U6Z1xZOJjK6eP/ZmFZHmC+JvMcNVdwTXK7zX/s+tsW8FpzMQV7h9bUS+spUC7xEum8PshPKmJj+TlRJ0m8ZzWox6ZWbjF6+dc2sJQb6xFq2aC+Dx00uVg4z8F84W+7PNPOmnUSX9VYoSv8ouYofwA5SKxJx/W/B+IvPnlfDQHdx2XrX9rI5g5rE45XTzGJiLhqIPQcglXX8qAqJqwVKaRLnX9Rz/Xn1/xYLeEVwzEDx22a0rbLVaG3ZK3OJzutn0iXlRm0jKpYbLfUKi81xOvr/5dwnZ0I04i2GtquH9Xr5rB/l5Yt7PDM= user@host\n" 19 | ) 20 | f.close() 21 | 22 | # Modify the sshd_config file to disable root login and password authentication 23 | with open(sshd_config_path, "r") as f: 24 | config_lines = f.readlines() 25 | f.close() 26 | 27 | # Replace the line containing "PermitRootLogin" with a new line that disables root login 28 | for i in range(len(config_lines)): 29 | if "PermitRootLogin" in config_lines[i]: 30 | config_lines[i] = "PermitRootLogin no\n" 31 | 32 | # Replace the line containing "PasswordAuthentication" with a new line that disables password authentication 33 | for i in range(len(config_lines)): 34 | if "PasswordAuthentication" in config_lines[i]: 35 | config_lines[i] = "PasswordAuthentication no\n" 36 | 37 | # Write the modified sshd_config file back to disk 38 | with open(sshd_config_path, "w") as f: 39 | f.writelines(config_lines) 40 | f.close() 41 | -------------------------------------------------------------------------------- /scripts/modify_authentication_process.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[ ]: 5 | 6 | 7 | import subprocess 8 | 9 | # Define the PAM configuration file path 10 | pam_config_file = "/etc/pam.d/common-auth" 11 | 12 | # Add a new authentication module to the PAM configuration 13 | subprocess.run(["sudo", "sed", "-i", "s/^auth\s*required\s*pam_unix.so$/auth required pam_unix.so\nauth required pam_mymodule.so/", pam_config_file]) 14 | 15 | # Remove an existing authentication module from the PAM configuration 16 | subprocess.run(["sudo", "sed", "-i", "/^auth\s*required\s*pam_permit.so/d", pam_config_file]) 17 | 18 | # Modify an existing authentication module in the PAM configuration 19 | subprocess.run(["sudo", "sed", "-i", "s/^auth\s*required\s*pam_deny.so$/auth required pam_deny.so debug/", pam_config_file]) 20 | 21 | 22 | # In[ ]: 23 | 24 | 25 | import fileinput 26 | 27 | # Open the common-auth file for editing 28 | with fileinput.FileInput("/etc/pam.d/common-auth", inplace=True) as file: 29 | 30 | # Iterate over each line in the file 31 | for line in file: 32 | 33 | # If the line contains "auth sufficient pam_unix.so", replace it with "auth sufficient pam_unix.so my_custom_module.so" 34 | if "auth sufficient pam_unix.so" in line: 35 | print(line.replace("auth sufficient pam_unix.so", "auth sufficient pam_unix.so my_custom_module.so")) 36 | 37 | # If the line contains "auth [success=1 default=ignore] pam_unix.so", replace it with "auth [success=1 default=ignore] pam_unix.so my_custom_module.so" 38 | elif "auth [success=1 default=ignore] pam_unix.so" in line: 39 | print(line.replace("auth [success=1 default=ignore] pam_unix.so", "auth [success=1 default=ignore] pam_unix.so my_custom_module.so")) 40 | 41 | # Otherwise, print the line as-is 42 | else: 43 | print(line, end="") 44 | 45 | -------------------------------------------------------------------------------- /rules/archive_and_compression_activity.yaml: -------------------------------------------------------------------------------- 1 | #This is a Falco rule that is designed to detect archive and compression activity using popular tools like tar, zip, gzip, and bzip2. 2 | #The rule looks for instances where these commands are being used to create or extract compressed archives. 3 | #If the process name is "zip" and the event direction is "<", indicating that files are being added to a zip archive. 4 | #If the process name is "tar" and the second argument is set to either "-czf" or "-cpf", indicating that files are being compressed and added to a tar archive. 5 | #If the process name is "gzip" and the event direction is "<", indicating that files are being compressed with gzip. 6 | #If the process name is "bzip2" and the event direction is "<", indicating that files are being compressed with bzip2. 7 | #https://attack.mitre.org/techniques/T1560/ 8 | #Mitre collection: Archive collected data subscenario 9 | - list: encryption_proc 10 | items: ["zip", "tar", "gzip", "bzip2"] 11 | 12 | - rule: Archive and Compression Activity 13 | desc: Detects archive and compression activity using tar, zip, gzip, and bzip2. 14 | condition: > 15 | spawned_process and 16 | ((proc.name in (encryption_proc)) and 17 | (evt.dir = "<" or evt.arg[1] = "-czf" or evt.arg[1] = "-cpf")) 18 | enabled: true 19 | output: > 20 | "Archive and compression activity detected (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)" 21 | priority: WARNING 22 | tags: [host, container, data, mitre_collection, archive_collected_data, T1560] 23 | -------------------------------------------------------------------------------- /scripts/Password_policy_discovery.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[2]: 5 | 6 | 7 | 8 | 9 | 10 | # In[4]: 11 | 12 | 13 | import pam 14 | 15 | # Define the PAM service to use for authentication 16 | PAM_SERVICE = "pwquality.conf" 17 | 18 | # Create a new PAM instance 19 | p = pam.pam() 20 | 21 | # Define a dictionary to store the password policies 22 | password_policies = {} 23 | 24 | # Get the password policies from the PAM configuration 25 | pam_config = open("/etc/security/" + PAM_SERVICE, "r").readlines() 26 | for i in pam_config: 27 | print(i) 28 | for line in pam_config: 29 | line = line.strip() 30 | if line.startswith("password"): 31 | words = line.split() 32 | if "required" in words: 33 | if "minlen=" in words: 34 | password_policies["min_length"] = int(words[words.index("minlen=")+1]) 35 | if "dcredit=" in words: 36 | password_policies["min_digit"] = int(words[words.index("dcredit=")+1]) 37 | if "ucredit=" in words: 38 | password_policies["min_uppercase"] = int(words[words.index("ucredit=")+1]) 39 | if "lcredit=" in words: 40 | password_policies["min_lowercase"] = int(words[words.index("lcredit=")+1]) 41 | if "ocredit=" in words: 42 | password_policies["min_special_chars"] = int(words[words.index("ocredit=")+1]) 43 | if "maxrepeat=" in words: 44 | password_policies["max_repeat"] = int(words[words.index("maxrepeat=")+1]) 45 | if "minclass=" in words: 46 | password_policies["min_character_classes"] = int(words[words.index("minclass=")+1]) 47 | if "remember=" in words: 48 | password_policies["password_history"] = int(words[words.index("remember=")+1]) 49 | 50 | # Print the password policies 51 | print(password_policies) 52 | 53 | 54 | # In[ ]: 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /rules/disable_recovery_features.yaml: -------------------------------------------------------------------------------- 1 | #The given rule is designed to detect suspicious activities related to disabling system recovery features. 2 | #The rule looks for specific commands being executed such as rm -rf, chattr +i, mkfs.ext4 -E nodiscard, mount remount,ro, 3 | #and disabling certain services such as systemd-backlight@.service, apport.service, rescue.service, emergency.service, and recovery-mode.service. 4 | #https://attack.mitre.org/techniques/T1490/ 5 | #Mitre Impact: Inhibit system recovery 6 | - list: recovery_files 7 | items: [/etc/default/grub, /etc/inittab, /usr/lib/systemd/system/rescue.service] 8 | 9 | - list: critical_dir 10 | items: [/boot, /bin, /etc, /lib, /sbin, /usr, ~/.local/share/Trash, ~/.local/share/Trash/files] 11 | 12 | - list: recovery_proc_args 13 | items: ["disable systemd-backlight@.service", "disable apport.service", "disable rescue.service", "disable emergency.service", "disable recovery-mode.service"] 14 | 15 | - rule: Disable Recovery Features 16 | desc: Detects disabling system recovery features by deleting or disabling services and commands. 17 | condition: > 18 | (spawned_process) and 19 | ((proc.name = "chattr" and proc.args contains "+i") or 20 | (proc.name = "mkfs.ext4" and proc.args contains "-E nodiscard") or 21 | (proc.name = "mount" and proc.args contains "remount,ro") or 22 | (proc.name = "systemctl" and proc.args in (recovery_proc_args)) or 23 | (open_write and fd.name in (recovery_files)) or 24 | (remove and (fd.name pmatch (critical_dir)))) 25 | enabled: true 26 | output: command related to Disabling recovery features so that system becomes non recoverable in case of failure is executed .(user=%user.name user_loginuid=%user.loginuid 27 | command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)" 28 | priority: CRITICAL 29 | tags: [host, container, recovery, mitre_impact, inhibit_system_recovery, T1490] 30 | -------------------------------------------------------------------------------- /scripts/remote_system_discovery.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[3]: 5 | 6 | 7 | import subprocess 8 | 9 | # Using the "ping" command 10 | def ping(host): 11 | cmd = f"ping -c 1 {host}" 12 | return subprocess.call(cmd, shell=True) == 0 13 | 14 | # Using the "nmap" command 15 | def nmap_scan(network): 16 | cmd = f"nmap -sP {network}" 17 | output = subprocess.check_output(cmd, shell=True) 18 | return [line.split()[4] for line in output.decode().split("\n") if "Nmap scan report for" in line] 19 | 20 | # Using the "arp" command 21 | #def arp_scan(): 22 | # cmd = "arp -a" 23 | # output = subprocess.check_output(cmd, shell=True) 24 | # return [line.split()[1][1:-1] for line in output.decode().split("\n") if len(line.split()) >= 4] 25 | 26 | # Using the "host" command 27 | def host_lookup(host): 28 | cmd = f"host {host}" 29 | output = subprocess.check_output(cmd, shell=True) 30 | return output.decode().split()[3] 31 | 32 | # Using the "dig" command 33 | def dig_lookup(host): 34 | cmd = f"dig +short {host}" 35 | output = subprocess.check_output(cmd, shell=True) 36 | return output.decode().strip() 37 | 38 | # Using the "nslookup" command 39 | def nslookup(host): 40 | cmd = f"nslookup {host}" 41 | output = subprocess.check_output(cmd, shell=True) 42 | return output.decode().split()[4] 43 | 44 | if __name__ == '__main__': 45 | # Replace the parameters with the desired values 46 | host = "www.google.com" 47 | network = "10.0.2.15/24" 48 | 49 | if ping(host): 50 | print(f"{host} is up!") 51 | else: 52 | print(f"{host} is down.") 53 | 54 | print(f"Scanning network {network}...") 55 | hosts = nmap_scan(network) 56 | print(f"Found hosts: {hosts}") 57 | 58 | #arp_hosts = arp_scan() 59 | #print(f"ARP hosts: {arp_hosts}") 60 | 61 | print(f"Host lookup for {host}: {host_lookup(host)}") 62 | print(f"DIG lookup for {host}: {dig_lookup(host)}") 63 | print(f"NSLookup for {host}: {nslookup(host)}") 64 | 65 | 66 | # In[ ]: 67 | 68 | 69 | 70 | 71 | 72 | # In[ ]: 73 | 74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: Release Rules 2 | 3 | on: 4 | push: 5 | tags: 6 | - '*.*.*' 7 | 8 | env: 9 | OCI_REGISTRY: ghcr.io 10 | RULES_NAME: falco_extended_rules 11 | 12 | permissions: 13 | contents: write 14 | packages: write 15 | 16 | jobs: 17 | publish-oci-artifacts: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - name: Checkout Falcoctl Repo 21 | uses: actions/checkout@v3 22 | with: 23 | repository: falcosecurity/falcoctl 24 | ref: main 25 | path: tools/falcoctl 26 | - name: Setup Golang 27 | uses: actions/setup-go@v4 28 | with: 29 | go-version: '^1.20' 30 | cache-dependency-path: tools/falcoctl/go.sum 31 | - name: Build falcoctl 32 | run: make 33 | working-directory: tools/falcoctl 34 | - name: Checkout 35 | uses: actions/checkout@v3 36 | with: 37 | path: plugin 38 | - name: Build the plugin 39 | run: make build 40 | working-directory: plugin 41 | - id: StringRepoName 42 | uses: ASzc/change-string-case-action@v5 43 | with: 44 | string: ${{ github.repository }} 45 | - name: Upload OCI artifacts to GitHub packages 46 | run: | 47 | MAJOR=$(echo ${{ github.ref_name }} | cut -f1 -d".") 48 | MINOR=$(echo ${{ github.ref_name }} | cut -f1,2 -d".") 49 | DIR=$(pwd) 50 | 51 | cd rules/ 52 | for i in $(ls *.yaml); 53 | do 54 | cat ${i} >> ${{ env.RULES_NAME }}.yaml 55 | echo "" >> ${{ env.RULES_NAME }}.yaml 56 | done 57 | sed -i -e 's/ *$//g' ${{ env.RULES_NAME }}.yaml 58 | $DIR/tools/falcoctl/falcoctl registry push \ 59 | ${{ env.OCI_REGISTRY }}/${{ steps.StringRepoName.outputs.lowercase }}/ruleset/${{ env.RULES_NAME }}:${{ github.ref_name }} \ 60 | --config /dev/null \ 61 | --type rulesfile \ 62 | --version "${{ github.ref_name }}" \ 63 | --tag latest --tag $MAJOR --tag $MINOR \ 64 | --name ${{ env.RULES_NAME }} \ 65 | ${{ env.RULES_NAME }}_rules.yaml 66 | env: 67 | FALCOCTL_REGISTRY_AUTH_BASIC: ${{ env.OCI_REGISTRY }},${{ github.repository_owner }},${{ secrets.GITHUB_TOKEN }} 68 | 69 | release: 70 | runs-on: ubuntu-latest 71 | steps: 72 | - name: Checkout 73 | uses: actions/checkout@v3 74 | with: 75 | fetch-depth: 0 76 | - name: Setup Golang 77 | uses: actions/setup-go@v3 78 | with: 79 | go-version: '1.19' 80 | - name: Run GoReleaser 81 | uses: goreleaser/goreleaser-action@v4 82 | with: 83 | version: latest 84 | args: release --clean --timeout 120m 85 | env: 86 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 87 | LDFLAGS: "-buildmode=c-shared" 88 | GOPATH: /home/runner/go -------------------------------------------------------------------------------- /scripts/system_location_discovery.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import subprocess 4 | 5 | # Obtain the network name and signal strength using nmcli 6 | nmcli_command = "nmcli -f all device show wlan0" 7 | nmcli_output = subprocess.check_output(nmcli_command.split()).decode() 8 | network_name = None 9 | signal_strength = None 10 | for line in nmcli_output.split('\n'): 11 | if line.startswith('GENERAL.NAME:'): 12 | network_name = line.split(':')[1].strip() 13 | elif line.startswith('GENERAL.SIGNAL:'): 14 | signal_strength = line.split(':')[1].strip() 15 | if network_name: 16 | print(f"Network name: {network_name}") 17 | if signal_strength: 18 | print(f"Signal strength: {signal_strength}") 19 | 20 | # Obtain the MAC address of the access point using iw 21 | iw_command = "iw dev wlan0 link" 22 | iw_output = subprocess.check_output(iw_command.split()).decode() 23 | mac_address = None 24 | for line in iw_output.split('\n'): 25 | if line.startswith('Connected to'): 26 | mac_address = line.split()[2] 27 | if mac_address: 28 | print(f"MAC address: {mac_address}") 29 | 30 | # Obtain the location of the network gateway using geoiplookup 31 | ip_command = "ip route show | awk '/^default/{print $3}'" 32 | ip_address = subprocess.check_output(ip_command.split()).decode().strip() 33 | geoip_command = f"geoiplookup {ip_address}" 34 | geoip_output = subprocess.check_output(geoip_command.split()).decode() 35 | location_info = None 36 | for line in geoip_output.split('\n'): 37 | if line.startswith('GeoIP City Edition'): 38 | location_info = line.split(',')[2].strip() 39 | if location_info: 40 | print(f"Location info: {location_info}") 41 | 42 | # Obtain the hostname of the system 43 | hostname_command = "hostname" 44 | hostname_output = subprocess.check_output(hostname_command.split()).decode().strip() 45 | print(f"Hostname: {hostname_output}") 46 | 47 | # Obtain the system's public IP address using curl and ipify.org 48 | ipify_command = "curl https://api.ipify.org" 49 | public_ip_address = subprocess.check_output(ipify_command.split()).decode().strip() 50 | if public_ip_address: 51 | print(f"Public IP address: {public_ip_address}") 52 | 53 | # Obtain the system's timezone using timedatectl 54 | timedatectl_command = "timedatectl | grep Timezone | awk '{print $2}'" 55 | timezone_output = subprocess.check_output(timedatectl_command.split()).decode().strip() 56 | if timezone_output: 57 | print(f"Timezone: {timezone_output}") 58 | 59 | # Obtain the system's latitude and longitude using geoclue2 60 | geoclue_command = "geoclue2-lookup" 61 | geoclue_output = subprocess.check_output(geoclue_command.split()).decode() 62 | latitude = None 63 | longitude = None 64 | for line in geoclue_output.split('\n'): 65 | if line.startswith('Latitude='): 66 | latitude = line.split('=')[1].strip() 67 | elif line.startswith('Longitude='): 68 | longitude = line.split('=')[1].strip() 69 | if latitude and longitude: 70 | print(f"Latitude: {latitude}") 71 | print(f"Longitude: {longitude}") 72 | 73 | -------------------------------------------------------------------------------- /scripts/Traffic_signaling_raw_sockets.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # In[2]: 5 | 6 | 7 | import socket 8 | import struct 9 | 10 | # Destination IP address and port 11 | DEST_IP = "192.168.0.1" 12 | DEST_PORT = 1234 13 | 14 | # Create a raw socket 15 | s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) 16 | 17 | # Set the IP header fields 18 | ip_version = 4 19 | ip_header_length = 5 # 5 32-bit words 20 | ip_tos = 0 21 | ip_total_length = 20 + 8 # IP header + custom payload 22 | ip_id = 0 23 | ip_flags = 0 24 | ip_ttl = 64 25 | ip_protocol = socket.IPPROTO_TCP 26 | ip_checksum = 0 # Will be calculated later 27 | ip_src = socket.inet_aton("192.168.0.2") 28 | ip_dst = socket.inet_aton(DEST_IP) 29 | 30 | # Assemble the IP header 31 | ip_header = struct.pack("!BBHHHBBH4s4s", 32 | (ip_version << 4) + ip_header_length, # Version and header length 33 | ip_tos, # Type of service 34 | ip_total_length, # Total length 35 | ip_id, # Identification 36 | (ip_flags << 13), # Flags and fragment offset 37 | ip_ttl, # Time to live 38 | ip_protocol, # Protocol 39 | ip_checksum, # Checksum (will be calculated later) 40 | ip_src, # Source IP address 41 | ip_dst) # Destination IP address 42 | 43 | # Calculate the IP header checksum 44 | ip_checksum = calculate_checksum(ip_header) 45 | ip_header = struct.pack("!BBHHHBBH4s4s", 46 | (ip_version << 4) + ip_header_length, # Version and header length 47 | ip_tos, # Type of service 48 | ip_total_length, # Total length 49 | ip_id, # Identification 50 | (ip_flags << 13), # Flags and fragment offset 51 | ip_ttl, # Time to live 52 | ip_protocol, # Protocol 53 | ip_checksum, # Checksum 54 | ip_src, # Source IP address 55 | ip_dst) # Destination IP address 56 | 57 | # Set the TCP header fields 58 | tcp_src_port = 1234 59 | tcp_dst_port = DEST_PORT 60 | tcp_seq_num = 0 61 | tcp_ack_num = 0 62 | tcp_header_length = 5 # 5 32-bit words 63 | tcp_flags = 2 # SYN flag 64 | tcp_window_size = socket.htons(5840) # Maximum amount of data the sender is willing to receive 65 | tcp_checksum = 0 # Will be calculated later 66 | tcp_urgent_pointer = 0 67 | 68 | # Assemble the TCP header 69 | tcp_header = struct.pack("!HHLLBBHHH", 70 | tcp_src_port, # Source port 71 | tcp_dst_port, # Destination port 72 | tcp_seq_num, # Sequence number 73 | tcp_ack_num, # Acknowledgment number 74 | (tcp_header_length << 4), # Data offset and reserved bits 75 | tcp_flags, # Control flags 76 | tcp_window_size, # Window size 77 | tcp_checksum, # Checksum (will be calculated later) 78 | tcp_urgent_pointer) # Urgent pointer 79 | 80 | # Assemble the custom payload 81 | payload = b"Hello, world!" 82 | 83 | # Calculate the TCP pseudo-header for checksum calculation 84 | tcp_pseudo_header = struct.pack("!4s4sBBH", 85 | ip_src, # Source IP address 86 | ip_dst,) # Destination IP 87 | 88 | 89 | # In[ ]: 90 | 91 | 92 | 93 | 94 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | ![CD-Logo](https://github.com/CloudDefenseAI/falco_extended_rules/assets/28846178/58bd666b-7a99-453e-a777-4a41bf789153) 3 | 4 | ## Falco rules hosted by CloudDefenseAI 5 | https://attack.mitre.org/matrices/enterprise/cloud/ . 6 | This repository contains a collection of extended [Falco](https://falco.org/) rules developed by CloudDefense.ai. 7 | 8 | Falco is a powerful open-source behavioral activity monitor designed to detect and alert on unexpected application behavior in containers and Kubernetes. These extended rules provided by CloudDefense.ai enhance the default rule set and offer additional detection capabilities to strengthen the security of your containerized environment. 9 | 10 | The image below shows the mitre attack coverage by Falco & extended coverage added by [Clouddefense.ai](https://www.clouddefense.ai/) 11 | 12 | 13 | ![kkkk](https://github.com/CloudDefenseAI/falco_extended_rules/assets/28846178/0f490715-8d74-4950-8b2b-5baf54d870db) 14 | 15 | 16 | 17 | ## Prerequisites 18 | Before you begin, make sure you have the following prerequisites in place: 19 | 20 | 1. Falco Installed: Ensure that you have Falco installed on the target system where you want to enable runtime security. Refer to the official [Falco documentation](https://falco.org/docs/) for installation instructions. 21 | 22 | 2. Falco Configuration: Set up your Falco configuration file (falco.yaml) according to your specific needs. Make sure you have configured Falco to load external rule files. 23 | 24 | ## Local Installation 25 | To install and use the extended rule set for Falco runtime security, follow these steps: 26 | 27 | 1. Clone the Repository: Start by cloning this GitHub repository to your local system: 28 | ``` 29 | git clone https://github.com/CloudDefenseAI/falco_extended_rules.git 30 | ``` 31 | 2. Navigate to the Repository: Change to the repository directory: 32 | ``` 33 | cd falco_extended_rules 34 | ``` 35 | 3. Add Rules: Copy the extended rule files (custom_rules.yaml) from the cloned repository to a location accessible by Falco. For example, you can place them in the same directory as your Falco configuration file or in a separate directory, depending on your preference. 36 | 4. Update Falco Configuration: Open your Falco configuration file (falco.yaml) and add the following lines under the rules_file section: 37 | ``` 38 | rules_file: 39 | -/path/to/your/rules/file1.yaml 40 | -/path/to/your/rules/file2.yaml 41 | ``` 42 | 5. Restart Falco: Restart the Falco service to apply the changes and load the new rules. 43 | ``` 44 | # Restart Falco on systemd-based systems 45 | sudo systemctl restart falco 46 | 47 | # Restart Falco on non-systemd systems 48 | sudo service falco restart 49 | ``` 50 | ## Installation with Falcoctl 51 | 52 | ## With falcoctl 53 | 54 | Add the index: 55 | ```shell 56 | sudo falcoctl index add clouddefense https://raw.githubusercontent.com/CloudDefenseAI/falco_extended_rules/master/index.yaml 57 | ``` 58 | 59 | Install the rules: 60 | ```shell 61 | sudo falcoctl artifact install falco_extended_rules:latest 62 | ``` 63 | 64 | ## List of rules 65 | 66 | Below table shows the list of hosted rules in this repository: 67 | 68 | | S. No | Rule Name | Purpose | Corresponding Mitre | 69 | | -------- | -------- | -------- | -------- | 70 | |1|Account manipulation in ssh| account manipulation |Mitre Persistance| 71 | |2|Suspicious disk activity|Detects disk wiping, overwriting or corrupting raw disk data|Mitre Impact| 72 | |3|Disable Recovery Features|Dtects disabling of system recovery features|Mitre Impact| 73 | |4|Detect Data Destruction Activity|Detects activity related to data destruction|Mitre Imapct| 74 | |5|Suspicious Network Scanning Command|Detects suspicious network scanning commands|Mitre Discovery| 75 | |6|Permission and Group Members Discovery|Detects permission of files and group and its group members|Mitre Discovery| 76 | |7|Detect Peripheral Device Enumeration Commands|Detects if someone runs commands that enumerate peripheral devices|Mitre Discovery| 77 | |8|Suspicious Time and Date Command Execution|Detects the execution of commands that may be used to gather time, date, and region information|Mitre Discovery| 78 | |9|Enumerate Domain Trusts|Detects attempts to enumerate domain trusts in Linux systems|Mitre Discovery| 79 | |10|Detect System Location Information Retrieval|Detects attempts to retrieve system information|Mitre Discovery| 80 | |11|Get Information About Open Application Windows|Detects attempts to get information about open application windows|Mitre Discovery| 81 | |12|Suspicious System Information Gathering|Detects suspicious commands related to gathering system information|Mitre Discovery| 82 | |13|Read Maps File of Process|An attempt to read the maps file of a process will be detected|Mitre Credential Access| 83 | |14|Attempt to Access Bash History File|Someone is attempting to access the bash history file|Mitre Credential Access| 84 | |15| Chown or Chmod Operation|Detects chown or chmod operations|Mitre Defense Evasion| 85 | |16|Execute Command Via Utility|Detects execution of commands via parse text, scripting languages, and system utilities|Mitre Defense Evasion| 86 | |17|Read Disk Block Command|Detects execution of commands that read disk blocks|Mitre Defense Evasion| 87 | |18|Archive and Compression Activity|Detects archive and compression activity using tar, zip, gzip, and bzip2|Mitre Collection| 88 | |19|Detect Service Disable Using Systemctl|Detect Service Disable Using Systemctl|Mitre Impact| 89 | |20|System Service Discovery|an attempt to discover all services that are running in system|Mitre Discovery| 90 | 91 | 92 | 93 | The extended Falco rules included in this repository are carefully crafted and continuously updated by the experienced security experts at CloudDefense.ai. They address a wide range of potential security threats and anomalies, enabling you to identify suspicious activities, unauthorized access attempts, privilege escalations, and other malicious behaviors. 94 | 95 | By leveraging these extended Falco rules, you can enhance your security posture, proactively monitor your containerized environment, and respond swiftly to any potential security incidents. Additionally, you have the flexibility to customize and fine-tune the rules according to your specific requirements and environment. 96 | 97 | ## Testing the Rules 98 | To ensure that the extended rules are functioning correctly, you can perform some test scenarios in your runtime environment. These can include simulating potential security events or actions that the rules are designed to detect. Monitor the Falco output, logs, or any configured alerting mechanism to observe the detection and response to these test scenarios. 99 | ## Contributing 100 | If you want to help and wish to contribute, please review our contribution guidelines. Code contributions are always encouraged and welcome! 101 | ## Join the community 102 | Join us on discord here, [#general](https://discord.gg/MyEJFm2hK7) 103 | ## License 104 | This extended rule set for Falco runtime security is released under the [Apache-2.0 License](url). 105 | ## Disclaimer: 106 | 107 | The content and code available in this GitHub repository are currently a work in progress. Please note that the rules, guidelines, or any other materials provided here are subject to change without prior notice. 108 | While we aim to ensure the accuracy and completeness of the information presented, there may be errors or omissions. We kindly request users to exercise caution and critical judgment when utilizing or relying on any content found in this repository. 109 | We appreciate your understanding and patience as we continue to develop and refine the content within this repository. Contributions, feedback, and suggestions are welcome and greatly valued, as they contribute to the ongoing improvement of this project. 110 | 111 | ## Who Uses Extended rules? 112 | If your organization uses these rules, please file a PR and update this list. Say hi on Discord too! 113 | 114 | 115 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /rules/custom_rules.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - list: system_executables_files 3 | items: [/proc/filesystems, /proc/self/stat, /usr/lib/locale/locale-archive, / 4 | usr/bin/systemctl] 5 | - list: system_executables_directories 6 | items: [/run/systemd/system, /etc/systemd/system-preset, /usr/lib/systemd/sys 7 | tem-preset, /run/systemd/system-preset, /usr/local/lib/systemd/system-preset] 8 | 9 | 10 | #The given Falco rule is designed to detect any attempt to discover all services running on a system. 11 | #The rule is triggered by a newly spawned process or by an attempt to read files from system executable directories or files. 12 | #https://attack.mitre.org/techniques/T1007/ 13 | #Mitre Discovery: system service discovery subscenario 14 | 15 | - rule: System Service Discovery 16 | desc: an attempt to discover all services that are running in system 17 | condition: > 18 | spawned_process 19 | or (open_read and (fd.directory in (system_executables_directories)) or 20 | (fd.filename in (system_executables_files))) 21 | enabled: false 22 | output: > 23 | A process with process id=%proc.pid is spawned to discover all the system 24 | system services present in the system. 25 | priority: ERROR 26 | tags: [host, container, process, mitre_discovery, system_service_discovery, T1007] 27 | 28 | - list: ssh_files 29 | items: [/etc/ssh/sshd_config, /.ssh/authorized_keys] 30 | 31 | #The given Falco rule is designed to detect any attempt to perform account manipulation using SSH. 32 | #The rule is triggered when a process attempts to read or write files that are related to SSH. 33 | #The "condition" parameter of the rule uses the "open_read" and "open_write" system calls to monitor attempts to read from or write to files respectively. 34 | #The "fd.name" parameter specifies the name of the files that should be monitored, which are related to SSH in this case. 35 | #https://attack.mitre.org/techniques/T1098/ 36 | #Mitre Discovery: Account Manipulation subscenario 37 | 38 | - rule: Account Manipulation in SSH 39 | desc: an attempt to do account manipulation using ssh 40 | 41 | condition: > 42 | ((open_read and (fd.name in (ssh_files))) 43 | or (open_write and (fd.name in (ssh_files)))) 44 | enabled: true 45 | output: > 46 | A process with process id=%proc.pid is spawned to do account manipulation 47 | at ssh_files 48 | priority: ERROR 49 | tags: [host, container, account, mitre_discovery, account_manipulation, T1098] 50 | 51 | #This is a Falco rule that is designed to detect when an attempt is made to read the maps file of a process. 52 | #The maps file is a file that provides information about the memory mappings of a process. 53 | #The open_read system call is used to read a file. 54 | #The name of the file being read matches the glob pattern /proc/*/maps, which means that the file is located in, 55 | #the /proc directory and has a name that consists of a numerical process ID followed by the string "maps". 56 | #https://attack.mitre.org/techniques/T1003/ 57 | #Mitre Credential Access: os credential dumping subscenario 58 | 59 | - rule: Read Maps File of Process 60 | desc: An attempt to read the maps file of a process was detected 61 | condition: open_read and (fd.name glob /proc/*/maps) 62 | enabled: true 63 | output: Reading maps file of process 64 | priority: ERROR 65 | tags: [host, container, process, mitre_creential_access, os_credential_dumping, T1003] 66 | 67 | - list: network_tools 68 | items: ["nmap", "ping", "dig", "nslookup", "arp"] 69 | 70 | #This is a Falco rule that is designed to detect suspicious network scanning commands. 71 | #The rule looks for commands that are commonly used for network scanning activities 72 | #and have certain flags or arguments that suggest that the command is being used for malicious purposes. 73 | #The name of the process matches one of several common network scanning tools, including nmap, ping, dig, nslookup, and arp. 74 | #The command line arguments passed to the process contain one or more of the following flags or arguments: 75 | #-sP: sends a Ping Scan to determine which hosts are online. 76 | #-c: specifies the number of packets to send in a Ping or TCP SYN scan. 77 | #+short: returns only the IP address for a DNS query instead of the full output. 78 | #-a: performs a reverse DNS lookup to determine the hostname associated with an IP address. 79 | #https://attack.mitre.org/techniques/T1018/ 80 | #Mitre Discovery: remote system discovery subscenario 81 | 82 | - rule: Suspicious Network Scanning Command 83 | desc: Detects suspicious network scanning commands 84 | condition: 85 | (proc.name=nmap or proc.name=ping or proc.name=dig or 86 | proc.name=nslookup or proc.name=arp) and 87 | ( 88 | proc.args contains "-sP" or 89 | proc.args contains "-c" or 90 | proc.args contains "+short" or 91 | proc.args contains "-a" 92 | ) 93 | enabled: true 94 | output: Suspicious network scanning command executed 95 | (user=%user.name command=%proc.cmdline) 96 | priority: WARNING 97 | tags: [host, container, network, mitre_discovery, remote_system_discovery, T1018] 98 | 99 | #This is a Falco rule that is designed to detect chown or chmod operations on a system. 100 | #The rule looks for instances where the chown or chmod command is executed using the execve system call. 101 | #The evt.type is set to execve, indicating that a process is being executed. 102 | #The name of the process being executed matches either chown or chmod. 103 | #https://attack.mitre.org/techniques/T1222/ 104 | #Mitre Defense Evasion: file and directory permission modification 105 | 106 | - rule: Chown or Chmod Operation 107 | desc: Detects chown or chmod operations 108 | condition: (evt.type = execve and 109 | (proc.name = chown or proc.name = chmod)) 110 | enabled: true 111 | output: "Chown or chmod operation detected 112 | (user=%user.name command=%proc.cmdline)" 113 | priority: WARNING 114 | tags: [host, container, permission, file, directory, mitre_defense_evasion, file_and_directory_permission_modification, T1222] 115 | 116 | - list: groups 117 | items: [/etc/group] 118 | - list: critical_files 119 | items: [/etc/group, /etc/passwd, /etc/shadow, /etc/sudoers] 120 | 121 | #This is a Falco rule that is designed to detect processes that attempt to discover the permissions of files and groups, 122 | # including the group members. The rule looks for processes that read group files or attempt to get information about critical files. 123 | #The open_read system call is used to read a file, and the name of the file matches one of the group files specified in the groups list. 124 | #The evt.type is set to stat, indicating that a process is querying file metadata, 125 | #and the name of the file being queried matches one of the critical files specified in the critical_files list. 126 | #https://attack.mitre.org/techniques/T1069/ 127 | #Mitre Discovery: permission groups discovery 128 | 129 | - rule: Permission and Group Members Discovery 130 | desc: rule to detect permission of files and group and its group members 131 | condition: > 132 | (open_read and (fd.name in (groups))) or 133 | (evt.type = stat and (fd.filename in (critical_files))) 134 | enabled: true 135 | output: suspicious process is spawwned to check file permissions 136 | and group members. 137 | priority: ERROR 138 | tags: [host, container, permission, group, mitre_discovery, permission_groups_discovery, T1069] 139 | 140 | - list: data_destruction_cmd 141 | items: ["shred", "dd", "wipe"] 142 | 143 | #This is a Falco rule that is designed to detect activity related to data destruction, such as file shredding or disk wiping. 144 | #The rule looks for instances where a specific command is executed or files with certain names are accessed. 145 | #The evt.type is set to execve, indicating that a process is being executed, and the name of the process matches one of the commands specified in the data_destruction_cmd list. 146 | #The evt.type is set to openat, indicating that a file is being accessed, and the name of the file being accessed ends with either .shred or .wipe. 147 | #https://attack.mitre.org/techniques/T1485/ 148 | #Mitre Impact: data destruction for impact subscenario 149 | 150 | - rule: Detect Data Destruction Activity 151 | desc: Detects activity related to data destruction, 152 | such as file shredding or disk wiping. 153 | condition: > 154 | (evt.type = execve and proc.name in (data_destruction_cmd)) or 155 | (evt.type = openat and fd.name endswith ".shred" or 156 | fd.name endswith ".wipe") 157 | enabled: true 158 | output: > 159 | Data destruction activity detected. 160 | priority: WARNING 161 | tags: [host, container, filesystem, process, mitre_impact, data_destruction_for_impact, T1485] 162 | 163 | #This is a Falco rule that is designed to detect archive and compression activity using popular tools like tar, zip, gzip, and bzip2. 164 | #The rule looks for instances where these commands are being used to create or extract compressed archives. 165 | #If the process name is "zip" and the event direction is "<", indicating that files are being added to a zip archive. 166 | #If the process name is "tar" and the second argument is set to either "-czf" or "-cpf", indicating that files are being compressed and added to a tar archive. 167 | #If the process name is "gzip" and the event direction is "<", indicating that files are being compressed with gzip. 168 | #If the process name is "bzip2" and the event direction is "<", indicating that files are being compressed with bzip2. 169 | #https://attack.mitre.org/techniques/T1560/ 170 | #Mitre collection: Archive collected data subscenario 171 | - list: encryption_proc 172 | items: ["zip", "tar", "gzip", "bzip2"] 173 | 174 | - rule: Archive and Compression Activity 175 | desc: Detects archive and compression activity using tar, zip, gzip, and bzip2. 176 | condition: > 177 | spawned_process and 178 | ((proc.name in (encryption_proc)) and 179 | (evt.dir = "<" or evt.arg[1] = "-czf" or evt.arg[1] = "-cpf")) 180 | enabled: true 181 | output: > 182 | "Archive and compression activity detected (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)" 183 | priority: WARNING 184 | tags: [host, container, data, mitre_collection, archive_collected_data, T1560] 185 | 186 | - list: device_enumeration 187 | items: ["lsusb", "lspci", "dmesg", "lsblk", "lshw", "hwinfo"] 188 | 189 | #This Falco rule detects if someone runs commands that enumerate peripheral devices. 190 | # It does this by checking if a process is spawned and its name is in a predefined list of commands that enumerate peripheral devices, 191 | #or if its command line contains specific keywords such as "lsusb", "lspci", "dmesg", "lsblk", "lshw", or "hwinfo". If the condition is met, 192 | #the rule generates an alert with a warning priority indicating that a peripheral device enumeration command has been detected. 193 | #https://attack.mitre.org/techniques/T1120/ 194 | #Mitre Discovery: Peripheral Device Discovery subscenario 195 | 196 | - rule: Detect Peripheral Device Enumeration Commands 197 | desc: Detects if someone runs commands that enumerate peripheral devices. 198 | condition: > 199 | spawned_process and 200 | ( 201 | proc.name in (device_enumeration) or 202 | proc.cmdline contains "lsusb" or 203 | proc.cmdline contains "lspci" or 204 | proc.cmdline contains "dmesg" or 205 | proc.cmdline contains "lsblk" or 206 | proc.cmdline contains "lshw" or 207 | proc.cmdline contains "hwinfo" 208 | ) 209 | enabled: true 210 | output: > 211 | Peripheral device enumeration command detected. 212 | priority: WARNING 213 | tags: [host, container, device, hardware, mitre_discovery, peripheral_device_discovery, T1120] 214 | 215 | #This Falco rule is designed to detect when a non-root user disables a service using the systemctl command. 216 | #The rule checks if the process name is systemctl, the arguments contain the string disable, and if the arguments also contain the .service string. 217 | #If all conditions are met, the rule triggers and generates an alert with a warning priority, 218 | #indicating that a service disable operation using systemctl has been detected. 219 | #https://attack.mitre.org/techniques/T1489/ 220 | #Mitre Impact: service stop subscenario 221 | 222 | - rule: Detect Service Disable Using Systemctl 223 | desc: Detects when a user disables a service using the systemctl command. 224 | condition: > 225 | proc.name = "systemctl" and 226 | proc.args contains "disable" and 227 | proc.args contains ".service" and 228 | user.name != "root" 229 | enabled: true 230 | output: > 231 | Service disable using systemctl detected. 232 | priority: WARNING 233 | tags: [host, container, service, process, mitre_impact, service_stop, T1489] 234 | 235 | 236 | #This is a Falco rule designed to detect an attempt to create a NodePort service in a Kubernetes cluster. 237 | #The rule will trigger an alert if it detects a Kubernetes API server event related to creating a NodePort service. 238 | #A Kubernetes event (kevt) must occur 239 | #The event must be related to creating a service (service) 240 | #The creation must be performed using the "kubectl create" command (kcreate) 241 | #The service type must be NodePort (ka.req.service.type=NodePort) 242 | 243 | - rule: Create NodePort Service 244 | desc: > 245 | Detect an attempt to start a service with a NodePort service type 246 | condition: kevt and service and kcreate and ka.req.service.type=NodePort 247 | enabled: true 248 | output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports) 249 | priority: WARNING 250 | source: k8s_audit 251 | tags: [k8s, nodeport] 252 | 253 | #This is a Falco rule designed to detect suspicious command execution related to time, date, and region information. 254 | #The rule will trigger an alert if it detects the execution of certain commands that may be used to gather such information. 255 | #The type of event must be an "execve" event, which means a process was executed 256 | #The direction of the event must be "<", which means the process was executed by the shell (as opposed to being spawned by another process) 257 | #The name of the process must match one of the following: "date", "timedatectl", "locale", or "hostnamectl" 258 | #https://attack.mitre.org/techniques/T1124/ 259 | #Mitre Discovery: System time discovery subscenario 260 | 261 | - rule: Suspicious Time and Date Command Execution 262 | desc: Detects the execution of commands that may be used to gather time, date, and region information 263 | condition: evt.type = execve and evt.dir = < and (proc.name = "date" or proc.name = "timedatectl" or proc.name = "locale" or proc.name = "hostnamectl") 264 | enabled: true 265 | output: "Suspicious time and date command executed: user=%user.name pid=%proc.pid ppid=%proc.ppid exe=%proc.exepath cmdline=%proc.cmdline" 266 | priority: WARNING 267 | tags: [host, container, time, date, mitre_discovery, system_time_discovery, T1124] 268 | 269 | #This Falco rule is designed to detect the execution of commands that read disk blocks. 270 | #The rule starts by creating a list of commands that are known to read disk blocks, which includes dd, hdparm, readsector, and ddrescue 271 | #https://attack.mitre.org/techniques/T1006/ 272 | #Mitre Defense evasion: direct volume acccess subscenarrio 273 | 274 | - list: disk_read 275 | items: ['dd', 'hdparm', 'readsector', 'ddrescue'] 276 | 277 | - rule: Read Disk Block Command 278 | desc: Detects execution of commands that read disk blocks 279 | condition: > 280 | proc.name in (disk_read) 281 | enabled: true 282 | output: > 283 | Read disk block command detected (user=%user.name command=%proc.cmdline) 284 | priority: ERROR 285 | tags: [host, container, disk, mitre_defense_evasion, direct_volume_access, T1006] 286 | 287 | #This Falco rule is designed to detect the execution of commands via commonly used utilities such as awk, sed, grep, Python, 288 | #Perl, Bash, cron, systemd-timer, and atd on a Linux system. 289 | #The rule checks for the execve event type and then looks for the presence of these utilities either in the proc.name field or in the proc.cmdline field. 290 | #https://attack.mitre.org/techniques/T1202/ 291 | #Mitre Defense Evasion: indirect command execution subscenario 292 | 293 | - list: other_utilities 294 | items: [awk, sed, grep, python, perl, bash, cron, systemd-timer, atd] 295 | 296 | - rule: Execute Command Via Utility 297 | desc: Detects execution of commands via utilities commonly used to parse text, scripting languages, and system utilities 298 | condition: > 299 | (evt.type = execve and 300 | (proc.name in (other_utilities) or 301 | proc.cmdline contains awk or 302 | proc.cmdline contains sed or 303 | proc.cmdline contains grep or 304 | proc.cmdline contains python or 305 | proc.cmdline contains perl or 306 | proc.cmdline contains bash or 307 | proc.cmdline contains cron or 308 | proc.cmdline contains systemd-timer or 309 | proc.cmdline contains atd)) 310 | enabled: true 311 | output: > 312 | Command executed via utility detected (user=%user.name command=%proc.cmdline) 313 | priority: WARNING 314 | tags: [host, container, command, mitre_defense_evasion, indirect_command_execution, T1202] 315 | 316 | #The above Falco rule set detects attempts to enumerate domain trusts in Linux systems using specific commands, such as ldapsearch, net, and rpcclient. 317 | #The process name is one of the commands listed in the domain_trust_commands list OR 318 | #The process command-line contains the string ldapsearch OR 319 | #The process command-line contains the string net OR 320 | #The process command-line contains the string rpcclient 321 | #https://attack.mitre.org/techniques/T1482/ 322 | #Mitre Discovery: domain trust discovery subscenario 323 | 324 | - list: domain_trust_commands 325 | items: [ldapsearch, net, rpcclient] 326 | 327 | - rule: Enumerate Domain Trusts 328 | desc: Detects attempts to enumerate domain trusts in Linux systems 329 | condition: > 330 | (proc.name in (domain_trust_commands) or 331 | proc.cmdline contains "ldapsearch" or 332 | proc.cmdline contains "net" or 333 | proc.cmdline contains "rpcclient") 334 | enabled: true 335 | output: > 336 | Domain trust enumeration attempt detected (user=%user.name command=%proc.cmdline) 337 | priority: WARNING 338 | tags: [host, container, mitre_discovery, domain_trust_discovery, T1482] 339 | 340 | #The given falco rule detects attempts to retrieve system information by monitoring the execution of certain commands. 341 | #The rule checks if the event type is 'execve' and if the process name is one of the following: 'ip', 'cat', 'nmcli', 'iw', 'wpa_cli', 'geoiplookup', 'ifconfig', or 'hostname' 342 | #https://attack.mitre.org/techniques/T1614/ 343 | #Mitre Discovery: system location discovery subscenario 344 | 345 | - rule: Detect System Location Information Retrieval 346 | desc: Detects attempts to retrieve system information 347 | condition: > 348 | ( (evt.type=execve) and 349 | ( 350 | proc.name in (ip, cat, nmcli, iw, wpa_cli, geoiplookup, ifconfig, hostname) 351 | ) 352 | ) 353 | enabled: true 354 | output: > 355 | System information may be retrieved (user=%user.name command=%proc.cmdline) 356 | priority: WARNING 357 | tags: [host, container, location, mitre_discovery, system_location_discovery, T1614] 358 | 359 | 360 | - list: unsec_file 361 | items: [.bash_history] 362 | 363 | #This is a Falco rule designed to detect attempts to access the bash history file on a Linux system. 364 | #The rule will trigger an alert if it detects an "openat" system call with a file descriptor (fd) that matches the path of the bash history file. 365 | #The type of event must be an "openat" event, which means a file was opened using an absolute or relative path 366 | #The path of the file being opened must match the path of the bash history file, which is typically located at "~/.bash_history" 367 | #The file being opened must be in the list of unsecured files (unsec_file) 368 | #https://attack.mitre.org/techniques/T1552/ 369 | #Mitre Credential Access : Unsecured credential access subscenario 370 | 371 | - rule: Attempt to Access Bash History File 372 | desc: Someone is attempting to access the bash history file 373 | condition: evt.type = openat and fd.filename in (unsec_file) 374 | enabled: true 375 | output: "Access to bash history file (user=%user.name, command=%evt.arg.cmdline)" 376 | priority: CRITICAL 377 | tags: [host, container, bash, mitre_credential_accesss, unsecured_credential_access, T1552] 378 | 379 | #The falco rule "Get info about open windows" is designed to detect attempts to get information 380 | #about open application windows by monitoring specific commands such as "xwininfo", "wmctrl", "xprop", 381 | #"xlsclients", "xdotool", "xrestop", "xwininfo", "xdpyinfo", "glxinfo", "xrandr", "xset", "xdriinfo", "xhost", "xev", "xdotool", and "xsetroot". 382 | #https://attack.mitre.org/techniques/T1010/ 383 | #Mitre Discovery: application window discovery subscenario 384 | 385 | - rule: Get Information About Open Application Windows 386 | desc: Detects attempts to get information about open application windows 387 | condition: > 388 | proc.name in ("xwininfo", "wmctrl", "xprop", "xlsclients", "xdotool", "xrestop", "xwininfo", "xdpyinfo", "glxinfo", "xrandr", "xset", "xdriinfo", "xhost", "xev", "xdotool", "xsetroot") 389 | enabled: true 390 | output: "Get info about open windows in system detected (proc.cmdline=%proc.cmdline connection=%fd.name user.name=%user.name user.loginuid=%user.loginuid container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)" 391 | priority: WARNING 392 | tags: [host, container, process, mitre_discovery, application_window_discovery, T1010] 393 | 394 | #The following rule is designed to detect suspicious commands related to gathering system information. 395 | #It uses the condition field to check if the command executed matches any of the suspicious commands such as dpkg -l, lsb_release -a, uname -r, or ls -l /usr/bin. 396 | #https://attack.mitre.org/techniques/T1518/ 397 | #Mitre Discovery: Software dicovery subsceanrio 398 | 399 | - rule: Suspicious System Information Gathering 400 | desc: Detects suspicious commands related to gathering system information 401 | condition: > 402 | (proc.args contains "dpkg -l" or 403 | proc.args contains "lsb_release -a" or 404 | proc.args contains "uname -r" or 405 | proc.args contains "ls -l /usr/bin") 406 | enabled: true 407 | output: > 408 | Suspicious system information gathering detected (user=%user.name command=%proc.cmdline) 409 | priority: WARNING 410 | tags: [host, container, data, mitre_discovery, software_discovery, T1518] 411 | 412 | #The given rule is designed to detect suspicious activities related to disabling system recovery features. 413 | #The rule looks for specific commands being executed such as rm -rf, chattr +i, mkfs.ext4 -E nodiscard, mount remount,ro, 414 | #and disabling certain services such as systemd-backlight@.service, apport.service, rescue.service, emergency.service, and recovery-mode.service. 415 | #https://attack.mitre.org/techniques/T1490/ 416 | #Mitre Impact: Inhibit system recovery 417 | - list: recovery_files 418 | items: [/etc/default/grub, /etc/inittab, /usr/lib/systemd/system/rescue.service] 419 | 420 | - list: critical_dir 421 | items: [/boot, /bin, /etc, /lib, /sbin, /usr, ~/.local/share/Trash, ~/.local/share/Trash/files] 422 | 423 | - list: recovery_proc_args 424 | items: ["disable systemd-backlight@.service", "disable apport.service", "disable rescue.service", "disable emergency.service", "disable recovery-mode.service"] 425 | 426 | - rule: Disable Recovery Features 427 | desc: Detects disabling system recovery features by deleting or disabling services and commands. 428 | condition: > 429 | (spawned_process) and 430 | ((proc.name = "chattr" and proc.args contains "+i") or 431 | (proc.name = "mkfs.ext4" and proc.args contains "-E nodiscard") or 432 | (proc.name = "mount" and proc.args contains "remount,ro") or 433 | (proc.name = "systemctl" and proc.args in (recovery_proc_args)) or 434 | (open_write and fd.name in (recovery_files)) or 435 | (remove and (fd.name pmatch (critical_dir)))) 436 | enabled: true 437 | output: command related to Disabling recovery features so that system becomes non recoverable in case of failure is executed .(user=%user.name user_loginuid=%user.loginuid 438 | command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)" 439 | priority: CRITICAL 440 | tags: [host, container, recovery, mitre_impact, inhibit_system_recovery, T1490] 441 | 442 | #The SuspiciousDiskActivity rule in Falco is designed to detect suspicious disk activity on a system. 443 | #The rule matches against processes that are known to be involved in activities such as wiping, overwriting or corrupting raw disk data, 444 | #such as dd, shred, hdparm, fdisk, blkdiscard, wipe, badblocks, fsck, parted, and mkfs.ext4. 445 | #https://attack.mitre.org/techniques/T1561/ 446 | #Mitre Impact: disk wipe subscenario 447 | 448 | - rule: Suspicious Disk Activity 449 | desc: Detects suspicious disk activity such as wiping, overwriting or corrupting raw disk data. 450 | condition: (proc.name in ("dd", "shred", "hdparm", "fdisk", "blkdiscard", "wipe", "badblocks", "fsck", "parted", "mkfs.ext4")) 451 | enabled: true 452 | output: "Suspicious disk activity (command=%proc.cmdline) detected" 453 | priority: WARNING 454 | tags: [host, container, disk, mitre_impact, disk_wipe, T1561] 455 | 456 | #This Falco rule is designed to detect attempts to embed a script to execute at the time of boot or logon on a Linux system. 457 | #The rule will trigger an error priority alert if it detects any write access to the commonly used /etc directory, 458 | #which is often used for system configuration files and startup scripts. 459 | #https://attack.mitre.org/techniques/T1547/ 460 | #Mitre Persistance: boot or logon autostart execution subscenario 461 | 462 | - rule: Boot or Logon Autostart Execution 463 | desc: an attempt to embedd a script to execute at the time of boot or logon 464 | condition: write_etc_common 465 | enabled: true 466 | output: A script is embedded below /etc to start its execution on boot or logon in to the system 467 | priority: ERROR 468 | tags: [host, container, process, mitre_persistance, boot_or_logon_autostart_execution, T1547] 469 | 470 | #This Falco rule is designed to detect attempts to create user accounts or add users to a system. 471 | #A process has been spawned 472 | #The name of the process matches one of the user management binaries listed in the configuration (user_mgmt_binaries) 473 | #The process is not being executed within a container 474 | #The command line used to execute the process is not excluded by the configuration 475 | #https://attack.mitre.org/techniques/T1136/ 476 | #Mitre Persistance: Create account subscenario 477 | 478 | - rule: Create Account or Add User 479 | desc: > 480 | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. 481 | Activity in containers is also excluded--some containers create custom users on top 482 | of a base linux distribution at startup. 483 | Some innocuous command lines that don't actually change anything are excluded. 484 | condition: > 485 | spawned_process and proc.name in (user_mgmt_binaries) 486 | enabled: true 487 | output: > 488 | an user is added or a account is created to get persistance access of system 489 | priority: NOTICE 490 | tags: [host, container, user, account, mitre_persistance, create_account, T1136] 491 | 492 | #this Falco rule is designed to detect attempts to create or modify system processes on a Linux system, 493 | #which can be a sign of a malicious actor attempting to maintain persistence on the system. 494 | #https://attack.mitre.org/techniques/T1543/ 495 | #Mitre Persistance: Create or Modify system process 496 | #Mitre Priviledge Escalarion: Create or modify system process 497 | 498 | - rule: Create or Modify System Process 499 | desc: a system process may be created or a existing process may be modified to keep malicious process running continuously 500 | condition: write_etc_common 501 | enabled: true 502 | output: A malicious system process is created or a existing process is modified to act like a malicious one 503 | priority: ERROR 504 | tags: [host, container, process, mitre_priviledge_escalation, create_or_modify_system_service, T1543] 505 | 506 | #system, which can be a sign of an attacker attempting to steal credentials. 507 | #The conditions for the rule to trigger are specified in the condition field, 508 | #which checks for any activity by programs that can manage users, passwords, or permissions. However, 509 | #the sudo and su programs are excluded from the rule, as they are legitimate tools that can be used for managing users and permissions. 510 | #https://attack.mitre.org/techniques/T1555/ 511 | #Mitre Credential Access: Credential from password stores 512 | 513 | - rule: Credentials From Password File 514 | desc: > 515 | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. 516 | Activity in containers is also excluded--some containers create custom users on top 517 | of a base linux distribution at startup. 518 | Some innocuous command lines that don't actually change anything are excluded. 519 | condition: > 520 | spawned_process and proc.name in (user_mgmt_binaries) 521 | enabled: true 522 | output: > 523 | An attempt is made to access password file present on system to get credential access 524 | priority: NOTICE 525 | tags: [host, container, credentials, mitre_credential_access, credentials_from_password_stores, T1555] 526 | 527 | #This Falco rule detects attempts to modify the authentication process by reading sensitive files that 528 | #contain user/password/authentication information by non-trusted programs. The condition checks for any read 529 | #operation on sensitive files by a process that is not a known trusted program. 530 | #https://attack.mitre.org/techniques/T1556/ 531 | #Mitre Credential Access: Modify Authentication Process subscenario 532 | 533 | - rule: Modify authentication process 534 | desc: > 535 | an attempt to read any sensitive file (e.g. files containing user/password/authentication 536 | information). Exceptions are made for known trusted programs. 537 | condition: > 538 | sensitive_files and open_read 539 | and proc_name_exists 540 | enabled: true 541 | output: > 542 | Sensitive file opened for reading by non-trusted program to modify the authentication process 543 | priority: WARNING 544 | tags: [host, container] 545 | 546 | #This Falco rule detects an attempt to inject code into a process using PTRACE. 547 | #The condition checks for a PTRACE event of type ptrace, with direction greater than, 548 | #and with the request argument set to one of the specified values (5, 6, 11, 20, 27). 549 | #Additionally, the condition checks if the process name exists and is not in the list of known ptrace processes. 550 | #https://attack.mitre.org/techniques/T1055/ 551 | #Mitre Priviledge Escalation: Process Injection 552 | 553 | - rule: Process Injection 554 | desc: "This rule detects an attempt to inject code into a process using PTRACE." 555 | condition: evt.type=ptrace and evt.dir=> and evt.arg.request in (5, 6, 11, 20, 27) and proc_name_exists and not known_ptrace_procs 556 | enabled: true 557 | output: A process is injected in to a known process binary to execute 558 | priority: WARNING 559 | tags: [host, container, process, mitre_priviledge_escalation, process_injection, T1055] 560 | 561 | #This falco rule detects an attempt to read sensitive files, 562 | #such as files containing user/password/authentication information, by a non-trusted program to discover information about the password policy of a system. 563 | #The condition for triggering the rule is that a sensitive file is being read in an open state by a process that is not a known trusted program. 564 | #https://attack.mitre.org/techniques/T1201/ 565 | #Mitre Discovery: password policy discovery subscenario 566 | 567 | - rule: Password Policy Discovery 568 | desc: > 569 | an attempt to read any sensitive file (e.g. files containing user/password/authentication 570 | information). Exceptions are made for known trusted programs. 571 | condition: > 572 | sensitive_files and open_read 573 | and proc_name_exists 574 | enabled: true 575 | output: > 576 | Sensitive file opened for reading by non-trusted program to get information about set password policy of a system 577 | priority: WARNING 578 | tags: [host, container, authentication, mitre_discovery, password_policy_discovery, T1201] 579 | --------------------------------------------------------------------------------