From a06393655b478f9e93f201e9dba5a903ba501f86 Mon Sep 17 00:00:00 2001
From: javery-sysdig
Date: Wed, 26 Feb 2025 11:21:23 -0500
Subject: [PATCH] Update

---
 metadata/rules_metadata.json | 103 ++++++++++++++++++++++++++++++-----
 1 file changed, 88 insertions(+), 15 deletions(-)

diff --git a/metadata/rules_metadata.json b/metadata/rules_metadata.json
index 90a7fdb..5bb2a44 100644
--- a/metadata/rules_metadata.json
+++ b/metadata/rules_metadata.json
@@ -13410,6 +13410,7 @@
 "severity": 3,
 "source": "observation",
 "tags": [
+ "MITRE",
 "MITRE T1033 system owner user discovery",
 "MITRE T1119 automated collection",
 "MITRE T1528 steal application access token",
@@ -13420,12 +13421,42 @@
 "MITRE TA0006 credential access",
 "MITRE TA0007 discovery",
 "MITRE TA0009 collection",
+ "MITRE TA0010 exfiltration",
 "Aws",
 "Container",
 "Host",
 "Network"
 ]
 },
+ {
+ "desc": "This rule detects the retrieval of Azure credentials from the IMDS server and the subsequent exfiltration of these credentials to a remote destination through a command line capable of uploading data. This activity could suggest unauthorized access to Azure resources and the exfiltration of sensitive data, potentially enabling attackers to move laterally within the cloud.",
+ "disabled": false,
+ "has_exceptions": false,
+ "oss_rule": false,
+ "policy": "Sysdig Runtime Behavioral Analytics",
+ "priority": "CRITICAL",
+ "rule": "Exfiltration of Azure IMDS Credentials Using LOTL Binary",
+ "severity": 3,
+ "source": "observation",
+ "tags": [
+ "MITRE",
+ "MITRE T1033 system owner user discovery",
+ "MITRE T1119 automated collection",
+ "MITRE T1528 steal application access token",
+ "MITRE T1550.001 application access token",
+ "MITRE T1550 use alternate authentication material",
+ "MITRE T1552.005 unsecured credentials cloud instance metadata api",
+ "MITRE T1552.007 unsecured credentials container api",
+ "MITRE TA0006 credential access",
+ "MITRE TA0007 discovery",
+ "MITRE TA0009 collection",
+ "MITRE TA0010 exfiltration",
+ "Azure",
+ "Container",
+ "Host",
+ "Network"
+ ]
+ },
 {
 "desc": "Detects an attempt of the command shell process to create a file in the system directory",
 "disabled": true,
@@ -13501,7 +13532,7 @@
 "updated_oss_condition": true
 },
 {
- "desc": "This rule detects authentication certificate theft on Linux systems by monitoring for suspicious activities in directories related to certificate storage. An attacker could steal the authentication certificates and misuse them to gain unauthorized access or impersonate legitimate users.",
+ "desc": "This rule detects authentication certificate theft on Linux systems by monitoring for suspicious activities in directories related to certificate storage and certificate private keys. An attacker could steal the authentication certificates with its keys and misuse them to gain unauthorized access or impersonate legitimate users.",
 "disabled": true,
 "has_exceptions": true,
 "oss_rule": false,
@@ -13568,6 +13599,46 @@
 "Process"
 ]
 },
+ {
+ "desc": "This rule detects activities searching for private keys or passwords through the process 'find', alerting on potential credential exposure. An attacker could gain unauthorized access to sensitive information such as credentials in plain text, compromising system security.",
+ "disabled": true,
+ "has_exceptions": true,
+ "oss_rule": false,
+ "priority": "WARNING",
+ "rule": "Find Private Keys or Passwords",
+ "source": "falco",
+ "tags": [
+ "HIPAA",
+ "HIPAA 164.308(a)",
+ "HITRUST",
+ "HITRUST CSF",
+ "HITRUST CSF 01.w",
+ "ISO",
+ "ISO 27001",
+ "ISO 27001 A.9.4.1",
+ "MITRE",
+ "MITRE T119 automated-collection",
+ "MITRE T1552.004 unsecured credentials private keys",
+ "MITRE T1552 unsecured credentials",
+ "MITRE TA0006 credential access",
+ "MITRE TA0007 discovery",
+ "MITRE TA0009 collection",
+ "NIST",
+ "NIST 800-171",
+ "NIST 800-171 3.13.4",
+ "NIST 800-190",
+ "NIST 800-190 3.1.4",
+ "NIST 800-53",
+ "NIST 800-53 SC-4",
+ "NIST 800-53 SI-4(18)",
+ "SOC2",
+ "SOC2 CC6.3",
+ "SOC2 CC6.7",
+ "Container",
+ "Host",
+ "Process"
+ ]
+ },
 {
 "desc": "Detect any k8s operation by a user name that may be an administrator with full access.",
 "disabled": true,
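Review bot: The new "Find Private Keys or Passwords" entry in the second hunk carries the tag `"MITRE T119 automated-collection"`, which has a malformed technique ID (T119 is not an ATT&CK technique) and a hyphenated name, while every other entry in this patch spells it `"MITRE T1119 automated collection"`; tag-based policy filters and ATT&CK coverage reports keyed on that string will silently miss this rule. Change the line to `"MITRE T1119 automated collection",`. Note also that the entry is added with `"disabled": true` and no `"policy"`, so it contributes no detection until someone enables it; if that is the intent, the commit message should say so rather than the bare "Update".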
@@ -18890,11 +18961,13 @@
 },
 {
 "desc": "Detects the allocation of large, anonymous memory regions (64 MB or more) by a process, where the memory is initially unused (PROT_NONE) and not linked to any file descriptor. The process utilizes this memory space for execution entirely within memory, without writing to disk, which is a common characteristic of fileless malware. This behavior indicates that the allocated memory is reserved for later use, often involving fileless payloads or malicious code that resides and executes solely in memory, thus evading traditional file-based detection methods.",
- "disabled": true,
+ "disabled": false,
 "has_exceptions": true,
 "oss_rule": false,
- "priority": "WARNING",
+ "policy": "Sysdig Runtime Threat Detection",
+ "priority": "CRITICAL",
 "rule": "Memory Manipulation by Fileless Program",
+ "severity": 3,
 "source": "falco",
 "tags": [
 "MITRE",
@@ -19703,11 +19776,13 @@
 },
 {
 "desc": "Detects spawning of security tools and suspicious tools often used during penetration testing activities. Attackers commonly employ these tools as well to search for vulnerabilities, exploits and execute malicious payloads on a targeted system.",
- "disabled": true,
+ "disabled": false,
 "has_exceptions": true,
 "oss_rule": false,
- "priority": "WARNING",
+ "policy": "Sysdig Runtime Threat Detection",
+ "priority": "CRITICAL",
 "rule": "Offensive Security Tool Detected",
+ "severity": 3,
 "source": "falco",
 "tags": [
 "MITRE",
@@ -21694,13 +21769,11 @@
 },
 {
 "desc": "An attempt was made to enumerate SUID binaries. This typically occurs as part of reconnaissance on a compromised machine, where an attacker is looking to escalate privileges.",
- "disabled": false,
+ "disabled": true,
 "has_exceptions": true,
 "oss_rule": false,
- "policy": "Sysdig Runtime Threat Detection",
- "priority": "CRITICAL",
+ "priority": "WARNING",
 "rule": "Reconnaissance attempt to find SUID binaries",
- "severity": 3,
 "source": "falco",
 "tags": [
 "CIS",
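Review bot: Promoting "Memory Manipulation by Fileless Program" from a disabled WARNING to an enabled CRITICAL in "Sysdig Runtime Threat Detection" puts into the default policy a rule whose own description fires on any 64 MB-or-larger anonymous PROT_NONE mapping; managed runtimes such as Go and the JVM commonly reserve large PROT_NONE address ranges at startup in exactly this way, so this is likely to be noisy on ordinary workloads. Before shipping it enabled, confirm that the exceptions implied by `"has_exceptions": true` actually exclude those runtimes (the rule condition is not in this diff), or stage it at `"priority": "WARNING"` first and raise it once the false-positive rate is known. The rationale for the severity change belongs in the commit message, which currently reads only "Update".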
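Review bot: The third hunk disables "Reconnaissance attempt to find SUID binaries" and drops it from CRITICAL in "Sysdig Runtime Threat Detection" to a disabled WARNING, removing the only privilege-escalation reconnaissance check visible in this diff with no replacement added in this patch. If the motivation is noise from legitimate `find -perm` style scans (presumably, since the entry already has `"has_exceptions": true`), a scoped exception would keep the coverage; if the detection is genuinely being retired, the commit message should say so instead of "Update".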
@@ -22876,11 +22949,13 @@
 },
 {
 "desc": "This rule detects potential data exfiltration activities over SSH, specifically for data transfers through the network from a piped input received by a common compression tools, such as tar. Attackers may first need to perform archival and/or compression activities on the compromised system before transferring any information through the network.",
- "disabled": true,
+ "disabled": false,
 "has_exceptions": true,
 "oss_rule": false,
- "priority": "WARNING",
+ "policy": "Sysdig Runtime Threat Detection",
+ "priority": "CRITICAL",
 "rule": "SSH Exfiltration Activities Detected",
+ "severity": 3,
 "source": "falco",
 "tags": [
 "MITRE",
@@ -23091,13 +23166,11 @@
 },
 {
 "desc": "This rule detects activities searching for private keys or passwords, alerting on potential credential exposure. An attacker could gain unauthorized access to sensitive information such as SSH keys, compromising system security.",
- "disabled": false,
+ "disabled": true,
 "has_exceptions": true,
 "oss_rule": true,
- "policy": "Sysdig Runtime Threat Detection",
- "priority": "CRITICAL",
+ "priority": "WARNING",
 "rule": "Search Private Keys or Passwords",
- "severity": 3,
 "source": "falco",
 "tags": [
 "HIPAA",
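Review bot: The second hunk disables "Search Private Keys or Passwords" and removes it from "Sysdig Runtime Threat Detection", while its apparent successor "Find Private Keys or Passwords", added earlier in this same patch, is also shipped with `"disabled": true` and no `"policy"`; after this commit no rule visible in the diff for T1552.004 private-key discovery is enabled by default. Unless another enabled rule outside this diff covers the technique, that is a detection-coverage regression rather than a swap. Either enable the new "Find" rule in the same policy at the same severity (`"disabled": false,`, `"policy": "Sysdig Runtime Threat Detection",`, `"severity": 3,`) in the same commit, or state the intended gap and its reason in the commit message.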