0.193.0 Update #57

Open · wants to merge 1 commit into base: main
103 changes: 88 additions & 15 deletions metadata/rules_metadata.json
Expand Up @@ -13410,6 +13410,7 @@
"severity": 3,
"source": "observation",
"tags": [
"MITRE",
"MITRE T1033 system owner user discovery",
"MITRE T1119 automated collection",
"MITRE T1528 steal application access token",
Expand All @@ -13420,12 +13421,42 @@
"MITRE TA0006 credential access",
"MITRE TA0007 discovery",
"MITRE TA0009 collection",
"MITRE TA0010 exfiltration",
"Aws",
"Container",
"Host",
"Network"
]
},
{
"desc": "This rule detects the retrieval of Azure credentials from the IMDS server and the subsequent exfiltration of these credentials to a remote destination through a command line capable of uploading data. This activity could suggest unauthorized access to Azure resources and the exfiltration of sensitive data, potentially enabling attackers to move laterally within the cloud.",
"disabled": false,
"has_exceptions": false,
"oss_rule": false,
"policy": "Sysdig Runtime Behavioral Analytics",
"priority": "CRITICAL",
"rule": "Exfiltration of Azure IMDS Credentials Using LOTL Binary",
"severity": 3,
"source": "observation",
"tags": [
"MITRE",
"MITRE T1033 system owner user discovery",
"MITRE T1119 automated collection",
"MITRE T1528 steal application access token",
"MITRE T1550.001 application access token",
"MITRE T1550 use alternate authentication material",
"MITRE T1552.005 unsecured credentials cloud instance metadata api",
"MITRE T1552.007 unsecured credentials container api",
"MITRE TA0006 credential access",
"MITRE TA0007 discovery",
"MITRE TA0009 collection",
"MITRE TA0010 exfiltration",
"Azure",
"Container",
"Host",
"Network"
]
},
{
"desc": "Detects an attempt of the command shell process to create a file in the system directory",
"disabled": true,
Expand Down Expand Up @@ -13501,7 +13532,7 @@
"updated_oss_condition": true
},
{
"desc": "This rule detects authentication certificate theft on Linux systems by monitoring for suspicious activities in directories related to certificate storage. An attacker could steal the authentication certificates and misuse them to gain unauthorized access or impersonate legitimate users.",
"desc": "This rule detects authentication certificate theft on Linux systems by monitoring for suspicious activities in directories related to certificate storage and certificate private keys. An attacker could steal the authentication certificates with its keys and misuse them to gain unauthorized access or impersonate legitimate users.",
"disabled": true,
"has_exceptions": true,
"oss_rule": false,
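Review bot: grammar in the reworded desc: "steal the authentication certificates with its keys" should read "with their keys" (or "along with their private keys"), since "certificates" is plural. The description now also claims coverage of "certificate private keys" directories, but only the desc line changes in this file; a pointer in the PR to the corresponding change in the rule condition would let reviewers check that the text matches the behaviour.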
Expand Down Expand Up @@ -13568,6 +13599,46 @@
"Process"
]
},
{
"desc": "This rule detects activities searching for private keys or passwords through the process 'find', alerting on potential credential exposure. An attacker could gain unauthorized access to sensitive information such as credentials in plain text, compromising system security.",
"disabled": true,
"has_exceptions": true,
"oss_rule": false,
"priority": "WARNING",
"rule": "Find Private Keys or Passwords",
"source": "falco",
"tags": [
"HIPAA",
"HIPAA 164.308(a)",
"HITRUST",
"HITRUST CSF",
"HITRUST CSF 01.w",
"ISO",
"ISO 27001",
"ISO 27001 A.9.4.1",
"MITRE",
"MITRE T119 automated-collection",
"MITRE T1552.004 unsecured credentials private keys",
"MITRE T1552 unsecured credentials",
"MITRE TA0006 credential access",
"MITRE TA0007 discovery",
"MITRE TA0009 collection",
"NIST",
"NIST 800-171",
"NIST 800-171 3.13.4",
"NIST 800-190",
"NIST 800-190 3.1.4",
"NIST 800-53",
"NIST 800-53 SC-4",
"NIST 800-53 SI-4(18)",
"SOC2",
"SOC2 CC6.3",
"SOC2 CC6.7",
"Container",
"Host",
"Process"
]
},
{
"desc": "Detect any k8s operation by a user name that may be an administrator with full access.",
"disabled": true,
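Review bot: the tag "MITRE T119 automated-collection" in the new "Find Private Keys or Passwords" entry is a typo for T1119 and also uses a hyphen where the rest of this file writes "MITRE T1119 automated collection" (see the Azure IMDS entry above); fix the spelling so tag-based filters and MITRE mappings pick the rule up. The missing "policy" and "severity" fields match the convention the other "disabled": true entries in this file follow, so that part is fine.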
Expand Down Expand Up @@ -18890,11 +18961,13 @@
},
{
"desc": "Detects the allocation of large, anonymous memory regions (64 MB or more) by a process, where the memory is initially unused (PROT_NONE) and not linked to any file descriptor. The process utilizes this memory space for execution entirely within memory, without writing to disk, which is a common characteristic of fileless malware. This behavior indicates that the allocated memory is reserved for later use, often involving fileless payloads or malicious code that resides and executes solely in memory, thus evading traditional file-based detection methods.",
"disabled": true,
"disabled": false,
"has_exceptions": true,
"oss_rule": false,
"priority": "WARNING",
"policy": "Sysdig Runtime Threat Detection",
"priority": "CRITICAL",
"rule": "Memory Manipulation by Fileless Program",
"severity": 3,
"source": "falco",
"tags": [
"MITRE",
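Review bot: this flips "Memory Manipulation by Fileless Program" from disabled/WARNING to enabled/CRITICAL with "severity": 3. The desc describes a trigger (an anonymous PROT_NONE mapping of 64 MB or more with no backing file) that managed runtimes such as the JVM and the Go runtime produce routinely when reserving heap address space, so the exception set behind "has_exceptions": true carries the whole false-positive load. It would help to state which exceptions accompany the enablement and whether the 64 MB threshold was validated on real workloads before shipping this at CRITICAL by default.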
Expand Down Expand Up @@ -19703,11 +19776,13 @@
},
{
"desc": "Detects spawning of security tools and suspicious tools often used during penetration testing activities. Attackers commonly employ these tools as well to search for vulnerabilities, exploits and execute malicious payloads on a targeted system.",
"disabled": true,
"disabled": false,
"has_exceptions": true,
"oss_rule": false,
"priority": "WARNING",
"policy": "Sysdig Runtime Threat Detection",
"priority": "CRITICAL",
"rule": "Offensive Security Tool Detected",
"severity": 3,
"source": "falco",
"tags": [
"MITRE",
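Review bot: this is the second disabled-to-enabled, WARNING-to-CRITICAL promotion in the patch, and nothing in the PR (title "0.193.0 Update", one commit, no description) explains either. A changelog line per toggled rule, naming the reason for the change in default state and priority, would help downstream consumers who will start receiving CRITICAL alerts for "Offensive Security Tool Detected" after upgrading.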
Expand Down Expand Up @@ -21694,13 +21769,11 @@
},
{
"desc": "An attempt was made to enumerate SUID binaries. This typically occurs as part of reconnaissance on a compromised machine, where an attacker is looking to escalate privileges.",
"disabled": false,
"disabled": true,
"has_exceptions": true,
"oss_rule": false,
"policy": "Sysdig Runtime Threat Detection",
"priority": "CRITICAL",
"priority": "WARNING",
"rule": "Reconnaissance attempt to find SUID binaries",
"severity": 3,
"source": "falco",
"tags": [
"CIS",
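Review bot: disabling "Reconnaissance attempt to find SUID binaries" and dropping it to WARNING removes a default detection whose desc still frames it as a privilege-escalation precursor on a compromised host. Removing "policy" and "severity" alongside "disabled": true follows the convention of the other disabled entries here, but the PR should say why the rule is being turned off (noise, superseded by another rule) so users who relied on it know whether to re-enable it in a custom policy.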
Expand Down Expand Up @@ -22876,11 +22949,13 @@
},
{
"desc": "This rule detects potential data exfiltration activities over SSH, specifically for data transfers through the network from a piped input received by a common compression tools, such as tar. Attackers may first need to perform archival and/or compression activities on the compromised system before transferring any information through the network.",
"disabled": true,
"disabled": false,
"has_exceptions": true,
"oss_rule": false,
"priority": "WARNING",
"policy": "Sysdig Runtime Threat Detection",
"priority": "CRITICAL",
"rule": "SSH Exfiltration Activities Detected",
"severity": 3,
"source": "falco",
"tags": [
"MITRE",
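Review bot: the unchanged desc line has a grammar slip, "received by a common compression tools, such as tar", which should read "received from a common compression tool, such as tar". Since this hunk enables "SSH Exfiltration Activities Detected" at CRITICAL, that wording is about to appear in customer-facing alerts, so it is worth fixing in the same update.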
Expand Down Expand Up @@ -23091,13 +23166,11 @@
},
{
"desc": "This rule detects activities searching for private keys or passwords, alerting on potential credential exposure. An attacker could gain unauthorized access to sensitive information such as SSH keys, compromising system security.",
"disabled": false,
"disabled": true,
"has_exceptions": true,
"oss_rule": true,
"policy": "Sysdig Runtime Threat Detection",
"priority": "CRITICAL",
"priority": "WARNING",
"rule": "Search Private Keys or Passwords",
"severity": 3,
"source": "falco",
"tags": [
"HIPAA",
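Review bot: this disables "Search Private Keys or Passwords" ("oss_rule": true) in the same update that introduces "Find Private Keys or Passwords" ("oss_rule": false, also "disabled": true) above, so after this change neither the OSS rule nor its apparent replacement is enabled by default and a search for private keys or passwords produces no alert out of the box. Confirm that is intended; if the new rule is meant to supersede this one, state that in the PR so users with custom policies know which of the two to enable.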