* Deprecation Notice to Cloud Defend Rules
* Udpate names in investigation guide
* Adding deprecation note under Setup field
* reverting back to setup field name
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container
This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.
* added references
* Apply suggestions from code review
* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Apply suggestions from code review
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New Rule] Mount Launched Inside a Privileged Container
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New Rule] Potential Container Escape via Modified notify_on_release File
This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.
* Apply suggestions from code review
* suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New Rule] Potential Container Escape via Modified release_agent File
This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [New Rule] File Made Executable via Chmod Inside A Container
new rule
* edit threat matrix urls
add final / to reference urls
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
added Defense Evasion tag
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
adjusted tags
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New Rule] Netcat Listener Established Inside A Container
new rule toml
* remove references
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* remove false_positives
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* adjust from field from s to m for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update execution_netcat_listener_established_inside_a_container.toml
updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables
* optimized query
optimized query to deduplicate fields based on review feedback
* Update execution_netcat_listener_established_inside_a_container.toml
updated query comment
* Update execution_netcat_listener_established_inside_a_container.toml
added false positive section
* Update execution_netcat_listener_established_inside_a_container.toml
adjusted tags
* removed the != end query parameter
removed the exclusion of end events for this to account for short-lived netcat listener processes
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Create execution_interactive_shell_spawned_from_inside_a_container.toml
new rule
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
edited threat matrix
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
changed boolean in query from string type
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
added timestamp_override field
* Apply suggestions from code review
readability from field change, removed references field
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
index spacing, rule name, comment change
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unneccesary comments and simplify the query.
* Update rule query
updated rule query to use process.executable and an or field for event.action
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
adjusted tags
* changed "not" in query
event.action != end based on review suggestion
* spacing around comments
* removed ending wildcard causing FPs
removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
shashank-elastic