308b755d92
[Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account ( #3860 )
...
* tuning 'Attempts to Brute Force a Microsoft 365 User Account'
* added reference
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 7f3c977192
2024-07-08 17:10:42 +00:00
461e72cf9c
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3685 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit cd716e5248
2024-07-05 04:49:50 +00:00
e36686570f
[New Rule] AWS RDS DB Instance Made Public ( #3836 )
...
* [New Rule] AWS RDS DB Instance Made Public
...
* Apply suggestions from code review
* added coverage for instances created with public access
* rule review edits
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 83be212632
2024-07-03 05:04:37 +00:00
85f949539c
[New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled ( #3851 )
...
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed
...
* insert rule_id
* rule name change
(cherry picked from commit 3a5c5c20a8
2024-07-02 21:25:12 +00:00
634a3f50d5
[New Rule] AWS RDS DB Instance or Cluster Password Modified ( #3844 )
...
* [New Rule] AWS RDS DB Instance or Cluster Password Modified
..
* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9f4956f542
2024-07-02 20:18:06 +00:00
8e9f3659ed
[New Rule] AWS RDS Snapshot Shared with Another Account ( #3831 )
...
* [New Rule] AWS RDS DB Snapshot Shared with Another Account
...
* Update exfiltration_rds_snapshot_shared_with_another_account.toml
* edit threat matrix format
* Apply suggestions from code review
* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 43fbf94d8a
2024-07-02 19:39:56 +00:00
594b8a1574
[New Rule] AWS RDS Snapshot Deleted ( #3852 )
...
* [New Rule] AWS RDS Snapshot Deleted
* added coverage for backupRetentionPeriod set to 0
(cherry picked from commit aaf014390b
2024-07-02 18:04:22 +00:00
6fb82a87e4
[Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction ( #3849 )
...
* tuning google workspace rules
* removed verbiage about runtime
(cherry picked from commit 5fe7833312
2024-07-01 19:53:27 +00:00
0b808211f6
[New Rule] Entra ID Device Code Auth with Broker Client ( #3819 )
...
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 99a4d629c9
2024-07-01 14:34:42 +00:00
d47d87386c
[Rule Tuning] AWS RDS Snapshot Restored ( #3809 )
...
* [Tuning] AWS RDS Instance Restored
-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added
* Update defense_evasion_rds_instance_restored.toml
* Update defense_evasion_rds_instance_restored.toml
* removed investigation guide place holder
* deprecated old rule because of name change
* change rule_id
* Revert "change rule_id"
This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.
* Revert "deprecated old rule because of name change"
This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
(cherry picked from commit f62644887e
2024-06-29 00:46:01 +00:00
408442e185
[Rule Tuning] Multiple Device Token Hashes for Single Okta Session ( #3814 )
...
* tuning 'Multiple Device Token Hashes for Single Okta Session'
* adjusted file name
* updated tags
* updated file name extension
* updated min-stack comments
(cherry picked from commit 2e3aca62f0
2024-06-28 17:02:28 +00:00
cbc7fb5224
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
(cherry picked from commit 51b9717ac0
2024-06-19 14:08:24 +00:00
96c7509c20
Closes #2216 ( #2855 )
...
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit c1dcd21531
2024-06-13 20:56:04 +00:00
bc578b5464
Update FIM integration Setup sequence ( #3781 )
...
(cherry picked from commit 89d89f15d2
2024-06-12 11:14:29 +00:00
d8131f9c60
Add exceptions to C2 Beaconing Activity ( #3771 )
...
(cherry picked from commit 8baf5dc2d8
2024-06-11 13:17:09 +00:00
d26951d94e
[New Rule] Suspicious File Modification ( #3746 )
...
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ec223a4a05
2024-06-11 11:06:39 +00:00
522719cc9e
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9f67585332
2024-06-05 14:36:53 +00:00
124fdc93a7
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
(cherry picked from commit 05ac4e1bd3
2024-06-05 14:26:05 +00:00
9475cf942d
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c77eb1d915
2024-06-05 14:14:27 +00:00
06660cb2e1
Refresh MITRE Attack v15.1.0 ( #3725 )
...
(cherry picked from commit e357a2c050
2024-06-04 14:48:18 +00:00
d7db6be0aa
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 59b7e3bde4
2024-06-04 13:23:16 +00:00
6924fddf65
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0885032b2c
2024-06-03 15:46:31 +00:00
1b586e7485
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
(cherry picked from commit 70469b4cdb
2024-06-02 12:44:13 +00:00
9b487a7ea3
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
(cherry picked from commit 7c82e75cf4
2024-06-01 14:34:49 +00:00
032a8c9623
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 23ce41d8af
2024-05-31 21:58:11 +00:00
9a92326b0d
Remove unwanted backticks ( #3724 )
...
(cherry picked from commit 418a95205e
2024-05-31 16:19:24 +00:00
444ae196ac
Add exceptions to brute force threshold rule. ( #3712 )
...
High volume, machine generated failures or MFA interruptions have been added to the rule.
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 34294fbe6d
2024-05-30 08:16:09 +00:00
e1230b6b26
Update rule setup instructions for UEBA packages ( #3652 )
...
* update detection-rules instructions for UEBA packages
---------
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
(cherry picked from commit 8b28a515c1
2024-05-28 19:24:45 +00:00
a32759a51f
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance ( #3598 )
...
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'
* added investigation guide
* changed file name to match tactic
* changed reference
* updated tags
* updated investigation notes
* changed new terms value; adjusted rule name
(cherry picked from commit d5c57463e1
2024-05-28 15:26:33 +00:00
2691273c93
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports ( #3599 )
...
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 527f785a60
2024-05-28 14:52:40 +00:00
18fcd83683
Back-porting Version Trimming ( #3704 )
...
(cherry picked from commit 63e91c2f12
2024-05-22 19:18:10 +00:00
bc95221e93
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3591 )
...
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'
* added investigation guide
* updated query logic
(cherry picked from commit 137b74c3aa
2024-05-20 20:23:52 +00:00
1d7e597662
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3677 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f0b226c2b0
2024-05-15 17:20:18 +00:00
ca8af123d2
[FR] Add max_signal note, unit test, and rule tuning ( #3669 )
...
(cherry picked from commit f07a9e6fbc
2024-05-14 16:23:18 +00:00
9dceb36a7e
[New Rule] Route53 Resolver Query Log Configuration Deleted ( #3592 )
...
* new rule 'Route53 Resolver Query Log Configuration Deleted'
* added investigation guide
* adjusted investigation notes
* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 2375297879
2024-05-14 14:32:44 +00:00
f918f091c3
[New Rule] AWS EC2 AMI Shared with Another Account ( #3600 )
...
* new rule 'AWS EC2 AMI Shared with Another Account'
* linted; updated UUID
* added investigation guide
* updated description
* fixed spelling errors
* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* fixed spacing issue
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d505b95f3c
2024-05-14 06:04:20 +00:00
727e7ada2e
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role ( #3586 )
...
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'
* updated description and name
* added investigation guide; adjusted description
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated query logic
* fixed spacing issue
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 38e0f13e23
2024-05-14 03:15:43 +00:00
868ab80c63
Fix minstack version for 0365 in azure integration rules ( #3612 )
...
(cherry picked from commit 7673ba484d
2024-04-22 13:55:15 +00:00
f3d95cccce
adjust aws rule index patterns and tags ( #3595 )
...
(cherry picked from commit 74312797bf
2024-04-16 14:16:36 +00:00
4e88c2d024
Fix minstack version for O365 prod rules ( #3565 )
...
(cherry picked from commit 0e2eb5a84c
2024-04-02 16:13:40 +00:00
c1dd8cae21
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 400a84628e
2024-04-01 19:10:34 +00:00
078c86ab40
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' ( #3494 )
...
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
(cherry picked from commit f6e79944f2
2024-03-15 23:17:27 +00:00
0a729b77a4
Beaconing - Add whitelist to rules, with some more processes ( #3497 )
...
* Add whitelist to rules, with some more processes
* Update rules exceptionlist
* Update exceptions
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit a4ecfe3ccf
2024-03-14 19:56:12 +00:00
9101dfc064
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
(cherry picked from commit 458e67918a
2024-03-11 12:15:22 +00:00
6241e8c7b4
fix: correct the provider for the create, delete and modify routes in EC2 VPCs ( #3500 )
...
(cherry picked from commit 709cfddcbe
2024-03-08 19:07:31 +00:00
cfb4f1a013
[New Rules] UEBA GItHub BBRs and Rules ( #3174 )
...
* [New Rules] UEBA GItHub BBRs and Rules
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
* Update rules/integrations/github/impact_github_member_removed_from_organization.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* edited BBR rules
-removed newly added member rule
* updated integration manifests and schemas
* Updated min_stack for some rules based on newest GitHub integration schema manifest
* testing min_stack bump to 8.8 for new fields
* removing offending rule to troubleshoot seperately
* added UEBA tags and created UEBA threshold rule
* updated non-ecs-schema to add signal.rule.tags
* updated non-ecs-schema with kibana.alert.workflow_status
* updated rule.threat.tactic
* added user.name to non-ecs-schema
* added quotes to kibana.alert.workflow_status value
* removed trailing space from rule name
* update tags and optimize query for UEBA threshold rule
* removed integration field from Higher-Order rule
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* adjusted new_terms order and rule types based on review feedback
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* remove user.name from detection_rules/etc/non-ecs-schema.json
* fix json formatting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 442435830f
2024-01-22 17:53:42 +00:00
7367f37584
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
...
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1c10c37468
2024-01-17 19:20:19 +00:00
92ed682a51
[Tuning] Update min_stack for container rules new ecs field ( #3370 )
...
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml
update min_stack and comments
* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
update min_stack and comments
(cherry picked from commit a0f82c3f12
2024-01-05 23:47:45 +00:00
d7cc37993d
[New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container ( #3241 )
...
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container
This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.
* added references
* Apply suggestions from code review
* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Apply suggestions from code review
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 10b241dcc5
2024-01-05 15:33:31 +00:00
4638fae505
[New Rule] Mount Launched Inside a Privileged Container ( #3245 )
...
* [New Rule] Mount Launched Inside a Privileged Container
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit db5e1e5cf2
2024-01-05 15:22:59 +00:00
Terrance DeJesus