new(rules): Exfiltrating Artifacts via Kubernetes Control Plane (kube…

…ctl cp) Signed-off-by: Melissa Kilby <[email protected]>
falcosecurity · Aug 23, 2023 · a066c1b · a066c1b
1 parent 7347f69
commit a066c1b
Showing 1 changed file with 29 additions and 2 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -71,8 +71,8 @@
 # - macro: custom_procs
 #   condition: (proc.name in (custom1, custom2, custom3))
 
-# - macro: always_true
-#   condition: (evt.num>=0)
+- macro: always_true
+  condition: (evt.num>=0)
 
 # In some cases, such as dropped system call events, information about
 # the process name may be missing. For some rules that really depend
@@ -3393,6 +3393,33 @@
   output: File execution detected from /dev/shm (evt_res=%evt.res file=%fd.name proc_cwd=%proc.cwd proc_pcmdline=%proc.pcmdline user_loginname=%user.loginname group_gid=%group.gid group_name=%group.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
   tags: [maturity_sandbox, host, container, mitre_execution, T1059.004]
+
+# Customize the placeholder macro by overriding it with a suitable logical condition for your environment. An example is provided below.
+# - macro: monitored_containers_namespaces_kubectl_cp
+#   condition: ( (k8s.ns.name contains "crown_jewels") or (container.image.repository in (x, y, z)) )
+- macro: monitored_containers_namespaces_kubectl_cp
+  condition: (always_true)
+
+- macro: system_level_side_effect_artifacts_kubectl_cp
+  condition: (fd.name startswith /etc or 
+              fd.name startswith /proc or 
+              fd.name startswith /lib or 
+              fd.name startswith /run or 
+              fd.name startswith /usr or 
+              fd.name="/")
+
+- rule: Exfiltrating Artifacts via Kubernetes Control Plane (kubectl cp)
+  desc: >
+    Copy artifacts using Kubernetes control plane (kubectl cp). Detect potential exfiltration of application secrets or data from containers' file systems, 
+    in cases of unauthorized access and misuse of the control plane (e.g. using stolen credentials like Kubernetes serviceaccount tokens). Can be configured 
+    to monitor specific artifact paths, containers, or namespaces.
+  condition: >
+    open_read and container and proc.name=tar and container_entrypoint and proc.tty=0  
+    and monitored_containers_namespaces_kubectl_cp 
+    and not system_level_side_effect_artifacts_kubectl_cp
+  output: Exfiltrating Artifacts via Kubernetes Control Plane (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+  priority: NOTICE
+  tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010]
 
 # List of allowed container images that are known to execute binaries not part of their base image.
 - list: known_drop_and_execute_containers