falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0

Improving rule: Netcat Remote Code Execution in Container #239

Open b3n3d17 opened 2 months ago

b3n3d17 commented 2 months ago

Motivation

When using Falco and testing various variations of certain techniques, it became apparent that the rule Netcat Remote Code Execution in Container does not trigger when the nc binary has been linked with ln or ln -s. In these cases the proc.cmdline variable may not contain nc or ncat. I would like to ask if you also think that using proc_exepath=/usr/bin/nc.traditional and checking for contains nc in addition to proc.cmdline would be beneficial.

Old Rule:

- rule: Netcat Remote Code Execution in Container
  desc: >
    Netcat Program runs inside container that allows remote code execution and may be utilized
    as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/.
    These programs are of higher relevance as they are commonly installed on UNIX-like operating systems.
    Can fire in combination with the "Redirect STDOUT/STDIN to Network Connection in Container"
    rule as it utilizes a different evt.type.
  condition: >
    spawned_process
    and container
    and ((proc.name = "nc" and (proc.cmdline contains " -e" or
                                proc.cmdline contains " -c")) or
         (proc.name = "ncat" and (proc.args contains "--sh-exec" or
                                  proc.args contains "--exec" or proc.args contains "-e " or
                                  proc.args contains "-c " or proc.args contains "--lua-exec"))
         )
  output: Netcat runs inside container that allows remote code execution (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: WARNING
  tags: [maturity_stable, container, network, process, mitre_execution, T1059]

Feature

Proposal:

((proc.name = "nc" or proc.exepath contains "/nc") and (proc.cmdline contains " -e" or
                                                         proc.cmdline contains " -c")) or
((proc.name = "ncat" or proc.exepath contains "/ncat") and (proc.args contains "--sh-exec" or
                                                            proc.args contains "--exec" or proc.args contains "-e " or
                                                            proc.args contains "-c " or proc.args contains "--lua-exec"))