Revert "chore: static sig metadata declaration"

This reverts commit 7bb2d59. commit: ed8304d (main), cherry-pick
aquasecurity · Sep 24, 2024 · f3d5ac1 · f3d5ac1
1 parent 29a0e29
commit f3d5ac1
Show file tree

Hide file tree

Showing 31 changed files with 462 additions and 524 deletions.
diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -14,30 +14,28 @@ type AntiDebuggingPtraceme struct {
  ptraceTraceMe string
 }
 
-var antiDebuggingPtracemeMetada = detect.SignatureMetadata{
- ID: "TRC-102",
- Version: "1",
- Name: "Anti-Debugging detected",
- EventName: "anti_debugging",
- Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
- Properties: map[string]interface{}{
- "Severity": 1,
- "Category": "defense-evasion",
- "Technique": "Debugger Evasion",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
- "external_id": "T1622",
- },
-}
-
 func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.ptraceTraceMe = "PTRACE_TRACEME"
  return nil
 }
 
 func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
- return antiDebuggingPtracemeMetada, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-102",
+ Version: "1",
+ Name: "Anti-Debugging detected",
+ EventName: "anti_debugging",
+ Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
+ Properties: map[string]interface{}{
+ "Severity": 1,
+ "Category": "defense-evasion",
+ "Technique": "Debugger Evasion",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+ "external_id": "T1622",
+ },
+ }, nil
 }
 
 func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
@@ -14,30 +14,28 @@ type AslrInspection struct {
  aslrPath string
 }
 
-var aslrInspectionMetadata = detect.SignatureMetadata{
- ID: "TRC-109",
- Version: "1",
- Name: "ASLR inspection detected",
- EventName: "aslr_inspection",
- Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",
- Properties: map[string]interface{}{
- "Severity": 0,
- "Category": "privilege-escalation",
- "Technique": "Exploitation for Privilege Escalation",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
- "external_id": "T1068",
- },
-}
-
 func (sig *AslrInspection) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.aslrPath = "/proc/sys/kernel/randomize_va_space"
  return nil
 }
 
 func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
- return aslrInspectionMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-109",
+ Version: "1",
+ Name: "ASLR inspection detected",
+ EventName: "aslr_inspection",
+ Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",
+ Properties: map[string]interface{}{
+ "Severity": 0,
+ "Category": "privilege-escalation",
+ "Technique": "Exploitation for Privilege Escalation",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
+ "external_id": "T1068",
+ },
+ }, nil
 }
 
 func (sig *AslrInspection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -15,30 +15,28 @@ type CgroupNotifyOnReleaseModification struct {
  notifyFileName string
 }
 
-var cgroupNotifyOnReleaseModificationMetadata = detect.SignatureMetadata{
- ID: "TRC-106",
- Version: "1",
- Name: "Cgroups notify_on_release file modification",
- EventName: "cgroup_notify_on_release",
- Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
- Properties: map[string]interface{}{
- "Severity": 3,
- "Category": "privilege-escalation",
- "Technique": "Escape to Host",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
- "external_id": "T1611",
- },
-}
-
 func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.notifyFileName = "notify_on_release"
  return nil
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
- return cgroupNotifyOnReleaseModificationMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-106",
+ Version: "1",
+ Name: "Cgroups notify_on_release file modification",
+ EventName: "cgroup_notify_on_release",
+ Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
+ Properties: map[string]interface{}{
+ "Severity": 3,
+ "Category": "privilege-escalation",
+ "Technique": "Escape to Host",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+ "external_id": "T1611",
+ },
+ }, nil
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go
@@ -15,30 +15,28 @@ type CgroupReleaseAgentModification struct {
  releaseAgentName string
 }
 
-var cgroupReleaseAgentModificationMetadata = detect.SignatureMetadata{
- ID: "TRC-1010",
- Version: "1",
- Name: "Cgroups release agent file modification",
- EventName: "cgroup_release_agent",
- Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
- Properties: map[string]interface{}{
- "Severity": 3,
- "Category": "privilege-escalation",
- "Technique": "Escape to Host",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
- "external_id": "T1611",
- },
-}
-
 func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.releaseAgentName = "release_agent"
  return nil
 }
 
 func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
- return cgroupReleaseAgentModificationMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-1010",
+ Version: "1",
+ Name: "Cgroups release agent file modification",
+ EventName: "cgroup_release_agent",
+ Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
+ Properties: map[string]interface{}{
+ "Severity": 3,
+ "Category": "privilege-escalation",
+ "Technique": "Escape to Host",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+ "external_id": "T1611",
+ },
+ }, nil
 }
 
 func (sig *CgroupReleaseAgentModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go
@@ -15,30 +15,28 @@ type CorePatternModification struct {
  corePattern string
 }
 
-var corePatternModificationMetadata = detect.SignatureMetadata{
- ID: "TRC-1011",
- Version: "1",
- Name: "Core dumps configuration file modification detected",
- EventName: "core_pattern_modification",
- Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.",
- Properties: map[string]interface{}{
- "Severity": 3,
- "Category": "privilege-escalation",
- "Technique": "Escape to Host",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
- "external_id": "T1611",
- },
-}
-
 func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.corePattern = "/proc/sys/kernel/core_pattern"
  return nil
 }
 
 func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) {
- return corePatternModificationMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-1011",
+ Version: "1",
+ Name: "Core dumps configuration file modification detected",
+ EventName: "core_pattern_modification",
+ Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.",
+ Properties: map[string]interface{}{
+ "Severity": 3,
+ "Category": "privilege-escalation",
+ "Technique": "Escape to Host",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+ "external_id": "T1611",
+ },
+ }, nil
 }
 
 func (sig *CorePatternModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go
@@ -16,22 +16,6 @@ type DefaultLoaderModification struct {
  compiledRegex *regexp.Regexp
 }
 
-var defaultLoaderModificationMetadata = detect.SignatureMetadata{
- ID: "TRC-1012",
- Version: "1",
- Name: "Default dynamic loader modification detected",
- EventName: "default_loader_mod",
- Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
- Properties: map[string]interface{}{
- "Severity": 3,
- "Category": "defense-evasion",
- "Technique": "Hijack Execution Flow",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
- "external_id": "T1574",
- },
-}
-
 func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
  var err error
  sig.cb = ctx.Callback
@@ -41,7 +25,21 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) {
- return defaultLoaderModificationMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-1012",
+ Version: "1",
+ Name: "Default dynamic loader modification detected",
+ EventName: "default_loader_mod",
+ Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
+ Properties: map[string]interface{}{
+ "Severity": 3,
+ "Category": "defense-evasion",
+ "Technique": "Hijack Execution Flow",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "external_id": "T1574",
+ },
+ }, nil
 }
 
 func (sig *DefaultLoaderModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/disk_mount.go b/signatures/golang/disk_mount.go
@@ -15,30 +15,28 @@ type DiskMount struct {
  devDir string
 }
 
-var diskMountMetadata = detect.SignatureMetadata{
- ID: "TRC-1014",
- Version: "1",
- Name: "Container device mount detected",
- EventName: "disk_mount",
- Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.",
- Properties: map[string]interface{}{
- "Severity": 3,
- "Category": "privilege-escalation",
- "Technique": "Escape to Host",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
- "external_id": "T1611",
- },
-}
-
 func (sig *DiskMount) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.devDir = "/dev/"
  return nil
 }
 
 func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) {
- return diskMountMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-1014",
+ Version: "1",
+ Name: "Container device mount detected",
+ EventName: "disk_mount",
+ Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.",
+ Properties: map[string]interface{}{
+ "Severity": 3,
+ "Category": "privilege-escalation",
+ "Technique": "Escape to Host",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+ "external_id": "T1611",
+ },
+ }, nil
 }
 
 func (sig *DiskMount) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go
@@ -15,30 +15,28 @@ type DockerAbuse struct {
  dockerSock string
 }
 
-var dockerAbuseMetadata = detect.SignatureMetadata{
- ID: "TRC-1019",
- Version: "1",
- Name: "Docker socket abuse detected",
- EventName: "docker_abuse",
- Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.",
- Properties: map[string]interface{}{
- "Severity": 2,
- "Category": "privilege-escalation",
- "Technique": "Exploitation for Privilege Escalation",
- "Kubernetes_Technique": "",
- "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
- "external_id": "T1068",
- },
-}
-
 func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error {
  sig.cb = ctx.Callback
  sig.dockerSock = "docker.sock"
  return nil
 }
 
 func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) {
- return dockerAbuseMetadata, nil
+ return detect.SignatureMetadata{
+ ID: "TRC-1019",
+ Version: "1",
+ Name: "Docker socket abuse detected",
+ EventName: "docker_abuse",
+ Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.",
+ Properties: map[string]interface{}{
+ "Severity": 2,
+ "Category": "privilege-escalation",
+ "Technique": "Exploitation for Privilege Escalation",
+ "Kubernetes_Technique": "",
+ "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
+ "external_id": "T1068",
+ },
+ }, nil
 }
 
 func (sig *DockerAbuse) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {