From f3d5ac1244703aaccc7e7b59a5c741dbec6c7ff5 Mon Sep 17 00:00:00 2001 From: Raphael Campos Date: Mon, 23 Sep 2024 11:23:50 -0300 Subject: [PATCH] Revert "chore: static sig metadata declaration" This reverts commit 7bb2d5944cb4dfa7b7f3e9ba28e2afeb709f4db9. commit: ed8304d (main), cherry-pick --- signatures/golang/anti_debugging_ptraceme.go | 32 +++++++++---------- signatures/golang/aslr_inspection.go | 32 +++++++++---------- .../cgroup_notify_on_release_modification.go | 32 +++++++++---------- .../cgroup_release_agent_modification.go | 32 +++++++++---------- .../golang/core_pattern_modification.go | 32 +++++++++---------- .../golang/default_loader_modification.go | 32 +++++++++---------- signatures/golang/disk_mount.go | 32 +++++++++---------- signatures/golang/docker_abuse.go | 32 +++++++++---------- signatures/golang/dropped_executable.go | 32 +++++++++---------- signatures/golang/dynamic_code_loading.go | 32 +++++++++---------- signatures/golang/fileless_execution.go | 32 +++++++++---------- signatures/golang/hidden_file_created.go | 32 +++++++++---------- signatures/golang/illegitimate_shell.go | 32 +++++++++---------- .../golang/k8s_service_account_token.go | 32 +++++++++---------- signatures/golang/kernel_module_loading.go | 32 +++++++++---------- .../golang/kubernetes_api_connection.go | 26 +++++++-------- .../kubernetes_certificate_theft_attempt.go | 32 +++++++++---------- signatures/golang/ld_preload.go | 32 +++++++++---------- signatures/golang/proc_fops_hooking.go | 32 +++++++++---------- signatures/golang/proc_kcore_read.go | 32 +++++++++---------- signatures/golang/proc_mem_access.go | 32 +++++++++---------- signatures/golang/proc_mem_code_injection.go | 32 +++++++++---------- .../golang/process_vm_write_code_injection.go | 32 +++++++++---------- signatures/golang/ptrace_code_injection.go | 32 +++++++++---------- signatures/golang/rcd_modification.go | 32 +++++++++---------- signatures/golang/sched_debug_recon.go | 32 +++++++++---------- .../golang/scheduled_task_modification.go | 32 +++++++++---------- signatures/golang/stdio_over_socket.go | 32 +++++++++---------- signatures/golang/sudoers_modification.go | 32 +++++++++---------- signatures/golang/syscall_table_hooking.go | 32 +++++++++---------- .../system_request_key_config_modification.go | 32 +++++++++---------- 31 files changed, 462 insertions(+), 524 deletions(-) diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go index 46f07129dd05..9b2fb22afda8 100644 --- a/signatures/golang/anti_debugging_ptraceme.go +++ b/signatures/golang/anti_debugging_ptraceme.go @@ -14,22 +14,6 @@ type AntiDebuggingPtraceme struct { ptraceTraceMe string } -var antiDebuggingPtracemeMetada = detect.SignatureMetadata{ - ID: "TRC-102", - Version: "1", - Name: "Anti-Debugging detected", - EventName: "anti_debugging", - Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.", - Properties: map[string]interface{}{ - "Severity": 1, - "Category": "defense-evasion", - "Technique": "Debugger Evasion", - "Kubernetes_Technique": "", - "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", - "external_id": "T1622", - }, -} - func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.ptraceTraceMe = "PTRACE_TRACEME" @@ -37,7 +21,21 @@ func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error { } func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) { - return antiDebuggingPtracemeMetada, nil + return detect.SignatureMetadata{ + ID: "TRC-102", + Version: "1", + Name: "Anti-Debugging detected", + EventName: "anti_debugging", + Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.", + Properties: map[string]interface{}{ + "Severity": 1, + "Category": "defense-evasion", + "Technique": "Debugger Evasion", + "Kubernetes_Technique": "", + "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "external_id": "T1622", + }, + }, nil } func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go index 09339d5ae416..e16855f980a8 100644 --- a/signatures/golang/aslr_inspection.go +++ b/signatures/golang/aslr_inspection.go @@ -14,22 +14,6 @@ type AslrInspection struct { aslrPath string } -var aslrInspectionMetadata = detect.SignatureMetadata{ - ID: "TRC-109", - Version: "1", - Name: "ASLR inspection detected", - EventName: "aslr_inspection", - Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.", - Properties: map[string]interface{}{ - "Severity": 0, - "Category": "privilege-escalation", - "Technique": "Exploitation for Privilege Escalation", - "Kubernetes_Technique": "", - "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", - "external_id": "T1068", - }, -} - func (sig *AslrInspection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.aslrPath = "/proc/sys/kernel/randomize_va_space" @@ -37,7 +21,21 @@ func (sig *AslrInspection) Init(ctx detect.SignatureContext) error { } func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) { - return aslrInspectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-109", + Version: "1", + Name: "ASLR inspection detected", + EventName: "aslr_inspection", + Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.", + Properties: map[string]interface{}{ + "Severity": 0, + "Category": "privilege-escalation", + "Technique": "Exploitation for Privilege Escalation", + "Kubernetes_Technique": "", + "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", + "external_id": "T1068", + }, + }, nil } func (sig *AslrInspection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go index ad209b44b0f3..1f018e0cdd28 100644 --- a/signatures/golang/cgroup_notify_on_release_modification.go +++ b/signatures/golang/cgroup_notify_on_release_modification.go @@ -15,22 +15,6 @@ type CgroupNotifyOnReleaseModification struct { notifyFileName string } -var cgroupNotifyOnReleaseModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-106", - Version: "1", - Name: "Cgroups notify_on_release file modification", - EventName: "cgroup_notify_on_release", - Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.notifyFileName = "notify_on_release" @@ -38,7 +22,21 @@ func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext) } func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) { - return cgroupNotifyOnReleaseModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-106", + Version: "1", + Name: "Cgroups notify_on_release file modification", + EventName: "cgroup_notify_on_release", + Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *CgroupNotifyOnReleaseModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go index 655ab30ceed4..87685fcf2cad 100644 --- a/signatures/golang/cgroup_release_agent_modification.go +++ b/signatures/golang/cgroup_release_agent_modification.go @@ -15,22 +15,6 @@ type CgroupReleaseAgentModification struct { releaseAgentName string } -var cgroupReleaseAgentModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1010", - Version: "1", - Name: "Cgroups release agent file modification", - EventName: "cgroup_release_agent", - Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.releaseAgentName = "release_agent" @@ -38,7 +22,21 @@ func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) err } func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) { - return cgroupReleaseAgentModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1010", + Version: "1", + Name: "Cgroups release agent file modification", + EventName: "cgroup_release_agent", + Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *CgroupReleaseAgentModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go index a4d4e40908bc..5672a56c5629 100644 --- a/signatures/golang/core_pattern_modification.go +++ b/signatures/golang/core_pattern_modification.go @@ -15,22 +15,6 @@ type CorePatternModification struct { corePattern string } -var corePatternModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1011", - Version: "1", - Name: "Core dumps configuration file modification detected", - EventName: "core_pattern_modification", - Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.corePattern = "/proc/sys/kernel/core_pattern" @@ -38,7 +22,21 @@ func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error { } func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) { - return corePatternModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1011", + Version: "1", + Name: "Core dumps configuration file modification detected", + EventName: "core_pattern_modification", + Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *CorePatternModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go index dd1d054b006c..d2a2df58c1e0 100644 --- a/signatures/golang/default_loader_modification.go +++ b/signatures/golang/default_loader_modification.go @@ -16,22 +16,6 @@ type DefaultLoaderModification struct { compiledRegex *regexp.Regexp } -var defaultLoaderModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1012", - Version: "1", - Name: "Default dynamic loader modification detected", - EventName: "default_loader_mod", - Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Hijack Execution Flow", - "Kubernetes_Technique": "", - "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", - "external_id": "T1574", - }, -} - func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -41,7 +25,21 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error { } func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) { - return defaultLoaderModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1012", + Version: "1", + Name: "Default dynamic loader modification detected", + EventName: "default_loader_mod", + Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Hijack Execution Flow", + "Kubernetes_Technique": "", + "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "external_id": "T1574", + }, + }, nil } func (sig *DefaultLoaderModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/disk_mount.go b/signatures/golang/disk_mount.go index f5ddf9f29ac9..60e0f70ecc52 100644 --- a/signatures/golang/disk_mount.go +++ b/signatures/golang/disk_mount.go @@ -15,22 +15,6 @@ type DiskMount struct { devDir string } -var diskMountMetadata = detect.SignatureMetadata{ - ID: "TRC-1014", - Version: "1", - Name: "Container device mount detected", - EventName: "disk_mount", - Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *DiskMount) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.devDir = "/dev/" @@ -38,7 +22,21 @@ func (sig *DiskMount) Init(ctx detect.SignatureContext) error { } func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) { - return diskMountMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1014", + Version: "1", + Name: "Container device mount detected", + EventName: "disk_mount", + Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *DiskMount) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go index d1e82d0d78f8..9671f763c56c 100644 --- a/signatures/golang/docker_abuse.go +++ b/signatures/golang/docker_abuse.go @@ -15,22 +15,6 @@ type DockerAbuse struct { dockerSock string } -var dockerAbuseMetadata = detect.SignatureMetadata{ - ID: "TRC-1019", - Version: "1", - Name: "Docker socket abuse detected", - EventName: "docker_abuse", - Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "privilege-escalation", - "Technique": "Exploitation for Privilege Escalation", - "Kubernetes_Technique": "", - "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", - "external_id": "T1068", - }, -} - func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.dockerSock = "docker.sock" @@ -38,7 +22,21 @@ func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error { } func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) { - return dockerAbuseMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1019", + Version: "1", + Name: "Docker socket abuse detected", + EventName: "docker_abuse", + Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "privilege-escalation", + "Technique": "Exploitation for Privilege Escalation", + "Kubernetes_Technique": "", + "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", + "external_id": "T1068", + }, + }, nil } func (sig *DockerAbuse) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/dropped_executable.go b/signatures/golang/dropped_executable.go index dfe2756a9866..9650379b8d29 100644 --- a/signatures/golang/dropped_executable.go +++ b/signatures/golang/dropped_executable.go @@ -13,29 +13,27 @@ type DroppedExecutable struct { cb detect.SignatureHandler } -var droppedExecutableMetadata = detect.SignatureMetadata{ - ID: "TRC-1022", - Version: "1", - Name: "New executable dropped", - EventName: "dropped_executable", - Description: "An Executable file was dropped in the system during runtime. Container images are usually built with all binaries needed inside. A dropped binary may indicate that an adversary infiltrated your container.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "defense-evasion", - "Technique": "Masquerading", - "Kubernetes_Technique": "", - "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", - "external_id": "T1036", - }, -} - func (sig *DroppedExecutable) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *DroppedExecutable) GetMetadata() (detect.SignatureMetadata, error) { - return droppedExecutableMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1022", + Version: "1", + Name: "New executable dropped", + EventName: "dropped_executable", + Description: "An Executable file was dropped in the system during runtime. Container images are usually built with all binaries needed inside. A dropped binary may indicate that an adversary infiltrated your container.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "defense-evasion", + "Technique": "Masquerading", + "Kubernetes_Technique": "", + "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", + "external_id": "T1036", + }, + }, nil } func (sig *DroppedExecutable) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/dynamic_code_loading.go b/signatures/golang/dynamic_code_loading.go index 81c7728161e4..be148f9b5484 100644 --- a/signatures/golang/dynamic_code_loading.go +++ b/signatures/golang/dynamic_code_loading.go @@ -14,22 +14,6 @@ type DynamicCodeLoading struct { alertText string } -var dynamicCodeLoadingMetadata = detect.SignatureMetadata{ - ID: "TRC-104", - Version: "1", - Name: "Dynamic code loading detected", - EventName: "dynamic_code_loading", - Description: "Possible dynamic code loading was detected as the binary's memory is both writable and executable. Writing to an executable allocated memory region could be a technique used by adversaries to run code undetected and without dropping executables.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "defense-evasion", - "Technique": "Software Packing", - "Kubernetes_Technique": "", - "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", - "external_id": "T1027.002", - }, -} - func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.alertText = "Protection changed from W to E!" @@ -37,7 +21,21 @@ func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error { } func (sig *DynamicCodeLoading) GetMetadata() (detect.SignatureMetadata, error) { - return dynamicCodeLoadingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-104", + Version: "1", + Name: "Dynamic code loading detected", + EventName: "dynamic_code_loading", + Description: "Possible dynamic code loading was detected as the binary's memory is both writable and executable. Writing to an executable allocated memory region could be a technique used by adversaries to run code undetected and without dropping executables.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "defense-evasion", + "Technique": "Software Packing", + "Kubernetes_Technique": "", + "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_id": "T1027.002", + }, + }, nil } func (sig *DynamicCodeLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/fileless_execution.go b/signatures/golang/fileless_execution.go index 1728476b192a..8fdc54636978 100644 --- a/signatures/golang/fileless_execution.go +++ b/signatures/golang/fileless_execution.go @@ -13,29 +13,27 @@ type FilelessExecution struct { cb detect.SignatureHandler } -var filelessExecutionMetadata = detect.SignatureMetadata{ - ID: "TRC-105", - Version: "1", - Name: "Fileless execution detected", - EventName: "fileless_execution", - Description: "Fileless execution was detected. Executing a process from memory instead from a file in the filesystem may indicate that an adversary is trying to avoid execution detection.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Reflective Code Loading", - "Kubernetes_Technique": "", - "id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a", - "external_id": "T1620", - }, -} - func (sig *FilelessExecution) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *FilelessExecution) GetMetadata() (detect.SignatureMetadata, error) { - return filelessExecutionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-105", + Version: "1", + Name: "Fileless execution detected", + EventName: "fileless_execution", + Description: "Fileless execution was detected. Executing a process from memory instead from a file in the filesystem may indicate that an adversary is trying to avoid execution detection.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Reflective Code Loading", + "Kubernetes_Technique": "", + "id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a", + "external_id": "T1620", + }, + }, nil } func (sig *FilelessExecution) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/hidden_file_created.go b/signatures/golang/hidden_file_created.go index 69a5a68ec9fa..c0d957ab9fbb 100644 --- a/signatures/golang/hidden_file_created.go +++ b/signatures/golang/hidden_file_created.go @@ -15,22 +15,6 @@ type HiddenFileCreated struct { hiddenPathPattern string } -var hiddenFileCreatedMetadata = detect.SignatureMetadata{ - ID: "TRC-1015", - Version: "1", - Name: "Hidden executable creation detected", - EventName: "hidden_file_created", - Description: "A hidden executable (ELF file) was created on disk. This activity could be legitimate; however, it could indicate that an adversary is trying to avoid detection by hiding their programs.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "defense-evasion", - "Technique": "Hidden Files and Directories", - "Kubernetes_Technique": "", - "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", - "external_id": "T1564.001", - }, -} - func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.hiddenPathPattern = "/." @@ -38,7 +22,21 @@ func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error { } func (sig *HiddenFileCreated) GetMetadata() (detect.SignatureMetadata, error) { - return hiddenFileCreatedMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1015", + Version: "1", + Name: "Hidden executable creation detected", + EventName: "hidden_file_created", + Description: "A hidden executable (ELF file) was created on disk. This activity could be legitimate; however, it could indicate that an adversary is trying to avoid detection by hiding their programs.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "defense-evasion", + "Technique": "Hidden Files and Directories", + "Kubernetes_Technique": "", + "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "external_id": "T1564.001", + }, + }, nil } func (sig *HiddenFileCreated) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/illegitimate_shell.go b/signatures/golang/illegitimate_shell.go index d9234df0f285..c607742a2340 100644 --- a/signatures/golang/illegitimate_shell.go +++ b/signatures/golang/illegitimate_shell.go @@ -16,22 +16,6 @@ type IllegitimateShell struct { webServersProcessNames []string } -var illegitimateShellMetadata = detect.SignatureMetadata{ - ID: "TRC-1016", - Version: "1", - Name: "Web server spawned a shell", - EventName: "illegitimate_shell", - Description: "A web-server program on your server spawned a shell program. Shell is the linux command-line program, web servers usually don't run shell programs, so this alert might indicate an adversary is exploiting a web server program to gain command execution on the server.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "initial-access", - "Technique": "Exploit Public-Facing Application", - "Kubernetes_Technique": "", - "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", - "external_id": "T1190", - }, -} - func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.shellNames = []string{"/ash", "/bash", "/csh", "/ksh", "/sh", "/tcsh", "/zsh", "/dash"} @@ -40,7 +24,21 @@ func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error { } func (sig *IllegitimateShell) GetMetadata() (detect.SignatureMetadata, error) { - return illegitimateShellMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1016", + Version: "1", + Name: "Web server spawned a shell", + EventName: "illegitimate_shell", + Description: "A web-server program on your server spawned a shell program. Shell is the linux command-line program, web servers usually don't run shell programs, so this alert might indicate an adversary is exploiting a web server program to gain command execution on the server.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "initial-access", + "Technique": "Exploit Public-Facing Application", + "Kubernetes_Technique": "", + "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "external_id": "T1190", + }, + }, nil } func (sig *IllegitimateShell) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/k8s_service_account_token.go b/signatures/golang/k8s_service_account_token.go index 4f9bc02a087d..d721b3ac83c7 100644 --- a/signatures/golang/k8s_service_account_token.go +++ b/signatures/golang/k8s_service_account_token.go @@ -17,22 +17,6 @@ type K8SServiceAccountToken struct { compiledRegex *regexp.Regexp } -var k8SServiceAccountTokenMetadata = detect.SignatureMetadata{ - ID: "TRC-108", - Version: "1", - Name: "K8s service account token file read", - EventName: "k8s_service_account_token", - Description: "The Kubernetes service account token file was read on your container. This token is used to communicate with the Kubernetes API Server. Adversaries may try to communicate with the API Server to steal information and/or credentials, or even run more containers and laterally extend their grip on the systems.", - Properties: map[string]interface{}{ - "Severity": 0, - "Category": "credential-access", - "Technique": "Exploitation for Credential Access", - "Kubernetes_Technique": "Container service account", - "id": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "external_id": "T1212", - }, -} - func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -43,7 +27,21 @@ func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error { } func (sig *K8SServiceAccountToken) GetMetadata() (detect.SignatureMetadata, error) { - return k8SServiceAccountTokenMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-108", + Version: "1", + Name: "K8s service account token file read", + EventName: "k8s_service_account_token", + Description: "The Kubernetes service account token file was read on your container. This token is used to communicate with the Kubernetes API Server. Adversaries may try to communicate with the API Server to steal information and/or credentials, or even run more containers and laterally extend their grip on the systems.", + Properties: map[string]interface{}{ + "Severity": 0, + "Category": "credential-access", + "Technique": "Exploitation for Credential Access", + "Kubernetes_Technique": "Container service account", + "id": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "external_id": "T1212", + }, + }, nil } func (sig *K8SServiceAccountToken) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/kernel_module_loading.go b/signatures/golang/kernel_module_loading.go index 22b207ab793e..37fd1f8a716e 100644 --- a/signatures/golang/kernel_module_loading.go +++ b/signatures/golang/kernel_module_loading.go @@ -13,29 +13,27 @@ type KernelModuleLoading struct { cb detect.SignatureHandler } -var kernelModuleLoadingMetadata = detect.SignatureMetadata{ - ID: "TRC-1017", - Version: "1", - Name: "Kernel module loading detected", - EventName: "kernel_module_loading", - Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "Kernel Modules and Extensions", - "Kubernetes_Technique": "", - "id": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6", - "external_id": "T1547.006", - }, -} - func (sig *KernelModuleLoading) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) { - return kernelModuleLoadingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1017", + Version: "1", + Name: "Kernel module loading detected", + EventName: "kernel_module_loading", + Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "Kernel Modules and Extensions", + "Kubernetes_Technique": "", + "id": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6", + "external_id": "T1547.006", + }, + }, nil } func (sig *KernelModuleLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/kubernetes_api_connection.go b/signatures/golang/kubernetes_api_connection.go index e26f79b053ce..4b1838dc6dc1 100644 --- a/signatures/golang/kubernetes_api_connection.go +++ b/signatures/golang/kubernetes_api_connection.go @@ -15,19 +15,6 @@ type K8sApiConnection struct { apiAddressContainerId map[string]string } -var k8sApiConnectionMetadata = detect.SignatureMetadata{ - ID: "TRC-1013", - Version: "0.1.0", - Name: "Kubernetes API server connection detected", - EventName: "k8s_api_connection", - Description: "A connection to the kubernetes API server was detected. The K8S API server is the brain of your K8S cluster, adversaries may try and communicate with the K8S API server to gather information/credentials, or even run more containers and laterally expand their grip on your systems.", - Tags: []string{"container"}, - Properties: map[string]interface{}{ - "Severity": 1, - "MITRE ATT&CK": "Discovery: Cloud Service Discovery", - }, -} - func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.apiAddressContainerId = make(map[string]string) @@ -36,7 +23,18 @@ func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error { } func (sig *K8sApiConnection) GetMetadata() (detect.SignatureMetadata, error) { - return k8sApiConnectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1013", + Version: "0.1.0", + Name: "Kubernetes API server connection detected", + EventName: "k8s_api_connection", + Description: "A connection to the kubernetes API server was detected. The K8S API server is the brain of your K8S cluster, adversaries may try and communicate with the K8S API server to gather information/credentials, or even run more containers and laterally expand their grip on your systems.", + Tags: []string{"container"}, + Properties: map[string]interface{}{ + "Severity": 1, + "MITRE ATT&CK": "Discovery: Cloud Service Discovery", + }, + }, nil } func (sig *K8sApiConnection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/kubernetes_certificate_theft_attempt.go b/signatures/golang/kubernetes_certificate_theft_attempt.go index 62032dc6e7ad..847b5b388c0f 100644 --- a/signatures/golang/kubernetes_certificate_theft_attempt.go +++ b/signatures/golang/kubernetes_certificate_theft_attempt.go @@ -16,22 +16,6 @@ type KubernetesCertificateTheftAttempt struct { k8sCertificatesDir string } -var kubernetesCertificateTheftAttemptMetadata = detect.SignatureMetadata{ - ID: "TRC-1018", - Version: "1", - Name: "K8s TLS certificate theft detected", - EventName: "k8s_cert_theft", - Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "credential-access", - "Technique": "Steal Application Access Token", - "Kubernetes_Technique": "", - "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a", - "external_id": "T1528", - }, -} - func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.legitProcs = []string{"kube-apiserver", "kubelet", "kube-controller", "etcd"} @@ -40,7 +24,21 @@ func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext) } func (sig *KubernetesCertificateTheftAttempt) GetMetadata() (detect.SignatureMetadata, error) { - return kubernetesCertificateTheftAttemptMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1018", + Version: "1", + Name: "K8s TLS certificate theft detected", + EventName: "k8s_cert_theft", + Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "credential-access", + "Technique": "Steal Application Access Token", + "Kubernetes_Technique": "", + "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a", + "external_id": "T1528", + }, + }, nil } func (sig *KubernetesCertificateTheftAttempt) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/ld_preload.go b/signatures/golang/ld_preload.go index fc508f652773..181e6ab27dbe 100644 --- a/signatures/golang/ld_preload.go +++ b/signatures/golang/ld_preload.go @@ -16,22 +16,6 @@ type LdPreload struct { preloadPath string } -var ldPreloadMetadata = detect.SignatureMetadata{ - ID: "TRC-107", - Version: "1", - Name: "LD_PRELOAD code injection detected", - EventName: "ld_preload", - Description: "LD_PRELOAD usage was detected. LD_PRELOAD lets you load your library before any other library, allowing you to hook functions in a process. Adversaries may use this technique to change your applications' behavior or load their own programs.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "Hijack Execution Flow", - "Kubernetes_Technique": "", - "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", - "external_id": "T1574", - }, -} - func (sig *LdPreload) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.preloadEnvs = []string{"LD_PRELOAD", "LD_LIBRARY_PATH"} @@ -40,7 +24,21 @@ func (sig *LdPreload) Init(ctx detect.SignatureContext) error { } func (sig *LdPreload) GetMetadata() (detect.SignatureMetadata, error) { - return ldPreloadMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-107", + Version: "1", + Name: "LD_PRELOAD code injection detected", + EventName: "ld_preload", + Description: "LD_PRELOAD usage was detected. LD_PRELOAD lets you load your library before any other library, allowing you to hook functions in a process. Adversaries may use this technique to change your applications' behavior or load their own programs.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "Hijack Execution Flow", + "Kubernetes_Technique": "", + "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "external_id": "T1574", + }, + }, nil } func (sig *LdPreload) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_fops_hooking.go b/signatures/golang/proc_fops_hooking.go index 5af0ecf686ae..4aae431787a6 100644 --- a/signatures/golang/proc_fops_hooking.go +++ b/signatures/golang/proc_fops_hooking.go @@ -13,29 +13,27 @@ type ProcFopsHooking struct { cb detect.SignatureHandler } -var procFopsHookingMetadata = detect.SignatureMetadata{ - ID: "TRC-1020", - Version: "1", - Name: "File operations hooking on proc filesystem detected", - EventName: "proc_fops_hooking", - Description: "File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like `ps` and `top` to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Rootkit", - "Kubernetes_Technique": "", - "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "external_id": "T1014", - }, -} - func (sig *ProcFopsHooking) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) { - return procFopsHookingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1020", + Version: "1", + Name: "File operations hooking on proc filesystem detected", + EventName: "proc_fops_hooking", + Description: "File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like `ps` and `top` to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Rootkit", + "Kubernetes_Technique": "", + "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "external_id": "T1014", + }, + }, nil } func (sig *ProcFopsHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_kcore_read.go b/signatures/golang/proc_kcore_read.go index e505f0dfd90c..7a39d91f0573 100644 --- a/signatures/golang/proc_kcore_read.go +++ b/signatures/golang/proc_kcore_read.go @@ -15,22 +15,6 @@ type ProcKcoreRead struct { kcorePath string } -var procKcoreReadMetadata = detect.SignatureMetadata{ - ID: "TRC-1021", - Version: "1", - Name: "Kcore memory file read", - EventName: "proc_kcore_read", - Description: "An attempt to read /proc/kcore file was detected. KCore provides a full dump of the physical memory of the system in the core file format. Adversaries may read this file to get all of the host memory and use this information for container escape.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.kcorePath = "/proc/kcore" @@ -38,7 +22,21 @@ func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error { } func (sig *ProcKcoreRead) GetMetadata() (detect.SignatureMetadata, error) { - return procKcoreReadMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1021", + Version: "1", + Name: "Kcore memory file read", + EventName: "proc_kcore_read", + Description: "An attempt to read /proc/kcore file was detected. KCore provides a full dump of the physical memory of the system in the core file format. Adversaries may read this file to get all of the host memory and use this information for container escape.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *ProcKcoreRead) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_mem_access.go b/signatures/golang/proc_mem_access.go index 7d171b253949..e1f80b911067 100644 --- a/signatures/golang/proc_mem_access.go +++ b/signatures/golang/proc_mem_access.go @@ -16,22 +16,6 @@ type ProcMemAccess struct { compiledRegex *regexp.Regexp } -var procMemAccessMetadata = detect.SignatureMetadata{ - ID: "TRC-1023", - Version: "1", - Name: "Process memory access detected", - EventName: "proc_mem_access", - Description: "Process memory access detected. Adversaries may access other processes memory to steal credentials and secrets.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "credential-access", - "Technique": "Proc Filesystem", - "Kubernetes_Technique": "", - "id": "attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d", - "external_id": "T1003.007", - }, -} - func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -41,7 +25,21 @@ func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error { } func (sig *ProcMemAccess) GetMetadata() (detect.SignatureMetadata, error) { - return procMemAccessMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1023", + Version: "1", + Name: "Process memory access detected", + EventName: "proc_mem_access", + Description: "Process memory access detected. Adversaries may access other processes memory to steal credentials and secrets.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "credential-access", + "Technique": "Proc Filesystem", + "Kubernetes_Technique": "", + "id": "attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d", + "external_id": "T1003.007", + }, + }, nil } func (sig *ProcMemAccess) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_mem_code_injection.go b/signatures/golang/proc_mem_code_injection.go index f5ae29b21676..6dc7d84bfb17 100644 --- a/signatures/golang/proc_mem_code_injection.go +++ b/signatures/golang/proc_mem_code_injection.go @@ -16,22 +16,6 @@ type ProcMemCodeInjection struct { compiledRegex *regexp.Regexp } -var procMemCodeInjectionMetadata = detect.SignatureMetadata{ - ID: "TRC-1024", - Version: "1", - Name: "Code injection detected through /proc//mem file", - EventName: "proc_mem_code_injection", - Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Proc Memory", - "Kubernetes_Technique": "", - "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591", - "external_id": "T1055.009", - }, -} - func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -41,7 +25,21 @@ func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error { } func (sig *ProcMemCodeInjection) GetMetadata() (detect.SignatureMetadata, error) { - return procMemCodeInjectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1024", + Version: "1", + Name: "Code injection detected through /proc//mem file", + EventName: "proc_mem_code_injection", + Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Proc Memory", + "Kubernetes_Technique": "", + "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "external_id": "T1055.009", + }, + }, nil } func (sig *ProcMemCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/process_vm_write_code_injection.go b/signatures/golang/process_vm_write_code_injection.go index d742260b5aa1..da1ed26582ca 100644 --- a/signatures/golang/process_vm_write_code_injection.go +++ b/signatures/golang/process_vm_write_code_injection.go @@ -13,22 +13,6 @@ type ProcessVmWriteCodeInjection struct { cb detect.SignatureHandler } -var processVmWriteCodeInjectionMetadata = detect.SignatureMetadata{ - ID: "TRC-1025", - Version: "1", - Name: "Code injection detected using process_vm_writev syscall", - EventName: "process_vm_write_inject", - Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Process Injection", - "Kubernetes_Technique": "", - "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "external_id": "T1055", - }, -} - func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback @@ -36,7 +20,21 @@ func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error } func (sig *ProcessVmWriteCodeInjection) GetMetadata() (detect.SignatureMetadata, error) { - return processVmWriteCodeInjectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1025", + Version: "1", + Name: "Code injection detected using process_vm_writev syscall", + EventName: "process_vm_write_inject", + Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Process Injection", + "Kubernetes_Technique": "", + "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "external_id": "T1055", + }, + }, nil } func (sig *ProcessVmWriteCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/ptrace_code_injection.go b/signatures/golang/ptrace_code_injection.go index 233060e5b54b..593701d4903b 100644 --- a/signatures/golang/ptrace_code_injection.go +++ b/signatures/golang/ptrace_code_injection.go @@ -15,22 +15,6 @@ type PtraceCodeInjection struct { ptracePokeData string } -var ptraceCodeInjectionMetadata = detect.SignatureMetadata{ - ID: "TRC-103", - Version: "1", - Name: "Code injection detected using ptrace", - EventName: "ptrace_code_injection", - Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Ptrace System Calls", - "Kubernetes_Technique": "", - "id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f", - "external_id": "T1055.008", - }, -} - func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.ptracePokeText = "PTRACE_POKETEXT" @@ -39,7 +23,21 @@ func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error { } func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) { - return ptraceCodeInjectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-103", + Version: "1", + Name: "Code injection detected using ptrace", + EventName: "ptrace_code_injection", + Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Ptrace System Calls", + "Kubernetes_Technique": "", + "id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "external_id": "T1055.008", + }, + }, nil } func (sig *PtraceCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/rcd_modification.go b/signatures/golang/rcd_modification.go index 3a01b2857a87..fa4e0cdba68a 100644 --- a/signatures/golang/rcd_modification.go +++ b/signatures/golang/rcd_modification.go @@ -18,22 +18,6 @@ type RcdModification struct { rcdCommand string } -var rcdModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1026", - Version: "1", - Name: "Rcd modification detected", - EventName: "rcd_modification", - Description: "The rcd files were modified. rcd files are scripts executed on boot and runlevel switch. Those scripts are responsible for service control in runlevel switch. Adversaries may add or modify rcd files in order to persist a reboot, thus maintaining malicious execution on the affected host.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "RC Scripts", - "Kubernetes_Technique": "", - "id": "attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211", - "external_id": "T1037.004", - }, -} - func (sig *RcdModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.rcdFiles = []string{"/etc/rc.local", "/etc/init.d/rc.local"} @@ -43,7 +27,21 @@ func (sig *RcdModification) Init(ctx detect.SignatureContext) error { } func (sig *RcdModification) GetMetadata() (detect.SignatureMetadata, error) { - return rcdModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1026", + Version: "1", + Name: "Rcd modification detected", + EventName: "rcd_modification", + Description: "The rcd files were modified. rcd files are scripts executed on boot and runlevel switch. Those scripts are responsible for service control in runlevel switch. Adversaries may add or modify rcd files in order to persist a reboot, thus maintaining malicious execution on the affected host.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "RC Scripts", + "Kubernetes_Technique": "", + "id": "attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211", + "external_id": "T1037.004", + }, + }, nil } func (sig *RcdModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/sched_debug_recon.go b/signatures/golang/sched_debug_recon.go index 02ea12f067ec..6c10283fbb44 100644 --- a/signatures/golang/sched_debug_recon.go +++ b/signatures/golang/sched_debug_recon.go @@ -14,22 +14,6 @@ type SchedDebugRecon struct { schedDebugPaths []string } -var schedDebugReconMetadata = detect.SignatureMetadata{ - ID: "TRC-1029", - Version: "1", - Name: "sched_debug CPU file was read", - EventName: "sched_debug_recon", - Description: "The sched_debug file was read. This file contains information about your CPU and processes. Adversaries may read this file in order to gather that information for their use.", - Properties: map[string]interface{}{ - "Severity": 1, - "Category": "discovery", - "Technique": "Container and Resource Discovery", - "Kubernetes_Technique": "", - "id": "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336", - "external_id": "T1613", - }, -} - func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.schedDebugPaths = []string{"/proc/sched_debug", "/sys/kernel/debug/sched/debug"} @@ -37,7 +21,21 @@ func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error { } func (sig *SchedDebugRecon) GetMetadata() (detect.SignatureMetadata, error) { - return schedDebugReconMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1029", + Version: "1", + Name: "sched_debug CPU file was read", + EventName: "sched_debug_recon", + Description: "The sched_debug file was read. This file contains information about your CPU and processes. Adversaries may read this file in order to gather that information for their use.", + Properties: map[string]interface{}{ + "Severity": 1, + "Category": "discovery", + "Technique": "Container and Resource Discovery", + "Kubernetes_Technique": "", + "id": "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336", + "external_id": "T1613", + }, + }, nil } func (sig *SchedDebugRecon) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/scheduled_task_modification.go b/signatures/golang/scheduled_task_modification.go index 2586ef7482a9..a7564e78bd04 100644 --- a/signatures/golang/scheduled_task_modification.go +++ b/signatures/golang/scheduled_task_modification.go @@ -18,22 +18,6 @@ type ScheduledTaskModification struct { cronCommands []string } -var scheduledTaskModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1027", - Version: "1", - Name: "Scheduled tasks modification detected", - EventName: "scheduled_task_mod", - Description: "The task scheduling functionality or files were modified. Crontab schedules task execution or enables task execution at boot time. Adversaries may add or modify scheduled tasks in order to persist a reboot, thus maintaining malicious execution on the affected host.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "Cron", - "Kubernetes_Technique": "", - "id": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c", - "external_id": "T1053.003", - }, -} - func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.cronFiles = []string{"/etc/crontab", "/etc/anacrontab", "/etc/cron.deny", "/etc/cron.allow"} @@ -43,7 +27,21 @@ func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error { } func (sig *ScheduledTaskModification) GetMetadata() (detect.SignatureMetadata, error) { - return scheduledTaskModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1027", + Version: "1", + Name: "Scheduled tasks modification detected", + EventName: "scheduled_task_mod", + Description: "The task scheduling functionality or files were modified. Crontab schedules task execution or enables task execution at boot time. Adversaries may add or modify scheduled tasks in order to persist a reboot, thus maintaining malicious execution on the affected host.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "Cron", + "Kubernetes_Technique": "", + "id": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c", + "external_id": "T1053.003", + }, + }, nil } func (sig *ScheduledTaskModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/stdio_over_socket.go b/signatures/golang/stdio_over_socket.go index d2e89f4d57d6..3f58d25f044f 100644 --- a/signatures/golang/stdio_over_socket.go +++ b/signatures/golang/stdio_over_socket.go @@ -14,22 +14,6 @@ type StdioOverSocket struct { legitPorts []string } -var stdioOverSocketMetadata = detect.SignatureMetadata{ - ID: "TRC-101", - Version: "2", - Name: "Process standard input/output over socket detected", - EventName: "stdio_over_socket", - Description: "A process has its standard input/output redirected to a socket. This behavior is the base of a Reverse Shell attack, which is when an interactive shell being invoked from a target machine back to the attacker's machine, giving it interactive control over the target. Adversaries may use a Reverse Shell to retain control over a compromised target while bypassing security measures like network firewalls.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "execution", - "Technique": "Unix Shell", - "Kubernetes_Technique": "", - "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", - "external_id": "T1059.004", - }, -} - func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.legitPorts = []string{"", "0"} @@ -37,7 +21,21 @@ func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error { } func (sig *StdioOverSocket) GetMetadata() (detect.SignatureMetadata, error) { - return stdioOverSocketMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-101", + Version: "2", + Name: "Process standard input/output over socket detected", + EventName: "stdio_over_socket", + Description: "A process has its standard input/output redirected to a socket. This behavior is the base of a Reverse Shell attack, which is when an interactive shell being invoked from a target machine back to the attacker's machine, giving it interactive control over the target. Adversaries may use a Reverse Shell to retain control over a compromised target while bypassing security measures like network firewalls.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "execution", + "Technique": "Unix Shell", + "Kubernetes_Technique": "", + "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", + "external_id": "T1059.004", + }, + }, nil } func (sig *StdioOverSocket) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/sudoers_modification.go b/signatures/golang/sudoers_modification.go index 8c2645b510a2..74973699e87b 100644 --- a/signatures/golang/sudoers_modification.go +++ b/signatures/golang/sudoers_modification.go @@ -16,22 +16,6 @@ type SudoersModification struct { sudoersDirs []string } -var sudoersModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1028", - Version: "1", - Name: "Sudoers file modification detected", - EventName: "sudoers_modification", - Description: "The sudoers file was modified. The sudoers file is a configuration file which controls the permissions and options of the sudo feature. Adversaries may alter the sudoers file to elevate privileges, execute commands as other users or spawn processes with higher privileges.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "privilege-escalation", - "Technique": "Sudo and Sudo Caching", - "Kubernetes_Technique": "", - "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", - "external_id": "T1548.003", - }, -} - func (sig *SudoersModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.sudoersFiles = []string{"/etc/sudoers", "/private/etc/sudoers"} @@ -40,7 +24,21 @@ func (sig *SudoersModification) Init(ctx detect.SignatureContext) error { } func (sig *SudoersModification) GetMetadata() (detect.SignatureMetadata, error) { - return sudoersModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1028", + Version: "1", + Name: "Sudoers file modification detected", + EventName: "sudoers_modification", + Description: "The sudoers file was modified. The sudoers file is a configuration file which controls the permissions and options of the sudo feature. Adversaries may alter the sudoers file to elevate privileges, execute commands as other users or spawn processes with higher privileges.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "privilege-escalation", + "Technique": "Sudo and Sudo Caching", + "Kubernetes_Technique": "", + "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", + "external_id": "T1548.003", + }, + }, nil } func (sig *SudoersModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/syscall_table_hooking.go b/signatures/golang/syscall_table_hooking.go index 9749c67ad90c..9cae0948cfa3 100644 --- a/signatures/golang/syscall_table_hooking.go +++ b/signatures/golang/syscall_table_hooking.go @@ -12,29 +12,27 @@ type SyscallTableHooking struct { cb detect.SignatureHandler } -var syscallTableHookingMetadata = detect.SignatureMetadata{ - ID: "TRC-1030", - Version: "1", - Name: "Syscall table hooking detected", - EventName: "syscall_hooking", - Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Rootkit", - "Kubernetes_Technique": "", - "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "external_id": "T1014", - }, -} - func (sig *SyscallTableHooking) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) { - return syscallTableHookingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1030", + Version: "1", + Name: "Syscall table hooking detected", + EventName: "syscall_hooking", + Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Rootkit", + "Kubernetes_Technique": "", + "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "external_id": "T1014", + }, + }, nil } func (sig *SyscallTableHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/system_request_key_config_modification.go b/signatures/golang/system_request_key_config_modification.go index bb80aa12832a..05d8c531fd03 100644 --- a/signatures/golang/system_request_key_config_modification.go +++ b/signatures/golang/system_request_key_config_modification.go @@ -14,22 +14,6 @@ type SystemRequestKeyConfigModification struct { sysrqPaths []string } -var systemRequestKeyConfigModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1031", - Version: "1", - Name: "System request key configuration modification", - EventName: "system_request_key_mod", - Description: "An attempt to modify and activate the System Request Key configuration file was detected. The system request key allows immediate input to the kernel through simple key combinations. Adversaries may use this feature to immediately shut down or restart a system. With read access to kernel logs, host related information such as listing tasks and CPU registers may be disclosed and could be used for container escape.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.sysrqPaths = []string{"/proc/sys/kernel/sysrq", "/proc/sysrq-trigger"} @@ -37,7 +21,21 @@ func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext) } func (sig *SystemRequestKeyConfigModification) GetMetadata() (detect.SignatureMetadata, error) { - return systemRequestKeyConfigModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1031", + Version: "1", + Name: "System request key configuration modification", + EventName: "system_request_key_mod", + Description: "An attempt to modify and activate the System Request Key configuration file was detected. The system request key allows immediate input to the kernel through simple key combinations. Adversaries may use this feature to immediately shut down or restart a system. With read access to kernel logs, host related information such as listing tasks and CPU registers may be disclosed and could be used for container escape.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *SystemRequestKeyConfigModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {