
Improving rule: Netcat Remote Code Execution in Container

Open b3n3d17 opened this issue 1 year ago • 2 comments

Motivation

When using Falco and testing various variations of certain techniques, it became apparent that the rule Netcat Remote Code Execution in Containers does not trigger when the nc binary has been linked with ln or ln -s. In these cases the proc.cmdline variable may not contain nc or ncat. I would like to ask if you also think that using proc_exepath=/usr/bin/nc.traditional and checking whether it contains nc, in addition to proc.cmdline, would be beneficial.

Old Rule:

rule: Netcat Remote Code Execution in Container
  desc: > 
    Netcat Program runs inside container that allows remote code execution and may be utilized 
    as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/.
    These programs are of higher relevance as they are commonly installed on UNIX-like operating systems.
    Can fire in combination with the "Redirect STDOUT/STDIN to Network Connection in Container" 
    rule as it utilizes a different evt.type.
  condition: >
    spawned_process 
    and container 
    and ((proc.name = "nc" and (proc.cmdline contains " -e" or 
                                proc.cmdline contains " -c")) or
         (proc.name = "ncat" and (proc.args contains "--sh-exec" or 
                                  proc.args contains "--exec" or proc.args contains "-e " or
                                  proc.args contains "-c " or proc.args contains "--lua-exec"))
         )
  output: Netcat runs inside container that allows remote code execution (evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: WARNING
  tags: [maturity_stable, container, network, process, mitre_execution, T1059]

Feature

Proposal:

(((proc.name = "nc" or proc.exepath contains "/nc") and
  (proc.cmdline contains " -e" or proc.cmdline contains " -c")) or
 ((proc.name = "ncat" or proc.exepath contains "/ncat") and
  (proc.args contains "--sh-exec" or proc.args contains "--exec" or
   proc.args contains "-e " or proc.args contains "-c " or
   proc.args contains "--lua-exec")))

b3n3d17 avatar Apr 03 '24 06:04 b3n3d17

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 02 '24 09:07 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Aug 01 '24 10:08 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Aug 31 '24 10:08 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

poiana avatar Aug 31 '24 10:08 poiana