From a14ecff1f7c71f2b3e1b0c81c2f2d6a59821cfcf Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Wed, 26 Jul 2023 16:08:30 +0200 Subject: [PATCH] new(ci): added github pages around rules overview file. Signed-off-by: Federico Di Pierro --- .github/workflows/pages.yaml | 41 +++++ mkdocs.yml | 6 + requirements.txt | 2 + rules_inventory/rules_overview.md | 259 ------------------------------ 4 files changed, 49 insertions(+), 259 deletions(-) create mode 100644 .github/workflows/pages.yaml create mode 100644 mkdocs.yml create mode 100644 requirements.txt delete mode 100644 rules_inventory/rules_overview.md diff --git a/.github/workflows/pages.yaml b/.github/workflows/pages.yaml new file mode 100644 index 000000000..be7185b43 --- /dev/null +++ b/.github/workflows/pages.yaml @@ -0,0 +1,41 @@ +name: Deploy Github Pages +on: + push: + branches: [main] + +permissions: + contents: read + pages: write + id-token: write + +concurrency: + group: "pages" + cancel-in-progress: true + +jobs: + deploy-pages: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-python@v2 + with: + python-version: 3.x + + - name: Generate inventory + run: | + python rules_inventory/scripts/rules_overview_generator.py --rules_file=rules/falco_rules.yaml > docs/overview.md + + - run: pip install -r requirements.txt + + - run: mkdocs build + + - uses: actions/upload-pages-artifact@v1 + with: + path: 'site' + + - id: deployment + uses: actions/deploy-pages@v1 diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 000000000..47a2311e7 --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,6 @@ +site_name: Falcosecurity Rules +site_url: https://github.com/falcosecurity/rules +nav: + - Home: overview.md + +theme: material diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 000000000..9a8a4ca47 --- /dev/null +++ b/requirements.txt 
@@ -0,0 +1,2 @@ +mkdocs +mkdocs-material diff --git a/rules_inventory/rules_overview.md b/rules_inventory/rules_overview.md deleted file mode 100644 index 39b0207f1..000000000 --- a/rules_inventory/rules_overview.md +++ /dev/null 
@@ -1,259 +0,0 @@ - - - -# Falco Rules - Summary Stats - - - - - - -This document is auto-generated. Last Updated: 2023-06-13. - - -The Falco project ships with [80 default rules](https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml) around Linux syscalls and container events that were contributed by the community. - - -The intended outcome of this document is to provide a comprehensive overview of the default rules, provide additional resources and help drive future improvements. - - - - - -Falco default rules per workload type: - - - -| workload | rule_count | percentage | -|:----------------|-------------:|:-------------| -| container | 28 | 35.0% | -| container, host | 51 | 63.75% | -| host | 1 | 1.25% | - - - -Falco default rules per [Falco tag](https://falco.org/docs/rules/#tags): - - - -| extra_tag | rule_count | percentage | -|:--------------|-------------:|:-------------| -| aws | 2 | 1.92% | -| cis | 5 | 4.81% | -| database | 1 | 0.96% | -| filesystem | 30 | 28.85% | -| k8s | 2 | 1.92% | -| network | 22 | 21.15% | -| process | 29 | 27.88% | -| shell | 2 | 1.92% | -| software_mgmt | 3 | 2.88% | -| users | 8 | 7.69% | - - - -Falco default rules per [Mitre Attack](https://attack.mitre.org/) phase: - - - -| mitre_phase | rules | percentage | -|:---------------------------|:-----------------------------------------------------------------------|:-------------| -| mitre_command_and_control | Disallowed SSH Connection | 7.5% | -| | Launch Ingress Remote File Copy Tools in Container | | -| | Outbound Connection to C2 Servers | | -| | Program run with disallowed http proxy env | | -| | Unexpected inbound connection source | | -| | Unexpected outbound connection destination | | -| mitre_credential_access | Create Hardlink Over Sensitive Files | 10.0% | -| | Create Symlink Over Sensitive Files | | -| | Directory traversal monitored file read | | -| | Find AWS Credentials | | -| | Read environment variable from /proc files | | -| | Read sensitive 
file trusted after startup | | -| | Read sensitive file untrusted | | -| | Search Private Keys or Passwords | | -| mitre_defense_evasion | Clear Log Activities | 7.5% | -| | Delete Bash History | | -| | Delete or rename shell history | | -| | Execution from /dev/shm | | -| | PTRACE anti-debug attempt | | -| | Unprivileged Delegation of Page Faults Handling to a Userspace Process | | -| mitre_discovery | Contact EC2 Instance Metadata Service From Container | 17.5% | -| | Contact K8S API Server From Container | | -| | Contact cloud metadata service from container | | -| | Directory traversal monitored file read | | -| | Launch Suspicious Network Tool in Container | | -| | Launch Suspicious Network Tool on Host | | -| | Network Connection outside Local Subnet | | -| | Outbound or Inbound Traffic not to Authorized Server Process and Port | | -| | Packet socket created in container | | -| | Read Shell Configuration File | | -| | Read environment variable from /proc files | | -| | Read sensitive file untrusted | | -| | Read ssh information | | -| | Redirect STDOUT/STDIN to Network Connection in Container | | -| mitre_execution | Container Drift Detected (chmod) | 20.0% | -| | Container Drift Detected (open+create) | | -| | Container Run as Root User | | -| | DB program spawned process | | -| | Debugfs Launched in Privileged Container | | -| | Detect crypto miners using the Stratum protocol | | -| | Detect outbound connections to common miner pool ports | | -| | Execution from /dev/shm | | -| | Linux Kernel Module Injection Detected | | -| | Netcat Remote Code Execution in Container | | -| | PTRACE attached to process | | -| | Redirect STDOUT/STDIN to Network Connection in Container | | -| | Run shell untrusted | | -| | System user interactive | | -| | Terminal shell in container | | -| | The docker client is executed in a container | | -| mitre_exfiltration | Create Hardlink Over Sensitive Files | 12.5% | -| | Create Symlink Over Sensitive Files | | -| | Directory 
traversal monitored file read | | -| | Interpreted procs inbound network activity | | -| | Interpreted procs outbound network activity | | -| | Launch Remote File Copy Tools in Container | | -| | Launch Suspicious Network Tool in Container | | -| | Launch Suspicious Network Tool on Host | | -| | System procs network activity | | -| | Unexpected UDP Traffic | | -| mitre_initial_access | Java Process Class File Download | 2.5% | -| | Modify Container Entrypoint | | -| mitre_lateral_movement | Change thread namespace | 12.5% | -| | Debugfs Launched in Privileged Container | | -| | Detect release_agent File Container Escapes | | -| | Disallowed SSH Connection | | -| | Launch Disallowed Container | | -| | Launch Excessively Capable Container | | -| | Launch Privileged Container | | -| | Launch Remote File Copy Tools in Container | | -| | Launch Sensitive Mount Container | | -| | Mount Launched in Privileged Container | | -| mitre_persistence | Create Hidden Files or Directories | 23.75% | -| | Create files below dev | | -| | Drop and execute new binary in container | | -| | Launch Package Management Process in Container | | -| | Linux Kernel Module Injection Detected | | -| | Mkdir binary dirs | | -| | Modify Shell Configuration File | | -| | Modify binary dirs | | -| | Remove Bulk Data from Disk | | -| | Schedule Cron Jobs | | -| | Set Setuid or Setgid bit | | -| | Unexpected K8s NodePort Connection | | -| | Update Package Repository | | -| | User mgmt binaries | | -| | Write below binary dir | | -| | Write below etc | | -| | Write below monitored dir | | -| | Write below root | | -| | Write below rpm database | | -| mitre_privilege_escalation | Change thread namespace | 10.0% | -| | Detect release_agent File Container Escapes | | -| | Launch Excessively Capable Container | | -| | Launch Privileged Container | | -| | Non sudo setuid | | -| | PTRACE attached to process | | -| | Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | | -| | Sudo Potential 
Privilege Escalation | | - - - -# Falco Rules - Detailed Overview - - - - - -56 Falco rules (70.00% of rules) are enabled by default: - - -| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags | -|:-----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------| -| Contact K8S API Server From Container | Detect attempts to contact the K8S API Server from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, k8s | -| Debugfs Launched in Privileged Container | Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. | container | mitre_execution, mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, process | -| Detect release_agent File Container Escapes | This rule detect an attempt to exploit a container escape using release_agent file. 
By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container | container | mitre_lateral_movement, mitre_privilege_escalation | [T1611](https://attack.mitre.org/techniques/T1611) | process | -| Drop and execute new binary in container | Detect if an executable not belonging to the base image of a container is being executed. The drop and execute pattern can be observed very often after an attacker gained an initial foothold. is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. | container | mitre_persistence | [TA0003](https://attack.mitre.org/tactics/TA0003) | | -| Launch Disallowed Container | Detect the initial process started by a container that is not in a list of allowed containers. | container | mitre_lateral_movement | [T1610](https://attack.mitre.org/techniques/T1610) | | -| Launch Excessively Capable Container | Detect container started with a powerful set of capabilities. Exceptions are made for known trusted images. | container | mitre_lateral_movement, mitre_privilege_escalation | [T1610](https://attack.mitre.org/techniques/T1610) | cis | -| Launch Ingress Remote File Copy Tools in Container | Detect ingress remote file copy tools launched in container | container | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network, process | -| Launch Package Management Process in Container | Package management process ran inside container | container | mitre_persistence | [T1505](https://attack.mitre.org/techniques/T1505) | process, software_mgmt | -| Launch Privileged Container | Detect the initial process started in a privileged container. Exceptions are made for known trusted images. 
| container | mitre_lateral_movement, mitre_privilege_escalation | [T1610](https://attack.mitre.org/techniques/T1610) | cis | -| Launch Remote File Copy Tools in Container | Detect remote file copy tools launched in container | container | mitre_exfiltration, mitre_lateral_movement | [T1020](https://attack.mitre.org/techniques/T1020), [T1210](https://attack.mitre.org/techniques/T1210) | network, process | -| Launch Sensitive Mount Container | Detect the initial process started by a container that has a mount from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images. | container | mitre_lateral_movement | [T1610](https://attack.mitre.org/techniques/T1610) | cis | -| Launch Suspicious Network Tool in Container | Detect network tools launched inside container | container | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process | -| Mount Launched in Privileged Container | Detect file system mount happened inside a privileged container which might lead to container escape. | container | mitre_lateral_movement | [T1611](https://attack.mitre.org/techniques/T1611) | cis, filesystem | -| Netcat Remote Code Execution in Container | Netcat Program runs inside container that allows remote code execution | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | network, process | -| Packet socket created in container | Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker. 
| container | mitre_discovery | [T1046](https://attack.mitre.org/techniques/T1046) | network | -| Read environment variable from /proc files | An attempt to read process environment variables from /proc files | container | mitre_credential_access, mitre_discovery | [T1083](https://attack.mitre.org/techniques/T1083) | filesystem, process | -| Redirect STDOUT/STDIN to Network Connection in Container | Detect redirecting stdout/stdin to network connection in container (potential reverse shell). | container | mitre_discovery, mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | network, process | -| Terminal shell in container | A shell was used as the entrypoint/exec point into a container with an attached terminal. | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | shell | -| The docker client is executed in a container | Detect a k8s client tool executed inside a container | container | mitre_execution | [T1610](https://attack.mitre.org/techniques/T1610) | | -| Unexpected K8s NodePort Connection | Detect attempts to use K8s NodePorts from a container | container | mitre_persistence | [T1205.001](https://attack.mitre.org/techniques/T1205/001) | network, k8s | -| Clear Log Activities | Detect clearing of critical log files | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | filesystem | -| Create Hardlink Over Sensitive Files | Detect hardlink created over sensitive files | container, host | mitre_credential_access, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | -| Create Symlink Over Sensitive Files | Detect symlink created over sensitive files | container, host | mitre_credential_access, mitre_exfiltration | 
[T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | -| Create files below dev | creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev. | container, host | mitre_persistence | [T1083](https://attack.mitre.org/techniques/T1083), [T1543](https://attack.mitre.org/techniques/T1543) | filesystem | -| DB program spawned process | a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks. | container, host | mitre_execution | [T1190](https://attack.mitre.org/techniques/T1190) | process, database | -| Delete Bash History | Detect bash history deletion | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | process, filesystem | -| Delete or rename shell history | Detect shell history deletion | container, host | mitre_defense_evasion | [T1070](https://attack.mitre.org/techniques/T1070) | process, filesystem | -| Detect crypto miners using the Stratum protocol | Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp' | container, host | mitre_execution | [T1496](https://attack.mitre.org/techniques/T1496) | process | -| Directory traversal monitored file read | Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts. 
| container, host | mitre_credential_access, mitre_discovery, mitre_exfiltration | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | -| Execution from /dev/shm | This rule detects file execution from the /dev/shm directory, a common tactic for threat actors to stash their readable+writable+(sometimes)executable files. | container, host | mitre_defense_evasion, mitre_execution | [T1036.005](https://attack.mitre.org/techniques/T1036/005), [T1059.004](https://attack.mitre.org/techniques/T1059/004) | | -| Find AWS Credentials | Find or grep AWS credentials | container, host | mitre_credential_access | [T1552](https://attack.mitre.org/techniques/T1552) | process, aws | -| Linux Kernel Module Injection Detected | Detect kernel module was injected (from container). | container, host | mitre_execution, mitre_persistence | [TA0002](https://attack.mitre.org/tactics/TA0002) | process | -| Mkdir binary dirs | an attempt to create a directory below a set of binary directories. | container, host | mitre_persistence | [T1222.002](https://attack.mitre.org/techniques/T1222/002) | filesystem | -| Modify Shell Configuration File | Detect attempt to modify shell configuration files | container, host | mitre_persistence | [T1546.004](https://attack.mitre.org/techniques/T1546/004) | filesystem | -| Modify binary dirs | an attempt to modify any file below a set of binary directories. | container, host | mitre_persistence | [T1222.002](https://attack.mitre.org/techniques/T1222/002) | filesystem | -| Non sudo setuid | an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody" suing to itself are also excluded, as setuid calls typically involve dropping privileges. 
| container, host | mitre_privilege_escalation | [T1548.001](https://attack.mitre.org/techniques/T1548/001) | users | -| PTRACE anti-debug attempt | Detect usage of the PTRACE system call with the PTRACE_TRACEME argument, indicating a program actively attempting to avoid debuggers attaching to the process. This behavior is typically indicative of malware activity. | container, host | mitre_defense_evasion | [T1622](https://attack.mitre.org/techniques/T1622) | process | -| PTRACE attached to process | This rule detects an attempt to inject code into a process using PTRACE. | container, host | mitre_execution, mitre_privilege_escalation | [T1055.008](https://attack.mitre.org/techniques/T1055/008) | process | -| Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) | This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system | container, host | mitre_privilege_escalation | [TA0004](https://attack.mitre.org/tactics/TA0004) | process, users | -| Read sensitive file trusted after startup | an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards. | container, host | mitre_credential_access | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | -| Read sensitive file untrusted | an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. 
| container, host | mitre_credential_access, mitre_discovery | [T1020](https://attack.mitre.org/techniques/T1020), [T1083](https://attack.mitre.org/techniques/T1083), [T1212](https://attack.mitre.org/techniques/T1212), [T1552](https://attack.mitre.org/techniques/T1552), [T1555](https://attack.mitre.org/techniques/T1555) | filesystem | -| Remove Bulk Data from Disk | Detect process running to clear bulk data from disk | container, host | mitre_persistence | [T1485](https://attack.mitre.org/techniques/T1485) | process, filesystem | -| Run shell untrusted | an attempt to spawn a shell below a non-shell application. Specific applications are monitored. | container, host | mitre_execution | [T1059.004](https://attack.mitre.org/techniques/T1059/004) | process, shell | -| Search Private Keys or Passwords | Detect grep private keys or passwords activity. | container, host | mitre_credential_access | [T1552.001](https://attack.mitre.org/techniques/T1552/001) | process, filesystem | -| Sudo Potential Privilege Escalation | Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root. | container, host | mitre_privilege_escalation | [T1548.003](https://attack.mitre.org/techniques/T1548/003) | filesystem, users | -| System procs network activity | any network activity performed by system binaries that are not expected to send or receive any network traffic | container, host | mitre_exfiltration | [T1059](https://attack.mitre.org/techniques/T1059), [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| System user interactive | an attempt to run interactive commands by a system (i.e. 
non-login) user | container, host | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | users | -| Unprivileged Delegation of Page Faults Handling to a Userspace Process | Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs | container, host | mitre_defense_evasion | [TA0005](https://attack.mitre.org/tactics/TA0005) | process | -| Update Package Repository | Detect package repositories get updated | container, host | mitre_persistence | [T1072](https://attack.mitre.org/techniques/T1072) | filesystem | -| User mgmt binaries | activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup. Some innocuous command lines that don't actually change anything are excluded. | container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098), [T1543](https://attack.mitre.org/techniques/T1543) | users, software_mgmt | -| Write below binary dir | an attempt to write to any file below a set of binary directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem | -| Write below etc | an attempt to write to any file below /etc | container, host | mitre_persistence | [T1098](https://attack.mitre.org/techniques/T1098) | filesystem | -| Write below monitored dir | an attempt to write to any file below a set of monitored directories | container, host | mitre_persistence | [T1543](https://attack.mitre.org/techniques/T1543) | filesystem | -| Write below root | an attempt to write to any file directly below / or /root | container, host | mitre_persistence | [TA0003](https://attack.mitre.org/tactics/TA0003) | filesystem | -| Write below rpm database | an attempt to write to the rpm database by any non-rpm related program | container, host | mitre_persistence | 
[T1072](https://attack.mitre.org/techniques/T1072) | filesystem, software_mgmt | -| Launch Suspicious Network Tool on Host | Detect network tools launched on the host | host | mitre_discovery, mitre_exfiltration | [T1046](https://attack.mitre.org/techniques/T1046), [T1595](https://attack.mitre.org/techniques/T1595) | network, process | - - -24 Falco rules (30.00% of rules) are *not* enabled by default: - - -| rule | desc | workload | mitre_phase | mitre_ttp | extra_tags | -|:----------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|:---------------------------------------------------|:-------------------------------------------------------------------------------------------------------|:--------------------| -| Contact EC2 Instance Metadata Service From Container | Detect attempts to contact the EC2 Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network, aws | -| Contact cloud metadata service from container | Detect attempts to contact the Cloud Instance Metadata Service from a container | container | mitre_discovery | [T1565](https://attack.mitre.org/techniques/T1565) | network | -| Container Drift Detected (chmod) | New executable created in a container due to chmod | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | process, filesystem | -| Container Drift Detected (open+create) | New executable created in a container due to open+create | container | mitre_execution | [T1059](https://attack.mitre.org/techniques/T1059) | process, filesystem | -| Container Run as Root User | Detected container running as root user | container | mitre_execution | [T1610](https://attack.mitre.org/techniques/T1610) | process, users | -| 
Modify Container Entrypoint | This rule detect an attempt to write on container entrypoint symlink (/proc/self/exe). Possible CVE-2019-5736 Container Breakout exploitation attempt. | container | mitre_initial_access | [T1611](https://attack.mitre.org/techniques/T1611) | filesystem | -| Network Connection outside Local Subnet | Detect traffic to image outside local subnet. | container | mitre_discovery | [T1046](https://attack.mitre.org/techniques/T1046) | network | -| Outbound or Inbound Traffic not to Authorized Server Process and Port | Detect traffic that is not to authorized server process and port. | container | mitre_discovery | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| Change thread namespace | an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns. | container, host | mitre_lateral_movement, mitre_privilege_escalation | [T1611](https://attack.mitre.org/techniques/T1611) | process | -| Create Hidden Files or Directories | Detect hidden files or directories created | container, host | mitre_persistence | [T1564.001](https://attack.mitre.org/techniques/T1564/001) | filesystem | -| Detect outbound connections to common miner pool ports | Miners typically connect to miner pools on common ports. | container, host | mitre_execution | [T1496](https://attack.mitre.org/techniques/T1496) | network | -| Disallowed SSH Connection | Detect any new ssh connection to a host other than those in an allowed group of hosts | container, host | mitre_command_and_control, mitre_lateral_movement | [T1021.004](https://attack.mitre.org/techniques/T1021/004) | network | -| Interpreted procs inbound network activity | Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.) 
| container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| Interpreted procs outbound network activity | Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.) | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| Java Process Class File Download | Detected Java process downloading a class file which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228) | container, host | mitre_initial_access | [T1190](https://attack.mitre.org/techniques/T1190) | process | -| Outbound Connection to C2 Servers | Detect outbound connection to command & control servers thanks to a list of IP addresses & a list of FQDN. | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| Program run with disallowed http proxy env | An attempt to run a program with a disallowed HTTP_PROXY environment variable | container, host | mitre_command_and_control | [T1090](https://attack.mitre.org/techniques/T1090), [T1204](https://attack.mitre.org/techniques/T1204) | users | -| Read Shell Configuration File | Detect attempts to read shell configuration files by non-shell programs | container, host | mitre_discovery | [T1546.004](https://attack.mitre.org/techniques/T1546/004) | filesystem | -| Read ssh information | Any attempt to read files below ssh directories by non-ssh programs | container, host | mitre_discovery | [T1005](https://attack.mitre.org/techniques/T1005) | filesystem | -| Schedule Cron Jobs | Detect cron jobs scheduled | container, host | mitre_persistence | [T1053.003](https://attack.mitre.org/techniques/T1053/003) | filesystem | -| Set Setuid or Setgid bit | When the setuid or setgid bits are set for an application, this means that the application will run with the privileges of the owning user or group respectively. 
Detect setuid or setgid bits set via chmod | container, host | mitre_persistence | [T1548.001](https://attack.mitre.org/techniques/T1548/001) | process, users | -| Unexpected UDP Traffic | UDP traffic not on port 53 (DNS) or other commonly used ports | container, host | mitre_exfiltration | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| Unexpected inbound connection source | Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network | -| Unexpected outbound connection destination | Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names | container, host | mitre_command_and_control | [TA0011](https://attack.mitre.org/tactics/TA0011) | network |
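Review bot: in `.github/workflows/pages.yaml` the "Generate inventory" step runs before `pip install -r requirements.txt` and redirects into `docs/overview.md`, but nothing in this patch creates a `docs/` directory and `requirements.txt` only lists `mkdocs` and `mkdocs-material`; if `docs/` is not already tracked the shell redirect fails, and any third-party import in `rules_overview_generator.py` fails because no dependency has been installed yet. Suggest `mkdir -p docs` (or committing `docs/.gitkeep`), moving the `pip install` step ahead of the generator, and adding the generator's own dependencies to `requirements.txt`. Separately, the actions are referenced by mutable major tags (`actions/checkout@v3`, `actions/setup-python@v2`, `actions/upload-pages-artifact@v1`, `actions/deploy-pages@v1`); since this job holds `id-token: write` and `pages: write`, a moved tag would run third-party code with deploy credentials, so pin each `uses:` to a full commit SHA (with the tag in a trailing comment), and bring `setup-python` up to the same major generation as `checkout` while doing so.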
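Review bot: in `mkdocs.yml`, `site_url: https://github.com/falcosecurity/rules` is the repository URL, not the URL the site is served from; mkdocs uses `site_url` as the base for canonical links, the sitemap and absolute asset paths, so the built site will point back at GitHub instead of the Pages host that `actions/deploy-pages` publishes to (the value the workflow exposes as `steps.deployment.outputs.page_url`). Set `site_url` to the Pages URL and put the repository link in `repo_url`, which is the mkdocs option meant for it.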
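Review bot: `requirements.txt` pins nothing (`mkdocs`, `mkdocs-material`), so every push to `main` pulls whatever the latest releases are into a job that deploys to Pages; a broken or compromised upstream release lands on the site without any change in this repo. Pin exact versions (ideally with `--hash` entries and `pip install --require-hashes`) so the build is reproducible and upgrades arrive as reviewed commits.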
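Review bot: deleting `rules_inventory/rules_overview.md` moves the generated overview from the tree to the built site, and the output path changes from `rules_inventory/rules_overview.md` to `docs/overview.md`; any in-repo link to the old path (README, contributor docs) will now 404, so grep for the old path and update it to the Pages URL. The removed file also carried the "Last Updated" date and the rule counts; with the file gone, readers without access to the Pages site have no rendered overview, so it would help to document in the README that the overview is produced by `rules_inventory/scripts/rules_overview_generator.py` and where it is published.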