Add XPAV-derived detection rules for cryptominer, webshell, and container escape #343
Open
JNC4 wants to merge 1 commit into falcosecurity:main from
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: JNC4
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Welcome @JNC4! It looks like this is your first PR to falcosecurity/rules 🎉
…iner escape

This PR adds 6 new detection rules derived from the XPAV project (https://github.com/JNC4/xpav), focusing on threat vectors not covered by existing Falco rules:

**Cryptominer Detection:**
- Known Cryptominer Process Executed: Detects common miner binaries (xmrig, ethminer, etc.) - complements existing stratum protocol rule

**Web Server Abuse (Webshell Detection):**
- Web Server Spawned Shell: Detects shells spawned from nginx/apache/php-fpm
- Web Server Spawned Suspicious Child: Detects curl/wget/nc from web servers
- Reverse Shell from Web Server: Detects common reverse shell patterns

**Container Escape:**
- Privileged Container Device Access: Detects raw block device access
- Container Access to Host Sensitive Paths: Detects /host /rootfs access

All rules include:
- MITRE ATT&CK technique mapping
- Tuning macros (user_known_*) for customization
- Detailed descriptions with anti-pattern guidance
- Appropriate priority levels

These rules address the gap in web server/webshell detection which is a common attack vector not currently covered by Falco's ruleset.

Signed-off-by: Julius C <jnc4mail@gmail.com>
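As an added illustration of the web server abuse rules the commit message describes (this is example code written here, not the PR's diff, which is not reproduced on this page), the following self-contained fragment reconstructs the three webshell-related rules in the falcosecurity/rules style. The `spawned_process` and `never_true` macros are redefined so the file loads on its own; the list contents, the `user_known_web_server_shell_activities` tuning macro, the outputs, priorities and tags are assumptions chosen for the example and need not match what the PR actually submitted.

```yaml
# Example Falco rules (added here, not the PR's own file). Lists, macro
# names, priorities and tags are assumptions for illustration.

- macro: never_true
  condition: (evt.num=0)

# Same definition as upstream falco_rules.yaml; repeated so this loads alone.
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# Apache is "httpd" on RHEL-family and "apache2" on Debian-family systems,
# so both spellings are listed.
- list: web_server_binaries
  items: [nginx, apache, apache2, httpd, php-fpm, php-fpm7, php-fpm8, php, lighttpd, caddy]

- list: shell_binaries
  items: [bash, sh, dash, zsh, ksh, ash]

- list: web_server_suspicious_children
  items: [curl, wget, nc, ncat, netcat, socat, python, python3, perl, ruby]

- macro: web_server_process
  condition: (proc.pname in (web_server_binaries))

# Tuning hook: override in a locally loaded rules file to allow legitimate
# shell-outs, e.g. a PHP app that calls ImageMagick via exec().
- macro: user_known_web_server_shell_activities
  condition: (never_true)

- rule: Web Server Spawned Shell
  desc: >
    A shell was spawned directly by a web server process. Web servers almost
    never need a shell; this is a strong indicator of a webshell or of command
    injection in the hosted application. Tune with
    user_known_web_server_shell_activities for apps that legitimately call
    system(), exec() or popen().
  condition: >
    spawned_process and web_server_process
    and proc.name in (shell_binaries)
    and not user_known_web_server_shell_activities
  output: >
    Shell spawned by web server (parent=%proc.pname pcmdline=%proc.pcmdline
    cmdline=%proc.cmdline user=%user.name container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [maturity_sandbox, host, container, process, mitre_persistence, T1505.003]

- rule: Web Server Spawned Suspicious Child Process
  desc: >
    A download or scripting tool was launched by a web server process.
    Attackers commonly fetch a second stage with curl/wget and run it with
    python/perl after exploiting a web application.
  condition: >
    spawned_process and web_server_process
    and proc.name in (web_server_suspicious_children)
    and not user_known_web_server_shell_activities
  output: >
    Suspicious child of web server (parent=%proc.pname proc=%proc.name
    cmdline=%proc.cmdline user=%user.name container_id=%container.id)
  priority: WARNING
  tags: [maturity_sandbox, host, container, process, mitre_execution, T1059]

- rule: Reverse Shell from Web Server
  desc: >
    A process spawned by a web server carries a well-known reverse shell idiom
    in its command line (bash /dev/tcp redirection, netcat -e, or an inline
    python/perl socket). Deliberately not covered by the allowlist macro:
    these patterns have no legitimate use under a web server.
  condition: >
    spawned_process and web_server_process
    and (proc.cmdline contains "/dev/tcp/"
         or proc.cmdline contains "nc -e"
         or proc.cmdline contains "ncat -e"
         or proc.cmdline contains "import socket"
         or proc.cmdline contains "socket(S,PF_INET")
  output: >
    Reverse shell pattern from web server (parent=%proc.pname
    cmdline=%proc.cmdline user=%user.name container_id=%container.id)
  priority: CRITICAL
  tags: [maturity_sandbox, host, container, process, mitre_execution, T1059.004]
```

Check the file with `falco -V <file>` before deploying it, and expect the first rule to fire on any PHP application that uses `sh -c` for legitimate shell-outs: that is the case the `user_known_web_server_shell_activities` macro exists for, and the right fix is to replace that macro's condition in a later-loaded rules file rather than to remove `sh` from the shell list.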
a1d4e33 to 207de51
Summary
This PR adds 6 new sandbox-level detection rules derived from the XPAV project, a behavioral threat detection daemon for Linux. These rules focus on threat vectors not currently covered by existing Falco rules.
New Rules
Cryptominer Detection:
- Known Cryptominer Process Executed - Detects execution of common miner binaries (xmrig, ethminer, cgminer, etc.) by matching process names. Complements the existing stratum protocol detection rule.

Web Server Abuse (Webshell Detection):
- Web Server Spawned Shell - Detects shells (bash, sh, etc.) spawned from web server processes (nginx, apache, php-fpm). Strong indicator of webshell exploitation.
- Web Server Spawned Suspicious Child Process - Detects suspicious children (curl, wget, netcat, python, perl) from web servers. Indicates web application exploitation.
- Reverse Shell from Web Server - Detects common reverse shell patterns (/dev/tcp, nc -e, python socket imports) spawned from web servers.

Container Escape:
- Privileged Container Device Access - Detects container processes accessing raw block devices (/dev/sda, /dev/nvme, /dev/mem), which can be used to escape container isolation.
- Container Access to Host Sensitive Paths - Detects container access to /host, /rootfs, /hostfs paths indicating exposed host filesystem.

Why These Rules?
The web server abuse rules address a significant gap in Falco's current ruleset. Webshells are one of the most common persistence mechanisms used by attackers after compromising web applications (MITRE T1505.003), yet Falco doesn't have specific detection for web server processes spawning shells or suspicious children.
Design Decisions
- maturity_sandbox as appropriate for new contributions
- user_known_* macros for environment-specific tuning

Testing
Rules have been validated for:
Related