Rule: detecting executions looking for AWS credentials

Signed-off-by: Alberto Pellitteri <albertopellitteri96@gmail.com> Co-authored-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
falcosecurity · Dec 16, 2022 · 68b87a6 · 68b87a6
1 parent e5f3b72
commit 68b87a6
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -3262,10 +3262,6 @@
   priority: WARNING
   tags: [container, filesystem, mitre_initial_access, T1611]
 
-# Application rules have moved to application_rules.yaml. Please look
-# there if you want to enable them by adding to
-# falco_rules.local.yaml.
-
 - list: known_binaries_to_read_environment_variables_from_proc_files
   items: [scsi_id, argoexec]
 
@@ -3292,3 +3288,25 @@
   output: Detected ptrace PTRACE_ATTACH attempt (proc.cmdline=%proc.cmdline container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name group.gid=%group.gid group.name=%group.name container.id=%container.id container.name=%container.name image=%container.image.repository)
   priority: WARNING
   tags: [process]
+
+- macro: private_aws_credentials
+  condition: >
+    (proc.args icontains "aws_access_key_id" or
+    proc.args icontains "aws_secret_access_key" or
+    proc.args icontains "aws_session_token" or
+    proc.args icontains "accesskeyid" or
+    proc.args icontains "secretaccesskey")
+
+- rule: Find AWS Credentials
+  desc: Find or grep AWS credentials
+  condition: >
+    spawned_process and
+    ((grep_commands and private_aws_credentials) or
+    (proc.name = "find" and proc.args endswith ".aws/credentials"))
+  output: Detected AWS credentials search activity (user.name=%user.name user.loginuid=%user.loginuid proc.cmdline=%proc.cmdline container.id=%container.id container_name=%container.name evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: WARNING
+  tags: [mitre_credential_access, process, aws]
+
+# Application rules have moved to application_rules.yaml. Please look
+# there if you want to enable them by adding to
+# falco_rules.local.yaml.