new(rules): detect security tool impairment in containers (T1562.001)#367
new(rules): detect security tool impairment in containers (T1562.001)#367JayKnowSo wants to merge 3 commits into
Conversation
Signed-off-by: DevNow <worklife0524@gmail.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: JayKnowSo The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
leogr
left a comment
There was a problem hiding this comment.
Hey @JayKnowSo
Thanks for tackling this!
The bulk of my feedback is around substring-matching precision and a couple of output-template alignments, see inline 👇
Otherwise, SGMT.
🙏
| (proc.name = systemctl and proc.args contains "stop" and | ||
| (proc.args contains "falco" or proc.args contains "auditd" or | ||
| proc.args contains "sysdig" or proc.args contains "osquery")) | ||
| or | ||
| (proc.name = service and proc.args contains "stop" and | ||
| (proc.args contains "falco" or proc.args contains "auditd")) |
There was a problem hiding this comment.
| (proc.name = systemctl and proc.args contains "stop" and | |
| (proc.args contains "falco" or proc.args contains "auditd" or | |
| proc.args contains "sysdig" or proc.args contains "osquery")) | |
| or | |
| (proc.name = service and proc.args contains "stop" and | |
| (proc.args contains "falco" or proc.args contains "auditd")) | |
| (proc.name = systemctl and | |
| (proc.args startswith "stop " or proc.args contains " stop ") and | |
| (proc.args contains " falco" or proc.args contains " auditd" or | |
| proc.args contains " sysdig" or proc.args contains " osquery")) | |
| or | |
| (proc.name = service and | |
| (proc.args startswith "falco " or proc.args startswith "auditd ") and | |
| (proc.args endswith " stop" or proc.args contains " stop ")) |
The current proc.args contains "stop" and (proc.args contains "falco" or ...) is an unanchored substring search on the full joined args. Both substrings just have to appear anywhere in the string, so the rule can fire on:
systemctl status mystop.service(if"falco"happens to appear elsewhere, e.g., in an env var path the args carry)systemctl reload falco-helper-stopwatch.service(verb isreload, but bothstopandfalcosubstrings match)
Our convention for short-token matching is whitespace anchoring, see the netcat rule at falco_rules.yaml:849-851 (proc.args contains "-e ", etc.). The suggestion above anchors both the verb and the daemon name with leading/trailing whitespace, matching realistic usage like systemctl stop falco, systemctl --no-block stop falco, service falco stop while rejecting the substring-noise cases.
| (proc.name in (iptables, ip6tables) and | ||
| (proc.args contains "-F" or proc.args contains "--flush" or | ||
| proc.args contains "-X" or proc.args contains "--delete-chain")) |
There was a problem hiding this comment.
| (proc.name in (iptables, ip6tables) and | |
| (proc.args contains "-F" or proc.args contains "--flush" or | |
| proc.args contains "-X" or proc.args contains "--delete-chain")) | |
| (proc.name in (iptables, ip6tables) and | |
| (proc.args startswith "-F" or proc.args startswith "--flush" or | |
| proc.args startswith "-X" or proc.args startswith "--delete-chain" or | |
| proc.args contains " -F" or proc.args contains " --flush" or | |
| proc.args contains " -X" or proc.args contains " --delete-chain")) |
Same precision concern as the systemctl block. proc.args contains "-F" matches the substring -F anywhere in the args, including inside chain names or comment text. Combining startswith for first-position flags with contains " -F" (leading space) for later positions covers both placements while staying anchored to whitespace boundaries - same pattern as falco_rules.yaml:849-851 and falco-incubating_rules.yaml:1162-1165.
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: JayKnowSo <self_realized_god@proton.me>
Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Signed-off-by: JayKnowSo <self_realized_god@proton.me>
|
Addressed the yamllint The remaining CI failures are pre-existing violations in |
Summary
Adds a detection rule for MITRE ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools) scoped to container workloads.
What this detects
iptables/ip6tablesflush or delete-chain commands inside a containersystemctl stoptargeting security daemons (falco, auditd, sysdig, osquery)service stoptargeting falco or auditdWhy this matters
T1562 was the most prevalent defense evasion technique in malware campaigns in 2025. After achieving initial execution in a container (T1059), adversaries commonly disable runtime security tooling before lateral movement. No existing rule in stable, incubating, or sandbox tiers covers this technique for container workloads.
MITRE ATT&CK
https://attack.mitre.org/techniques/T1562/001/
False positives
Tunable via
user_known_security_tool_disable_activitiesmacro. Legitimate iptables usage in containers is rare and should be explicitly allowlisted.Testing
Rule fires on:
iptables -F,systemctl stop falco,service stop auditdexecuted inside a running container.