1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
package tracee.TRC_3
import data.tracee.helpers
__rego_metadoc__ := {
"id": "TRC-3",
"version": "0.1.0",
"name": "Code injection",
"eventName": "code_injection",
"description": "Possible code injection into another process",
"tags": ["linux", "container"],
"properties": {
"Severity": 3,
"MITRE ATT&CK": "Defense Evasion: Process Injection",
},
}
eventSelectors := [
{
"source": "tracee",
"name": "ptrace",
},
{
"source": "tracee",
"name": "security_file_open",
},
{
"source": "tracee",
"name": "process_vm_writev",
},
]
tracee_selected_events[eventSelector] {
eventSelector := eventSelectors[_]
}
tracee_match {
input.eventName == "ptrace"
arg_value = helpers.get_tracee_argument("request")
arg_value == "PTRACE_POKETEXT"
}
tracee_match = res {
input.eventName == "security_file_open"
flags = helpers.get_tracee_argument("flags")
helpers.is_file_write(flags)
pathname := helpers.get_tracee_argument("pathname")
regex.match(`/proc/(?:\d.+|self)/mem`, pathname)
res := {
"file flags": flags,
"file path": pathname,
}
}
tracee_match {
input.eventName == "process_vm_writev"
dst_pid = helpers.get_tracee_argument("pid")
dst_pid != input.processId
}
|