diff --git a/deploy/helm/tracee/Chart.yaml b/deploy/helm/tracee/Chart.yaml index e97a3876e266..9d419f0dcb1a 100644 --- a/deploy/helm/tracee/Chart.yaml +++ b/deploy/helm/tracee/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: tracee description: Linux Runtime Security and Forensics using eBPF -home: https://aquasecurity.github.io/tracee/v0.22.1/ +home: https://aquasecurity.github.io/tracee/v0.22.2/ sources: - https://github.com/aquasecurity/tracee @@ -18,10 +18,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.22.1" +version: "0.22.2" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.22.1" +appVersion: "0.22.2" diff --git a/deploy/kubernetes/tracee/tracee.yaml b/deploy/kubernetes/tracee/tracee.yaml index 55b40cef7ea4..4ea18728ed60 100644 --- a/deploy/kubernetes/tracee/tracee.yaml +++ b/deploy/kubernetes/tracee/tracee.yaml @@ -5,10 +5,10 @@ kind: ServiceAccount metadata: name: tracee labels: - helm.sh/chart: tracee-0.22.1 + helm.sh/chart: tracee-0.22.2 app.kubernetes.io/name: tracee app.kubernetes.io/instance: tracee - app.kubernetes.io/version: "0.22.1" + app.kubernetes.io/version: "0.22.2" app.kubernetes.io/managed-by: Helm --- # Source: tracee/templates/serviceaccount.yaml @@ -17,10 +17,10 @@ kind: ServiceAccount metadata: name: tracee-operator labels: - helm.sh/chart: tracee-0.22.1 + helm.sh/chart: tracee-0.22.2 app.kubernetes.io/name: tracee app.kubernetes.io/instance: tracee - app.kubernetes.io/version: "0.22.1" + app.kubernetes.io/version: "0.22.2" app.kubernetes.io/managed-by: Helm --- # Source: tracee/templates/tracee-config.yaml @@ -29,10 +29,10 @@ kind: ConfigMap metadata: name: tracee-config labels: - helm.sh/chart: tracee-0.22.1 + helm.sh/chart: tracee-0.22.2 app.kubernetes.io/name: tracee app.kubernetes.io/instance: tracee - app.kubernetes.io/version: "0.22.1" + app.kubernetes.io/version: "0.22.2" app.kubernetes.io/managed-by: Helm data: config.yaml: |- @@ -118,10 +118,10 @@ kind: DaemonSet metadata: name: tracee labels: - helm.sh/chart: tracee-0.22.1 + helm.sh/chart: tracee-0.22.2 app.kubernetes.io/name: tracee app.kubernetes.io/instance: tracee - app.kubernetes.io/version: "0.22.1" + app.kubernetes.io/version: "0.22.2" app.kubernetes.io/managed-by: Helm spec: selector: @@ -140,7 +140,7 @@ spec: {} containers: - name: tracee - image: "docker.io/aquasec/tracee:0.22.1" + image: "docker.io/aquasec/tracee:0.22.2" imagePullPolicy: IfNotPresent command: - /tracee/tracee @@ -218,10 +218,10 @@ kind: Deployment metadata: name: tracee-operator labels: - helm.sh/chart: tracee-0.22.1 + helm.sh/chart: tracee-0.22.2 app.kubernetes.io/name: tracee app.kubernetes.io/instance: tracee - app.kubernetes.io/version: "0.22.1" + app.kubernetes.io/version: "0.22.2" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -238,7 +238,7 @@ spec: {} containers: - name: tracee-operator - image: "docker.io/aquasec/tracee:0.22.1" + image: "docker.io/aquasec/tracee:0.22.2" imagePullPolicy: IfNotPresent command: - /tracee/tracee-operator diff --git a/pkg/signatures/benchmark/benchmark_test.go b/pkg/signatures/benchmark/benchmark_test.go index 506c908bf5d7..43b11aa685c7 100644 --- a/pkg/signatures/benchmark/benchmark_test.go +++ b/pkg/signatures/benchmark/benchmark_test.go @@ -9,7 +9,6 @@ import ( "github.com/stretchr/testify/require" - "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/pkg/signatures/benchmark/signature/golang" "github.com/aquasecurity/tracee/pkg/signatures/benchmark/signature/rego" "github.com/aquasecurity/tracee/pkg/signatures/engine" @@ -231,58 +230,6 @@ func BenchmarkEngineWithNSignatures(b *testing.B) { } } -func BenchmarkEngineMultipleMethodsGetMetadata(b *testing.B) { - benches := []struct { - name string - sigFuncs []func() (detect.Signature, error) - Enabled bool - }{ - { - name: "Performance sig GetMetadata() - static", - sigFuncs: []func() (detect.Signature, error){golang.NewPerformanceStatic}, - }, - } - - for _, bc := range benches { - b.Run(bc.name, func(b *testing.B) { - var sigs []detect.Signature - for _, sig := range bc.sigFuncs { - s, _ := sig() - sigs = append(sigs, s) - } - - for i := 0; i < b.N; i++ { - // Produce events without timing it - b.StopTimer() - inputs := ProduceEventsInMemory(inputEventsCount) - output := make(chan *detect.Finding, inputEventsCount*len(sigs)) - - config := engine.Config{ - Signatures: sigs, - Enabled: true, - SigNameToEventID: allocateEventIdsForSigs(events.StartSignatureID, sigs), - ShouldDispatchEvent: func(int32) bool { return true }, - } - - e, err := engine.NewEngine(config, inputs, output) - require.NoError(b, err, "constructing engine") - - err = e.Init() - require.NoError(b, err, "initializing engine") - b.StartTimer() - - // Start signatures engine and wait until all events are processed - e.Start(waitForEventsProcessed(inputs.Tracee)) - - b.StopTimer() - - // Set engine to nil to help with garbage collection - e = nil - runtime.GC() - } - }) - } -} func waitForEventsProcessed(eventsCh chan protocol.Event) context.Context { ctx, cancel := context.WithCancel(context.Background()) go func() { diff --git a/pkg/signatures/benchmark/helpers_test.go b/pkg/signatures/benchmark/helpers_test.go index 0afb9705b848..2f2c81cc8d36 100644 --- a/pkg/signatures/benchmark/helpers_test.go +++ b/pkg/signatures/benchmark/helpers_test.go @@ -4,10 +4,7 @@ import ( _ "embed" "math/rand" - "github.com/aquasecurity/tracee/pkg/events" - "github.com/aquasecurity/tracee/pkg/logger" "github.com/aquasecurity/tracee/pkg/signatures/engine" - "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" "github.com/aquasecurity/tracee/types/trace" ) @@ -174,20 +171,3 @@ func ProduceEventsInMemoryRandom(n int, seed ...trace.Event) engine.EventSources Tracee: eventsCh, } } - -func allocateEventIdsForSigs(startId events.ID, sigs []detect.Signature) map[string]int32 { - namesToIds := make(map[string]int32) - newEventDefID := startId - // First allocate event IDs to all signatures - for _, s := range sigs { - m, err := s.GetMetadata() - if err != nil { - logger.Warnw("Failed to allocate id for signature", "error", err) - continue - } - - namesToIds[m.EventName] = int32(newEventDefID) - newEventDefID++ - } - return namesToIds -} diff --git a/pkg/signatures/benchmark/signature/golang/performance_static.go b/pkg/signatures/benchmark/signature/golang/performance_static.go deleted file mode 100644 index 6554d416f7e5..000000000000 --- a/pkg/signatures/benchmark/signature/golang/performance_static.go +++ /dev/null @@ -1,123 +0,0 @@ -package golang - -import ( - "fmt" - "regexp" - - "github.com/aquasecurity/tracee/signatures/helpers" - "github.com/aquasecurity/tracee/types/detect" - "github.com/aquasecurity/tracee/types/protocol" - "github.com/aquasecurity/tracee/types/trace" -) - -type performanceStatic struct { - processMemFileRegexp *regexp.Regexp - cb detect.SignatureHandler -} - -var performanceStaticRegexp = regexp.MustCompile(`^/proc/(?:\d+|self)/mem$`) - -var performanceStaticMetadata = detect.SignatureMetadata{ - Name: "Code injection", - EventName: "test_event_name", - Description: "Possible process injection detected during runtime", - Tags: []string{"linux", "container"}, - Properties: map[string]interface{}{ - "Severity": 3, - "MITRE ATT&CK": "Defense Evasion: Process Injection", - }, -} - -func NewPerformanceStatic() (detect.Signature, error) { - return &performanceStatic{ - processMemFileRegexp: performanceStaticRegexp, - }, nil -} - -func (sig *performanceStatic) Init(ctx detect.SignatureContext) error { - sig.cb = ctx.Callback - - return nil -} - -func (sig *performanceStatic) GetMetadata() (detect.SignatureMetadata, error) { - return performanceStaticMetadata, nil -} - -func (sig *performanceStatic) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { - return []detect.SignatureEventSelector{ - {Source: "tracee", Name: "ptrace"}, - {Source: "tracee", Name: "open"}, - {Source: "tracee", Name: "openat"}, - {Source: "tracee", Name: "execve"}, - }, nil -} - -func (sig *performanceStatic) OnEvent(event protocol.Event) error { - // event example: - // { "eventName": "ptrace", "args": [{"name": "request", "value": "PTRACE_POKETEXT" }]} - // { "eventName": "open", "args": [{"name": "flags", "value": "o_wronly" }, {"name": "pathname", "value": "/proc/self/mem" }]} - // { "eventName": "execve" args": [{"name": "envp", "value": ["FOO=BAR", "LD_PRELOAD=/something"] }, {"name": "argv", "value": ["ls"] }]} - ee, ok := event.Payload.(trace.Event) - - if !ok { - return fmt.Errorf("failed to cast event's payload") - } - switch ee.EventName { - case "open", "openat": - flags, err := helpers.GetTraceeArgumentByName(ee, "flags", helpers.GetArgOps{DefaultArgs: false}) - if err != nil { - return fmt.Errorf("%v %#v", err, ee) - } - if helpers.IsFileWrite(flags.Value.(string)) { - pathname, err := helpers.GetTraceeArgumentByName(ee, "pathname", helpers.GetArgOps{DefaultArgs: false}) - if err != nil { - return err - } - if sig.processMemFileRegexp.MatchString(pathname.Value.(string)) { - metadata, err := sig.GetMetadata() - if err != nil { - return err - } - sig.cb(&detect.Finding{ - SigMetadata: metadata, - Event: event, - Data: map[string]interface{}{ - "file flags": flags, - "file path": pathname.Value.(string), - }, - }) - } - } - case "ptrace": - request, err := helpers.GetTraceeArgumentByName(ee, "request", helpers.GetArgOps{DefaultArgs: false}) - if err != nil { - return err - } - - requestString, ok := request.Value.(string) - if !ok { - return fmt.Errorf("failed to cast request's value") - } - - if requestString == "PTRACE_POKETEXT" || requestString == "PTRACE_POKEDATA" { - metadata, err := sig.GetMetadata() - if err != nil { - return err - } - sig.cb(&detect.Finding{ - SigMetadata: metadata, - Event: event, - Data: map[string]interface{}{ - "ptrace request": requestString, - }, - }) - } - } - return nil -} - -func (sig *performanceStatic) OnSignal(s detect.Signal) error { - return nil -} -func (sig *performanceStatic) Close() {} diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go index 46f07129dd05..9b2fb22afda8 100644 --- a/signatures/golang/anti_debugging_ptraceme.go +++ b/signatures/golang/anti_debugging_ptraceme.go @@ -14,22 +14,6 @@ type AntiDebuggingPtraceme struct { ptraceTraceMe string } -var antiDebuggingPtracemeMetada = detect.SignatureMetadata{ - ID: "TRC-102", - Version: "1", - Name: "Anti-Debugging detected", - EventName: "anti_debugging", - Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.", - Properties: map[string]interface{}{ - "Severity": 1, - "Category": "defense-evasion", - "Technique": "Debugger Evasion", - "Kubernetes_Technique": "", - "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", - "external_id": "T1622", - }, -} - func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.ptraceTraceMe = "PTRACE_TRACEME" @@ -37,7 +21,21 @@ func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error { } func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) { - return antiDebuggingPtracemeMetada, nil + return detect.SignatureMetadata{ + ID: "TRC-102", + Version: "1", + Name: "Anti-Debugging detected", + EventName: "anti_debugging", + Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.", + Properties: map[string]interface{}{ + "Severity": 1, + "Category": "defense-evasion", + "Technique": "Debugger Evasion", + "Kubernetes_Technique": "", + "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "external_id": "T1622", + }, + }, nil } func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go index 09339d5ae416..e16855f980a8 100644 --- a/signatures/golang/aslr_inspection.go +++ b/signatures/golang/aslr_inspection.go @@ -14,22 +14,6 @@ type AslrInspection struct { aslrPath string } -var aslrInspectionMetadata = detect.SignatureMetadata{ - ID: "TRC-109", - Version: "1", - Name: "ASLR inspection detected", - EventName: "aslr_inspection", - Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.", - Properties: map[string]interface{}{ - "Severity": 0, - "Category": "privilege-escalation", - "Technique": "Exploitation for Privilege Escalation", - "Kubernetes_Technique": "", - "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", - "external_id": "T1068", - }, -} - func (sig *AslrInspection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.aslrPath = "/proc/sys/kernel/randomize_va_space" @@ -37,7 +21,21 @@ func (sig *AslrInspection) Init(ctx detect.SignatureContext) error { } func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) { - return aslrInspectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-109", + Version: "1", + Name: "ASLR inspection detected", + EventName: "aslr_inspection", + Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.", + Properties: map[string]interface{}{ + "Severity": 0, + "Category": "privilege-escalation", + "Technique": "Exploitation for Privilege Escalation", + "Kubernetes_Technique": "", + "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", + "external_id": "T1068", + }, + }, nil } func (sig *AslrInspection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go index ad209b44b0f3..1f018e0cdd28 100644 --- a/signatures/golang/cgroup_notify_on_release_modification.go +++ b/signatures/golang/cgroup_notify_on_release_modification.go @@ -15,22 +15,6 @@ type CgroupNotifyOnReleaseModification struct { notifyFileName string } -var cgroupNotifyOnReleaseModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-106", - Version: "1", - Name: "Cgroups notify_on_release file modification", - EventName: "cgroup_notify_on_release", - Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.notifyFileName = "notify_on_release" @@ -38,7 +22,21 @@ func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext) } func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) { - return cgroupNotifyOnReleaseModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-106", + Version: "1", + Name: "Cgroups notify_on_release file modification", + EventName: "cgroup_notify_on_release", + Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *CgroupNotifyOnReleaseModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go index 655ab30ceed4..87685fcf2cad 100644 --- a/signatures/golang/cgroup_release_agent_modification.go +++ b/signatures/golang/cgroup_release_agent_modification.go @@ -15,22 +15,6 @@ type CgroupReleaseAgentModification struct { releaseAgentName string } -var cgroupReleaseAgentModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1010", - Version: "1", - Name: "Cgroups release agent file modification", - EventName: "cgroup_release_agent", - Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.releaseAgentName = "release_agent" @@ -38,7 +22,21 @@ func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) err } func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) { - return cgroupReleaseAgentModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1010", + Version: "1", + Name: "Cgroups release agent file modification", + EventName: "cgroup_release_agent", + Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *CgroupReleaseAgentModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go index a4d4e40908bc..5672a56c5629 100644 --- a/signatures/golang/core_pattern_modification.go +++ b/signatures/golang/core_pattern_modification.go @@ -15,22 +15,6 @@ type CorePatternModification struct { corePattern string } -var corePatternModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1011", - Version: "1", - Name: "Core dumps configuration file modification detected", - EventName: "core_pattern_modification", - Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.corePattern = "/proc/sys/kernel/core_pattern" @@ -38,7 +22,21 @@ func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error { } func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) { - return corePatternModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1011", + Version: "1", + Name: "Core dumps configuration file modification detected", + EventName: "core_pattern_modification", + Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *CorePatternModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go index dd1d054b006c..d2a2df58c1e0 100644 --- a/signatures/golang/default_loader_modification.go +++ b/signatures/golang/default_loader_modification.go @@ -16,22 +16,6 @@ type DefaultLoaderModification struct { compiledRegex *regexp.Regexp } -var defaultLoaderModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1012", - Version: "1", - Name: "Default dynamic loader modification detected", - EventName: "default_loader_mod", - Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Hijack Execution Flow", - "Kubernetes_Technique": "", - "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", - "external_id": "T1574", - }, -} - func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -41,7 +25,21 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error { } func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) { - return defaultLoaderModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1012", + Version: "1", + Name: "Default dynamic loader modification detected", + EventName: "default_loader_mod", + Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Hijack Execution Flow", + "Kubernetes_Technique": "", + "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "external_id": "T1574", + }, + }, nil } func (sig *DefaultLoaderModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/disk_mount.go b/signatures/golang/disk_mount.go index f5ddf9f29ac9..60e0f70ecc52 100644 --- a/signatures/golang/disk_mount.go +++ b/signatures/golang/disk_mount.go @@ -15,22 +15,6 @@ type DiskMount struct { devDir string } -var diskMountMetadata = detect.SignatureMetadata{ - ID: "TRC-1014", - Version: "1", - Name: "Container device mount detected", - EventName: "disk_mount", - Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *DiskMount) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.devDir = "/dev/" @@ -38,7 +22,21 @@ func (sig *DiskMount) Init(ctx detect.SignatureContext) error { } func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) { - return diskMountMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1014", + Version: "1", + Name: "Container device mount detected", + EventName: "disk_mount", + Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *DiskMount) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go index d1e82d0d78f8..9671f763c56c 100644 --- a/signatures/golang/docker_abuse.go +++ b/signatures/golang/docker_abuse.go @@ -15,22 +15,6 @@ type DockerAbuse struct { dockerSock string } -var dockerAbuseMetadata = detect.SignatureMetadata{ - ID: "TRC-1019", - Version: "1", - Name: "Docker socket abuse detected", - EventName: "docker_abuse", - Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "privilege-escalation", - "Technique": "Exploitation for Privilege Escalation", - "Kubernetes_Technique": "", - "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", - "external_id": "T1068", - }, -} - func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.dockerSock = "docker.sock" @@ -38,7 +22,21 @@ func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error { } func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) { - return dockerAbuseMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1019", + Version: "1", + Name: "Docker socket abuse detected", + EventName: "docker_abuse", + Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "privilege-escalation", + "Technique": "Exploitation for Privilege Escalation", + "Kubernetes_Technique": "", + "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", + "external_id": "T1068", + }, + }, nil } func (sig *DockerAbuse) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/dropped_executable.go b/signatures/golang/dropped_executable.go index dfe2756a9866..9650379b8d29 100644 --- a/signatures/golang/dropped_executable.go +++ b/signatures/golang/dropped_executable.go @@ -13,29 +13,27 @@ type DroppedExecutable struct { cb detect.SignatureHandler } -var droppedExecutableMetadata = detect.SignatureMetadata{ - ID: "TRC-1022", - Version: "1", - Name: "New executable dropped", - EventName: "dropped_executable", - Description: "An Executable file was dropped in the system during runtime. Container images are usually built with all binaries needed inside. A dropped binary may indicate that an adversary infiltrated your container.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "defense-evasion", - "Technique": "Masquerading", - "Kubernetes_Technique": "", - "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", - "external_id": "T1036", - }, -} - func (sig *DroppedExecutable) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *DroppedExecutable) GetMetadata() (detect.SignatureMetadata, error) { - return droppedExecutableMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1022", + Version: "1", + Name: "New executable dropped", + EventName: "dropped_executable", + Description: "An Executable file was dropped in the system during runtime. Container images are usually built with all binaries needed inside. A dropped binary may indicate that an adversary infiltrated your container.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "defense-evasion", + "Technique": "Masquerading", + "Kubernetes_Technique": "", + "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", + "external_id": "T1036", + }, + }, nil } func (sig *DroppedExecutable) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/dynamic_code_loading.go b/signatures/golang/dynamic_code_loading.go index 81c7728161e4..be148f9b5484 100644 --- a/signatures/golang/dynamic_code_loading.go +++ b/signatures/golang/dynamic_code_loading.go @@ -14,22 +14,6 @@ type DynamicCodeLoading struct { alertText string } -var dynamicCodeLoadingMetadata = detect.SignatureMetadata{ - ID: "TRC-104", - Version: "1", - Name: "Dynamic code loading detected", - EventName: "dynamic_code_loading", - Description: "Possible dynamic code loading was detected as the binary's memory is both writable and executable. Writing to an executable allocated memory region could be a technique used by adversaries to run code undetected and without dropping executables.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "defense-evasion", - "Technique": "Software Packing", - "Kubernetes_Technique": "", - "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", - "external_id": "T1027.002", - }, -} - func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.alertText = "Protection changed from W to E!" @@ -37,7 +21,21 @@ func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error { } func (sig *DynamicCodeLoading) GetMetadata() (detect.SignatureMetadata, error) { - return dynamicCodeLoadingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-104", + Version: "1", + Name: "Dynamic code loading detected", + EventName: "dynamic_code_loading", + Description: "Possible dynamic code loading was detected as the binary's memory is both writable and executable. Writing to an executable allocated memory region could be a technique used by adversaries to run code undetected and without dropping executables.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "defense-evasion", + "Technique": "Software Packing", + "Kubernetes_Technique": "", + "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_id": "T1027.002", + }, + }, nil } func (sig *DynamicCodeLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/fileless_execution.go b/signatures/golang/fileless_execution.go index 1728476b192a..8fdc54636978 100644 --- a/signatures/golang/fileless_execution.go +++ b/signatures/golang/fileless_execution.go @@ -13,29 +13,27 @@ type FilelessExecution struct { cb detect.SignatureHandler } -var filelessExecutionMetadata = detect.SignatureMetadata{ - ID: "TRC-105", - Version: "1", - Name: "Fileless execution detected", - EventName: "fileless_execution", - Description: "Fileless execution was detected. Executing a process from memory instead from a file in the filesystem may indicate that an adversary is trying to avoid execution detection.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Reflective Code Loading", - "Kubernetes_Technique": "", - "id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a", - "external_id": "T1620", - }, -} - func (sig *FilelessExecution) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *FilelessExecution) GetMetadata() (detect.SignatureMetadata, error) { - return filelessExecutionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-105", + Version: "1", + Name: "Fileless execution detected", + EventName: "fileless_execution", + Description: "Fileless execution was detected. Executing a process from memory instead from a file in the filesystem may indicate that an adversary is trying to avoid execution detection.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Reflective Code Loading", + "Kubernetes_Technique": "", + "id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a", + "external_id": "T1620", + }, + }, nil } func (sig *FilelessExecution) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/hidden_file_created.go b/signatures/golang/hidden_file_created.go index 69a5a68ec9fa..c0d957ab9fbb 100644 --- a/signatures/golang/hidden_file_created.go +++ b/signatures/golang/hidden_file_created.go @@ -15,22 +15,6 @@ type HiddenFileCreated struct { hiddenPathPattern string } -var hiddenFileCreatedMetadata = detect.SignatureMetadata{ - ID: "TRC-1015", - Version: "1", - Name: "Hidden executable creation detected", - EventName: "hidden_file_created", - Description: "A hidden executable (ELF file) was created on disk. This activity could be legitimate; however, it could indicate that an adversary is trying to avoid detection by hiding their programs.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "defense-evasion", - "Technique": "Hidden Files and Directories", - "Kubernetes_Technique": "", - "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", - "external_id": "T1564.001", - }, -} - func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.hiddenPathPattern = "/." @@ -38,7 +22,21 @@ func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error { } func (sig *HiddenFileCreated) GetMetadata() (detect.SignatureMetadata, error) { - return hiddenFileCreatedMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1015", + Version: "1", + Name: "Hidden executable creation detected", + EventName: "hidden_file_created", + Description: "A hidden executable (ELF file) was created on disk. This activity could be legitimate; however, it could indicate that an adversary is trying to avoid detection by hiding their programs.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "defense-evasion", + "Technique": "Hidden Files and Directories", + "Kubernetes_Technique": "", + "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "external_id": "T1564.001", + }, + }, nil } func (sig *HiddenFileCreated) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/illegitimate_shell.go b/signatures/golang/illegitimate_shell.go index d9234df0f285..c607742a2340 100644 --- a/signatures/golang/illegitimate_shell.go +++ b/signatures/golang/illegitimate_shell.go @@ -16,22 +16,6 @@ type IllegitimateShell struct { webServersProcessNames []string } -var illegitimateShellMetadata = detect.SignatureMetadata{ - ID: "TRC-1016", - Version: "1", - Name: "Web server spawned a shell", - EventName: "illegitimate_shell", - Description: "A web-server program on your server spawned a shell program. Shell is the linux command-line program, web servers usually don't run shell programs, so this alert might indicate an adversary is exploiting a web server program to gain command execution on the server.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "initial-access", - "Technique": "Exploit Public-Facing Application", - "Kubernetes_Technique": "", - "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", - "external_id": "T1190", - }, -} - func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.shellNames = []string{"/ash", "/bash", "/csh", "/ksh", "/sh", "/tcsh", "/zsh", "/dash"} @@ -40,7 +24,21 @@ func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error { } func (sig *IllegitimateShell) GetMetadata() (detect.SignatureMetadata, error) { - return illegitimateShellMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1016", + Version: "1", + Name: "Web server spawned a shell", + EventName: "illegitimate_shell", + Description: "A web-server program on your server spawned a shell program. Shell is the linux command-line program, web servers usually don't run shell programs, so this alert might indicate an adversary is exploiting a web server program to gain command execution on the server.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "initial-access", + "Technique": "Exploit Public-Facing Application", + "Kubernetes_Technique": "", + "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "external_id": "T1190", + }, + }, nil } func (sig *IllegitimateShell) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/k8s_service_account_token.go b/signatures/golang/k8s_service_account_token.go index 4f9bc02a087d..d721b3ac83c7 100644 --- a/signatures/golang/k8s_service_account_token.go +++ b/signatures/golang/k8s_service_account_token.go @@ -17,22 +17,6 @@ type K8SServiceAccountToken struct { compiledRegex *regexp.Regexp } -var k8SServiceAccountTokenMetadata = detect.SignatureMetadata{ - ID: "TRC-108", - Version: "1", - Name: "K8s service account token file read", - EventName: "k8s_service_account_token", - Description: "The Kubernetes service account token file was read on your container. This token is used to communicate with the Kubernetes API Server. Adversaries may try to communicate with the API Server to steal information and/or credentials, or even run more containers and laterally extend their grip on the systems.", - Properties: map[string]interface{}{ - "Severity": 0, - "Category": "credential-access", - "Technique": "Exploitation for Credential Access", - "Kubernetes_Technique": "Container service account", - "id": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", - "external_id": "T1212", - }, -} - func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -43,7 +27,21 @@ func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error { } func (sig *K8SServiceAccountToken) GetMetadata() (detect.SignatureMetadata, error) { - return k8SServiceAccountTokenMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-108", + Version: "1", + Name: "K8s service account token file read", + EventName: "k8s_service_account_token", + Description: "The Kubernetes service account token file was read on your container. This token is used to communicate with the Kubernetes API Server. Adversaries may try to communicate with the API Server to steal information and/or credentials, or even run more containers and laterally extend their grip on the systems.", + Properties: map[string]interface{}{ + "Severity": 0, + "Category": "credential-access", + "Technique": "Exploitation for Credential Access", + "Kubernetes_Technique": "Container service account", + "id": "attack-pattern--9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "external_id": "T1212", + }, + }, nil } func (sig *K8SServiceAccountToken) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/kernel_module_loading.go b/signatures/golang/kernel_module_loading.go index 22b207ab793e..37fd1f8a716e 100644 --- a/signatures/golang/kernel_module_loading.go +++ b/signatures/golang/kernel_module_loading.go @@ -13,29 +13,27 @@ type KernelModuleLoading struct { cb detect.SignatureHandler } -var kernelModuleLoadingMetadata = detect.SignatureMetadata{ - ID: "TRC-1017", - Version: "1", - Name: "Kernel module loading detected", - EventName: "kernel_module_loading", - Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "Kernel Modules and Extensions", - "Kubernetes_Technique": "", - "id": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6", - "external_id": "T1547.006", - }, -} - func (sig *KernelModuleLoading) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) { - return kernelModuleLoadingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1017", + Version: "1", + Name: "Kernel module loading detected", + EventName: "kernel_module_loading", + Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "Kernel Modules and Extensions", + "Kubernetes_Technique": "", + "id": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6", + "external_id": "T1547.006", + }, + }, nil } func (sig *KernelModuleLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/kubernetes_api_connection.go b/signatures/golang/kubernetes_api_connection.go index e26f79b053ce..4b1838dc6dc1 100644 --- a/signatures/golang/kubernetes_api_connection.go +++ b/signatures/golang/kubernetes_api_connection.go @@ -15,19 +15,6 @@ type K8sApiConnection struct { apiAddressContainerId map[string]string } -var k8sApiConnectionMetadata = detect.SignatureMetadata{ - ID: "TRC-1013", - Version: "0.1.0", - Name: "Kubernetes API server connection detected", - EventName: "k8s_api_connection", - Description: "A connection to the kubernetes API server was detected. The K8S API server is the brain of your K8S cluster, adversaries may try and communicate with the K8S API server to gather information/credentials, or even run more containers and laterally expand their grip on your systems.", - Tags: []string{"container"}, - Properties: map[string]interface{}{ - "Severity": 1, - "MITRE ATT&CK": "Discovery: Cloud Service Discovery", - }, -} - func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.apiAddressContainerId = make(map[string]string) @@ -36,7 +23,18 @@ func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error { } func (sig *K8sApiConnection) GetMetadata() (detect.SignatureMetadata, error) { - return k8sApiConnectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1013", + Version: "0.1.0", + Name: "Kubernetes API server connection detected", + EventName: "k8s_api_connection", + Description: "A connection to the kubernetes API server was detected. The K8S API server is the brain of your K8S cluster, adversaries may try and communicate with the K8S API server to gather information/credentials, or even run more containers and laterally expand their grip on your systems.", + Tags: []string{"container"}, + Properties: map[string]interface{}{ + "Severity": 1, + "MITRE ATT&CK": "Discovery: Cloud Service Discovery", + }, + }, nil } func (sig *K8sApiConnection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/kubernetes_certificate_theft_attempt.go b/signatures/golang/kubernetes_certificate_theft_attempt.go index 62032dc6e7ad..847b5b388c0f 100644 --- a/signatures/golang/kubernetes_certificate_theft_attempt.go +++ b/signatures/golang/kubernetes_certificate_theft_attempt.go @@ -16,22 +16,6 @@ type KubernetesCertificateTheftAttempt struct { k8sCertificatesDir string } -var kubernetesCertificateTheftAttemptMetadata = detect.SignatureMetadata{ - ID: "TRC-1018", - Version: "1", - Name: "K8s TLS certificate theft detected", - EventName: "k8s_cert_theft", - Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "credential-access", - "Technique": "Steal Application Access Token", - "Kubernetes_Technique": "", - "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a", - "external_id": "T1528", - }, -} - func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.legitProcs = []string{"kube-apiserver", "kubelet", "kube-controller", "etcd"} @@ -40,7 +24,21 @@ func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext) } func (sig *KubernetesCertificateTheftAttempt) GetMetadata() (detect.SignatureMetadata, error) { - return kubernetesCertificateTheftAttemptMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1018", + Version: "1", + Name: "K8s TLS certificate theft detected", + EventName: "k8s_cert_theft", + Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "credential-access", + "Technique": "Steal Application Access Token", + "Kubernetes_Technique": "", + "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a", + "external_id": "T1528", + }, + }, nil } func (sig *KubernetesCertificateTheftAttempt) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/ld_preload.go b/signatures/golang/ld_preload.go index fc508f652773..181e6ab27dbe 100644 --- a/signatures/golang/ld_preload.go +++ b/signatures/golang/ld_preload.go @@ -16,22 +16,6 @@ type LdPreload struct { preloadPath string } -var ldPreloadMetadata = detect.SignatureMetadata{ - ID: "TRC-107", - Version: "1", - Name: "LD_PRELOAD code injection detected", - EventName: "ld_preload", - Description: "LD_PRELOAD usage was detected. LD_PRELOAD lets you load your library before any other library, allowing you to hook functions in a process. Adversaries may use this technique to change your applications' behavior or load their own programs.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "Hijack Execution Flow", - "Kubernetes_Technique": "", - "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", - "external_id": "T1574", - }, -} - func (sig *LdPreload) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.preloadEnvs = []string{"LD_PRELOAD", "LD_LIBRARY_PATH"} @@ -40,7 +24,21 @@ func (sig *LdPreload) Init(ctx detect.SignatureContext) error { } func (sig *LdPreload) GetMetadata() (detect.SignatureMetadata, error) { - return ldPreloadMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-107", + Version: "1", + Name: "LD_PRELOAD code injection detected", + EventName: "ld_preload", + Description: "LD_PRELOAD usage was detected. LD_PRELOAD lets you load your library before any other library, allowing you to hook functions in a process. Adversaries may use this technique to change your applications' behavior or load their own programs.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "Hijack Execution Flow", + "Kubernetes_Technique": "", + "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "external_id": "T1574", + }, + }, nil } func (sig *LdPreload) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_fops_hooking.go b/signatures/golang/proc_fops_hooking.go index 5af0ecf686ae..4aae431787a6 100644 --- a/signatures/golang/proc_fops_hooking.go +++ b/signatures/golang/proc_fops_hooking.go @@ -13,29 +13,27 @@ type ProcFopsHooking struct { cb detect.SignatureHandler } -var procFopsHookingMetadata = detect.SignatureMetadata{ - ID: "TRC-1020", - Version: "1", - Name: "File operations hooking on proc filesystem detected", - EventName: "proc_fops_hooking", - Description: "File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like `ps` and `top` to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Rootkit", - "Kubernetes_Technique": "", - "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "external_id": "T1014", - }, -} - func (sig *ProcFopsHooking) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) { - return procFopsHookingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1020", + Version: "1", + Name: "File operations hooking on proc filesystem detected", + EventName: "proc_fops_hooking", + Description: "File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like `ps` and `top` to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Rootkit", + "Kubernetes_Technique": "", + "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "external_id": "T1014", + }, + }, nil } func (sig *ProcFopsHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_kcore_read.go b/signatures/golang/proc_kcore_read.go index e505f0dfd90c..7a39d91f0573 100644 --- a/signatures/golang/proc_kcore_read.go +++ b/signatures/golang/proc_kcore_read.go @@ -15,22 +15,6 @@ type ProcKcoreRead struct { kcorePath string } -var procKcoreReadMetadata = detect.SignatureMetadata{ - ID: "TRC-1021", - Version: "1", - Name: "Kcore memory file read", - EventName: "proc_kcore_read", - Description: "An attempt to read /proc/kcore file was detected. KCore provides a full dump of the physical memory of the system in the core file format. Adversaries may read this file to get all of the host memory and use this information for container escape.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.kcorePath = "/proc/kcore" @@ -38,7 +22,21 @@ func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error { } func (sig *ProcKcoreRead) GetMetadata() (detect.SignatureMetadata, error) { - return procKcoreReadMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1021", + Version: "1", + Name: "Kcore memory file read", + EventName: "proc_kcore_read", + Description: "An attempt to read /proc/kcore file was detected. KCore provides a full dump of the physical memory of the system in the core file format. Adversaries may read this file to get all of the host memory and use this information for container escape.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *ProcKcoreRead) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_mem_access.go b/signatures/golang/proc_mem_access.go index 7d171b253949..e1f80b911067 100644 --- a/signatures/golang/proc_mem_access.go +++ b/signatures/golang/proc_mem_access.go @@ -16,22 +16,6 @@ type ProcMemAccess struct { compiledRegex *regexp.Regexp } -var procMemAccessMetadata = detect.SignatureMetadata{ - ID: "TRC-1023", - Version: "1", - Name: "Process memory access detected", - EventName: "proc_mem_access", - Description: "Process memory access detected. Adversaries may access other processes memory to steal credentials and secrets.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "credential-access", - "Technique": "Proc Filesystem", - "Kubernetes_Technique": "", - "id": "attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d", - "external_id": "T1003.007", - }, -} - func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -41,7 +25,21 @@ func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error { } func (sig *ProcMemAccess) GetMetadata() (detect.SignatureMetadata, error) { - return procMemAccessMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1023", + Version: "1", + Name: "Process memory access detected", + EventName: "proc_mem_access", + Description: "Process memory access detected. Adversaries may access other processes memory to steal credentials and secrets.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "credential-access", + "Technique": "Proc Filesystem", + "Kubernetes_Technique": "", + "id": "attack-pattern--3120b9fa-23b8-4500-ae73-09494f607b7d", + "external_id": "T1003.007", + }, + }, nil } func (sig *ProcMemAccess) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/proc_mem_code_injection.go b/signatures/golang/proc_mem_code_injection.go index f5ae29b21676..6dc7d84bfb17 100644 --- a/signatures/golang/proc_mem_code_injection.go +++ b/signatures/golang/proc_mem_code_injection.go @@ -16,22 +16,6 @@ type ProcMemCodeInjection struct { compiledRegex *regexp.Regexp } -var procMemCodeInjectionMetadata = detect.SignatureMetadata{ - ID: "TRC-1024", - Version: "1", - Name: "Code injection detected through /proc//mem file", - EventName: "proc_mem_code_injection", - Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Proc Memory", - "Kubernetes_Technique": "", - "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591", - "external_id": "T1055.009", - }, -} - func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error { var err error sig.cb = ctx.Callback @@ -41,7 +25,21 @@ func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error { } func (sig *ProcMemCodeInjection) GetMetadata() (detect.SignatureMetadata, error) { - return procMemCodeInjectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1024", + Version: "1", + Name: "Code injection detected through /proc//mem file", + EventName: "proc_mem_code_injection", + Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Proc Memory", + "Kubernetes_Technique": "", + "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "external_id": "T1055.009", + }, + }, nil } func (sig *ProcMemCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/process_vm_write_code_injection.go b/signatures/golang/process_vm_write_code_injection.go index d742260b5aa1..da1ed26582ca 100644 --- a/signatures/golang/process_vm_write_code_injection.go +++ b/signatures/golang/process_vm_write_code_injection.go @@ -13,22 +13,6 @@ type ProcessVmWriteCodeInjection struct { cb detect.SignatureHandler } -var processVmWriteCodeInjectionMetadata = detect.SignatureMetadata{ - ID: "TRC-1025", - Version: "1", - Name: "Code injection detected using process_vm_writev syscall", - EventName: "process_vm_write_inject", - Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Process Injection", - "Kubernetes_Technique": "", - "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "external_id": "T1055", - }, -} - func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback @@ -36,7 +20,21 @@ func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error } func (sig *ProcessVmWriteCodeInjection) GetMetadata() (detect.SignatureMetadata, error) { - return processVmWriteCodeInjectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1025", + Version: "1", + Name: "Code injection detected using process_vm_writev syscall", + EventName: "process_vm_write_inject", + Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Process Injection", + "Kubernetes_Technique": "", + "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "external_id": "T1055", + }, + }, nil } func (sig *ProcessVmWriteCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/ptrace_code_injection.go b/signatures/golang/ptrace_code_injection.go index 233060e5b54b..593701d4903b 100644 --- a/signatures/golang/ptrace_code_injection.go +++ b/signatures/golang/ptrace_code_injection.go @@ -15,22 +15,6 @@ type PtraceCodeInjection struct { ptracePokeData string } -var ptraceCodeInjectionMetadata = detect.SignatureMetadata{ - ID: "TRC-103", - Version: "1", - Name: "Code injection detected using ptrace", - EventName: "ptrace_code_injection", - Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Ptrace System Calls", - "Kubernetes_Technique": "", - "id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f", - "external_id": "T1055.008", - }, -} - func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.ptracePokeText = "PTRACE_POKETEXT" @@ -39,7 +23,21 @@ func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error { } func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) { - return ptraceCodeInjectionMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-103", + Version: "1", + Name: "Code injection detected using ptrace", + EventName: "ptrace_code_injection", + Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Ptrace System Calls", + "Kubernetes_Technique": "", + "id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f", + "external_id": "T1055.008", + }, + }, nil } func (sig *PtraceCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/rcd_modification.go b/signatures/golang/rcd_modification.go index 3a01b2857a87..fa4e0cdba68a 100644 --- a/signatures/golang/rcd_modification.go +++ b/signatures/golang/rcd_modification.go @@ -18,22 +18,6 @@ type RcdModification struct { rcdCommand string } -var rcdModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1026", - Version: "1", - Name: "Rcd modification detected", - EventName: "rcd_modification", - Description: "The rcd files were modified. rcd files are scripts executed on boot and runlevel switch. Those scripts are responsible for service control in runlevel switch. Adversaries may add or modify rcd files in order to persist a reboot, thus maintaining malicious execution on the affected host.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "RC Scripts", - "Kubernetes_Technique": "", - "id": "attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211", - "external_id": "T1037.004", - }, -} - func (sig *RcdModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.rcdFiles = []string{"/etc/rc.local", "/etc/init.d/rc.local"} @@ -43,7 +27,21 @@ func (sig *RcdModification) Init(ctx detect.SignatureContext) error { } func (sig *RcdModification) GetMetadata() (detect.SignatureMetadata, error) { - return rcdModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1026", + Version: "1", + Name: "Rcd modification detected", + EventName: "rcd_modification", + Description: "The rcd files were modified. rcd files are scripts executed on boot and runlevel switch. Those scripts are responsible for service control in runlevel switch. Adversaries may add or modify rcd files in order to persist a reboot, thus maintaining malicious execution on the affected host.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "RC Scripts", + "Kubernetes_Technique": "", + "id": "attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211", + "external_id": "T1037.004", + }, + }, nil } func (sig *RcdModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/sched_debug_recon.go b/signatures/golang/sched_debug_recon.go index 02ea12f067ec..6c10283fbb44 100644 --- a/signatures/golang/sched_debug_recon.go +++ b/signatures/golang/sched_debug_recon.go @@ -14,22 +14,6 @@ type SchedDebugRecon struct { schedDebugPaths []string } -var schedDebugReconMetadata = detect.SignatureMetadata{ - ID: "TRC-1029", - Version: "1", - Name: "sched_debug CPU file was read", - EventName: "sched_debug_recon", - Description: "The sched_debug file was read. This file contains information about your CPU and processes. Adversaries may read this file in order to gather that information for their use.", - Properties: map[string]interface{}{ - "Severity": 1, - "Category": "discovery", - "Technique": "Container and Resource Discovery", - "Kubernetes_Technique": "", - "id": "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336", - "external_id": "T1613", - }, -} - func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.schedDebugPaths = []string{"/proc/sched_debug", "/sys/kernel/debug/sched/debug"} @@ -37,7 +21,21 @@ func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error { } func (sig *SchedDebugRecon) GetMetadata() (detect.SignatureMetadata, error) { - return schedDebugReconMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1029", + Version: "1", + Name: "sched_debug CPU file was read", + EventName: "sched_debug_recon", + Description: "The sched_debug file was read. This file contains information about your CPU and processes. Adversaries may read this file in order to gather that information for their use.", + Properties: map[string]interface{}{ + "Severity": 1, + "Category": "discovery", + "Technique": "Container and Resource Discovery", + "Kubernetes_Technique": "", + "id": "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336", + "external_id": "T1613", + }, + }, nil } func (sig *SchedDebugRecon) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/scheduled_task_modification.go b/signatures/golang/scheduled_task_modification.go index 2586ef7482a9..a7564e78bd04 100644 --- a/signatures/golang/scheduled_task_modification.go +++ b/signatures/golang/scheduled_task_modification.go @@ -18,22 +18,6 @@ type ScheduledTaskModification struct { cronCommands []string } -var scheduledTaskModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1027", - Version: "1", - Name: "Scheduled tasks modification detected", - EventName: "scheduled_task_mod", - Description: "The task scheduling functionality or files were modified. Crontab schedules task execution or enables task execution at boot time. Adversaries may add or modify scheduled tasks in order to persist a reboot, thus maintaining malicious execution on the affected host.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "persistence", - "Technique": "Cron", - "Kubernetes_Technique": "", - "id": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c", - "external_id": "T1053.003", - }, -} - func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.cronFiles = []string{"/etc/crontab", "/etc/anacrontab", "/etc/cron.deny", "/etc/cron.allow"} @@ -43,7 +27,21 @@ func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error { } func (sig *ScheduledTaskModification) GetMetadata() (detect.SignatureMetadata, error) { - return scheduledTaskModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1027", + Version: "1", + Name: "Scheduled tasks modification detected", + EventName: "scheduled_task_mod", + Description: "The task scheduling functionality or files were modified. Crontab schedules task execution or enables task execution at boot time. Adversaries may add or modify scheduled tasks in order to persist a reboot, thus maintaining malicious execution on the affected host.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "persistence", + "Technique": "Cron", + "Kubernetes_Technique": "", + "id": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c", + "external_id": "T1053.003", + }, + }, nil } func (sig *ScheduledTaskModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/stdio_over_socket.go b/signatures/golang/stdio_over_socket.go index d2e89f4d57d6..3f58d25f044f 100644 --- a/signatures/golang/stdio_over_socket.go +++ b/signatures/golang/stdio_over_socket.go @@ -14,22 +14,6 @@ type StdioOverSocket struct { legitPorts []string } -var stdioOverSocketMetadata = detect.SignatureMetadata{ - ID: "TRC-101", - Version: "2", - Name: "Process standard input/output over socket detected", - EventName: "stdio_over_socket", - Description: "A process has its standard input/output redirected to a socket. This behavior is the base of a Reverse Shell attack, which is when an interactive shell being invoked from a target machine back to the attacker's machine, giving it interactive control over the target. Adversaries may use a Reverse Shell to retain control over a compromised target while bypassing security measures like network firewalls.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "execution", - "Technique": "Unix Shell", - "Kubernetes_Technique": "", - "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", - "external_id": "T1059.004", - }, -} - func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.legitPorts = []string{"", "0"} @@ -37,7 +21,21 @@ func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error { } func (sig *StdioOverSocket) GetMetadata() (detect.SignatureMetadata, error) { - return stdioOverSocketMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-101", + Version: "2", + Name: "Process standard input/output over socket detected", + EventName: "stdio_over_socket", + Description: "A process has its standard input/output redirected to a socket. This behavior is the base of a Reverse Shell attack, which is when an interactive shell being invoked from a target machine back to the attacker's machine, giving it interactive control over the target. Adversaries may use a Reverse Shell to retain control over a compromised target while bypassing security measures like network firewalls.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "execution", + "Technique": "Unix Shell", + "Kubernetes_Technique": "", + "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", + "external_id": "T1059.004", + }, + }, nil } func (sig *StdioOverSocket) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/sudoers_modification.go b/signatures/golang/sudoers_modification.go index 8c2645b510a2..74973699e87b 100644 --- a/signatures/golang/sudoers_modification.go +++ b/signatures/golang/sudoers_modification.go @@ -16,22 +16,6 @@ type SudoersModification struct { sudoersDirs []string } -var sudoersModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1028", - Version: "1", - Name: "Sudoers file modification detected", - EventName: "sudoers_modification", - Description: "The sudoers file was modified. The sudoers file is a configuration file which controls the permissions and options of the sudo feature. Adversaries may alter the sudoers file to elevate privileges, execute commands as other users or spawn processes with higher privileges.", - Properties: map[string]interface{}{ - "Severity": 2, - "Category": "privilege-escalation", - "Technique": "Sudo and Sudo Caching", - "Kubernetes_Technique": "", - "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", - "external_id": "T1548.003", - }, -} - func (sig *SudoersModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.sudoersFiles = []string{"/etc/sudoers", "/private/etc/sudoers"} @@ -40,7 +24,21 @@ func (sig *SudoersModification) Init(ctx detect.SignatureContext) error { } func (sig *SudoersModification) GetMetadata() (detect.SignatureMetadata, error) { - return sudoersModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1028", + Version: "1", + Name: "Sudoers file modification detected", + EventName: "sudoers_modification", + Description: "The sudoers file was modified. The sudoers file is a configuration file which controls the permissions and options of the sudo feature. Adversaries may alter the sudoers file to elevate privileges, execute commands as other users or spawn processes with higher privileges.", + Properties: map[string]interface{}{ + "Severity": 2, + "Category": "privilege-escalation", + "Technique": "Sudo and Sudo Caching", + "Kubernetes_Technique": "", + "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", + "external_id": "T1548.003", + }, + }, nil } func (sig *SudoersModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/syscall_table_hooking.go b/signatures/golang/syscall_table_hooking.go index 9749c67ad90c..9cae0948cfa3 100644 --- a/signatures/golang/syscall_table_hooking.go +++ b/signatures/golang/syscall_table_hooking.go @@ -12,29 +12,27 @@ type SyscallTableHooking struct { cb detect.SignatureHandler } -var syscallTableHookingMetadata = detect.SignatureMetadata{ - ID: "TRC-1030", - Version: "1", - Name: "Syscall table hooking detected", - EventName: "syscall_hooking", - Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "defense-evasion", - "Technique": "Rootkit", - "Kubernetes_Technique": "", - "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "external_id": "T1014", - }, -} - func (sig *SyscallTableHooking) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) { - return syscallTableHookingMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1030", + Version: "1", + Name: "Syscall table hooking detected", + EventName: "syscall_hooking", + Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "defense-evasion", + "Technique": "Rootkit", + "Kubernetes_Technique": "", + "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "external_id": "T1014", + }, + }, nil } func (sig *SyscallTableHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/signatures/golang/system_request_key_config_modification.go b/signatures/golang/system_request_key_config_modification.go index bb80aa12832a..05d8c531fd03 100644 --- a/signatures/golang/system_request_key_config_modification.go +++ b/signatures/golang/system_request_key_config_modification.go @@ -14,22 +14,6 @@ type SystemRequestKeyConfigModification struct { sysrqPaths []string } -var systemRequestKeyConfigModificationMetadata = detect.SignatureMetadata{ - ID: "TRC-1031", - Version: "1", - Name: "System request key configuration modification", - EventName: "system_request_key_mod", - Description: "An attempt to modify and activate the System Request Key configuration file was detected. The system request key allows immediate input to the kernel through simple key combinations. Adversaries may use this feature to immediately shut down or restart a system. With read access to kernel logs, host related information such as listing tasks and CPU registers may be disclosed and could be used for container escape.", - Properties: map[string]interface{}{ - "Severity": 3, - "Category": "privilege-escalation", - "Technique": "Escape to Host", - "Kubernetes_Technique": "", - "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", - "external_id": "T1611", - }, -} - func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.sysrqPaths = []string{"/proc/sys/kernel/sysrq", "/proc/sysrq-trigger"} @@ -37,7 +21,21 @@ func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext) } func (sig *SystemRequestKeyConfigModification) GetMetadata() (detect.SignatureMetadata, error) { - return systemRequestKeyConfigModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "TRC-1031", + Version: "1", + Name: "System request key configuration modification", + EventName: "system_request_key_mod", + Description: "An attempt to modify and activate the System Request Key configuration file was detected. The system request key allows immediate input to the kernel through simple key combinations. Adversaries may use this feature to immediately shut down or restart a system. With read access to kernel logs, host related information such as listing tasks and CPU registers may be disclosed and could be used for container escape.", + Properties: map[string]interface{}{ + "Severity": 3, + "Category": "privilege-escalation", + "Technique": "Escape to Host", + "Kubernetes_Technique": "", + "id": "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665", + "external_id": "T1611", + }, + }, nil } func (sig *SystemRequestKeyConfigModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-bpf_attach.go b/tests/e2e-inst-signatures/e2e-bpf_attach.go index 1d21f9f744c8..a803e78fba2d 100644 --- a/tests/e2e-inst-signatures/e2e-bpf_attach.go +++ b/tests/e2e-inst-signatures/e2e-bpf_attach.go @@ -13,22 +13,20 @@ type e2eBpfAttach struct { cb detect.SignatureHandler } -var e2eBpfAttachMetadata = detect.SignatureMetadata{ - ID: "BPF_ATTACH", - EventName: "BPF_ATTACH", - Version: "0.1.0", - Name: "Bpf Attach Test", - Description: "Instrumentation events E2E Tests: Bpf Attach", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eBpfAttach) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eBpfAttach) GetMetadata() (detect.SignatureMetadata, error) { - return e2eBpfAttachMetadata, nil + return detect.SignatureMetadata{ + ID: "BPF_ATTACH", + EventName: "BPF_ATTACH", + Version: "0.1.0", + Name: "Bpf Attach Test", + Description: "Instrumentation events E2E Tests: Bpf Attach", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eBpfAttach) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-containers_data_source.go b/tests/e2e-inst-signatures/e2e-containers_data_source.go index 5074e3d0085d..8dd73cdeb667 100644 --- a/tests/e2e-inst-signatures/e2e-containers_data_source.go +++ b/tests/e2e-inst-signatures/e2e-containers_data_source.go @@ -14,15 +14,6 @@ type e2eContainersDataSource struct { containersData detect.DataSource } -var e2eContainersDataSourceMetadata = detect.SignatureMetadata{ - ID: "CONTAINERS_DATA_SOURCE", - EventName: "CONTAINERS_DATA_SOURCE", - Version: "0.1.0", - Name: "Containers Data Source Test", - Description: "Instrumentation events E2E Tests: Containers Data Source Test", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eContainersDataSource) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback containersData, ok := ctx.GetDataSource("tracee", "containers") @@ -37,7 +28,14 @@ func (sig *e2eContainersDataSource) Init(ctx detect.SignatureContext) error { } func (sig *e2eContainersDataSource) GetMetadata() (detect.SignatureMetadata, error) { - return e2eContainersDataSourceMetadata, nil + return detect.SignatureMetadata{ + ID: "CONTAINERS_DATA_SOURCE", + EventName: "CONTAINERS_DATA_SOURCE", + Version: "0.1.0", + Name: "Containers Data Source Test", + Description: "Instrumentation events E2E Tests: Containers Data Source Test", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eContainersDataSource) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-dns_data_source.go b/tests/e2e-inst-signatures/e2e-dns_data_source.go index 078855083be2..17e51cf307ce 100644 --- a/tests/e2e-inst-signatures/e2e-dns_data_source.go +++ b/tests/e2e-inst-signatures/e2e-dns_data_source.go @@ -13,15 +13,6 @@ type e2eDnsDataSource struct { dnsData detect.DataSource } -var e2eDnsDataSourceMetadata = detect.SignatureMetadata{ - ID: "DNS_DATA_SOURCE", - EventName: "DNS_DATA_SOURCE", - Version: "0.1.0", - Name: "DNS Data Source Test", - Description: "Instrumentation events E2E Tests: DNS Data Source Test", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eDnsDataSource) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback dnsData, ok := ctx.GetDataSource("tracee", "dns") @@ -36,7 +27,14 @@ func (sig *e2eDnsDataSource) Init(ctx detect.SignatureContext) error { } func (sig *e2eDnsDataSource) GetMetadata() (detect.SignatureMetadata, error) { - return e2eDnsDataSourceMetadata, nil + return detect.SignatureMetadata{ + ID: "DNS_DATA_SOURCE", + EventName: "DNS_DATA_SOURCE", + Version: "0.1.0", + Name: "DNS Data Source Test", + Description: "Instrumentation events E2E Tests: DNS Data Source Test", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eDnsDataSource) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-file_modification.go b/tests/e2e-inst-signatures/e2e-file_modification.go index f71ded7e5a00..0894a5a01eb7 100644 --- a/tests/e2e-inst-signatures/e2e-file_modification.go +++ b/tests/e2e-inst-signatures/e2e-file_modification.go @@ -14,22 +14,20 @@ type e2eFileModification struct { cb detect.SignatureHandler } -var e2eFileModificationMetadata = detect.SignatureMetadata{ - ID: "FILE_MODIFICATION", - EventName: "FILE_MODIFICATION", - Version: "0.1.0", - Name: "File Modification Test", - Description: "Instrumentation events E2E Tests: File Modification", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eFileModification) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eFileModification) GetMetadata() (detect.SignatureMetadata, error) { - return e2eFileModificationMetadata, nil + return detect.SignatureMetadata{ + ID: "FILE_MODIFICATION", + EventName: "FILE_MODIFICATION", + Version: "0.1.0", + Name: "File Modification Test", + Description: "Instrumentation events E2E Tests: File Modification", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eFileModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-ftrace_hook.go b/tests/e2e-inst-signatures/e2e-ftrace_hook.go index 8d1a9d9914c9..43c0d8444031 100644 --- a/tests/e2e-inst-signatures/e2e-ftrace_hook.go +++ b/tests/e2e-inst-signatures/e2e-ftrace_hook.go @@ -13,22 +13,20 @@ type e2eFtraceHook struct { cb detect.SignatureHandler } -var e2eFtraceHookMetadata = detect.SignatureMetadata{ - ID: "FTRACE_HOOK", - EventName: "FTRACE_HOOK", - Version: "0.1.0", - Name: "ftrace_hook Test", - Description: "Instrumentation events E2E Tests: ftrace_hook", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eFtraceHook) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eFtraceHook) GetMetadata() (detect.SignatureMetadata, error) { - return e2eFtraceHookMetadata, nil + return detect.SignatureMetadata{ + ID: "FTRACE_HOOK", + EventName: "FTRACE_HOOK", + Version: "0.1.0", + Name: "ftrace_hook Test", + Description: "Instrumentation events E2E Tests: ftrace_hook", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eFtraceHook) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-hooked_syscall.go b/tests/e2e-inst-signatures/e2e-hooked_syscall.go index 2950cb8f6ebb..087aba20c5e1 100644 --- a/tests/e2e-inst-signatures/e2e-hooked_syscall.go +++ b/tests/e2e-inst-signatures/e2e-hooked_syscall.go @@ -13,22 +13,20 @@ type e2eHookedSyscall struct { cb detect.SignatureHandler } -var e2eHookedSyscallMetadata = detect.SignatureMetadata{ - ID: "HOOKED_SYSCALL", - EventName: "HOOKED_SYSCALL", - Version: "0.1.0", - Name: "Hooked Syscall Test", - Description: "Instrumentation events E2E Tests: Hooked Syscall", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eHookedSyscall) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eHookedSyscall) GetMetadata() (detect.SignatureMetadata, error) { - return e2eHookedSyscallMetadata, nil + return detect.SignatureMetadata{ + ID: "HOOKED_SYSCALL", + EventName: "HOOKED_SYSCALL", + Version: "0.1.0", + Name: "Hooked Syscall Test", + Description: "Instrumentation events E2E Tests: Hooked Syscall", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eHookedSyscall) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-process_execute_failed.go b/tests/e2e-inst-signatures/e2e-process_execute_failed.go index 8dee9d89e4b8..1ed86c62e98f 100644 --- a/tests/e2e-inst-signatures/e2e-process_execute_failed.go +++ b/tests/e2e-inst-signatures/e2e-process_execute_failed.go @@ -18,15 +18,6 @@ type e2eProcessExecuteFailed struct { markUnsupportedKernel sync.Once } -var e2eProcessExecuteFailedMetadata = detect.SignatureMetadata{ - ID: "PROCESS_EXECUTE_FAILED", - EventName: "PROCESS_EXECUTE_FAILED", - Version: "0.1.0", - Name: "Process Execute Failed Test", - Description: "Instrumentation events E2E Tests: Process Execute Failed", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eProcessExecuteFailed) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback var err error @@ -38,7 +29,14 @@ func (sig *e2eProcessExecuteFailed) Init(ctx detect.SignatureContext) error { } func (sig *e2eProcessExecuteFailed) GetMetadata() (detect.SignatureMetadata, error) { - return e2eProcessExecuteFailedMetadata, nil + return detect.SignatureMetadata{ + ID: "PROCESS_EXECUTE_FAILED", + EventName: "PROCESS_EXECUTE_FAILED", + Version: "0.1.0", + Name: "Process Execute Failed Test", + Description: "Instrumentation events E2E Tests: Process Execute Failed", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eProcessExecuteFailed) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-proctree_data_source.go b/tests/e2e-inst-signatures/e2e-proctree_data_source.go index 7f8b4fc4f168..0ef0355a568c 100644 --- a/tests/e2e-inst-signatures/e2e-proctree_data_source.go +++ b/tests/e2e-inst-signatures/e2e-proctree_data_source.go @@ -26,15 +26,6 @@ type e2eProcessTreeDataSource struct { processTreeDS *helpers.ProcessTreeDS } -var e2eProcessTreeDataSourceMetadata = detect.SignatureMetadata{ - ID: "PROCTREE_DATA_SOURCE", - EventName: "PROCTREE_DATA_SOURCE", - Version: "0.1.0", - Name: "Process Tree Data Source Test", - Description: "Instrumentation events E2E Tests: Process Tree Data Source Test", - Tags: []string{"e2e", "instrumentation"}, -} - // Init is called once when the signature is loaded. func (sig *e2eProcessTreeDataSource) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback @@ -50,7 +41,14 @@ func (sig *e2eProcessTreeDataSource) Init(ctx detect.SignatureContext) error { // GetMetadata returns metadata about the signature. func (sig *e2eProcessTreeDataSource) GetMetadata() (detect.SignatureMetadata, error) { - return e2eProcessTreeDataSourceMetadata, nil + return detect.SignatureMetadata{ + ID: "PROCTREE_DATA_SOURCE", + EventName: "PROCTREE_DATA_SOURCE", + Version: "0.1.0", + Name: "Process Tree Data Source Test", + Description: "Instrumentation events E2E Tests: Process Tree Data Source Test", + Tags: []string{"e2e", "instrumentation"}, + }, nil } // GetSelectedEvents returns a list of events that the signature wants to subscribe to. diff --git a/tests/e2e-inst-signatures/e2e-security_inode_rename.go b/tests/e2e-inst-signatures/e2e-security_inode_rename.go index 446aca2ae3a8..4a6814cc1a14 100644 --- a/tests/e2e-inst-signatures/e2e-security_inode_rename.go +++ b/tests/e2e-inst-signatures/e2e-security_inode_rename.go @@ -14,22 +14,20 @@ type e2eSecurityInodeRename struct { cb detect.SignatureHandler } -var e2eSecurityInodeRenameMetadata = detect.SignatureMetadata{ - ID: "SECURITY_INODE_RENAME", - EventName: "SECURITY_INODE_RENAME", - Version: "0.1.0", - Name: "security_inode_rename Test", - Description: "Instrumentation events E2E Tests: security_inode_rename", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eSecurityInodeRename) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eSecurityInodeRename) GetMetadata() (detect.SignatureMetadata, error) { - return e2eSecurityInodeRenameMetadata, nil + return detect.SignatureMetadata{ + ID: "SECURITY_INODE_RENAME", + EventName: "SECURITY_INODE_RENAME", + Version: "0.1.0", + Name: "security_inode_rename Test", + Description: "Instrumentation events E2E Tests: security_inode_rename", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eSecurityInodeRename) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-security_path_notify.go b/tests/e2e-inst-signatures/e2e-security_path_notify.go index 0dd18391e2fb..5a980ce1fbad 100644 --- a/tests/e2e-inst-signatures/e2e-security_path_notify.go +++ b/tests/e2e-inst-signatures/e2e-security_path_notify.go @@ -17,22 +17,20 @@ type e2eSecurityPathNotify struct { found_fanotify bool } -var e2eSecurityPathNotifyMetadata = detect.SignatureMetadata{ - ID: "SECURITY_PATH_NOTIFY", - EventName: "SECURITY_PATH_NOTIFY", - Version: "0.1.0", - Name: "Security Path Notify Test", - Description: "Instrumentation events E2E Tests: Security Path Notify", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eSecurityPathNotify) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eSecurityPathNotify) GetMetadata() (detect.SignatureMetadata, error) { - return e2eSecurityPathNotifyMetadata, nil + return detect.SignatureMetadata{ + ID: "SECURITY_PATH_NOTIFY", + EventName: "SECURITY_PATH_NOTIFY", + Version: "0.1.0", + Name: "Security Path Notify Test", + Description: "Instrumentation events E2E Tests: Security Path Notify", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eSecurityPathNotify) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-set_fs_pwd.go b/tests/e2e-inst-signatures/e2e-set_fs_pwd.go index 07a40114cbed..f9cda190b64b 100644 --- a/tests/e2e-inst-signatures/e2e-set_fs_pwd.go +++ b/tests/e2e-inst-signatures/e2e-set_fs_pwd.go @@ -16,15 +16,6 @@ type e2eSetFsPwd struct { hasReadUser bool } -var e2eSetFsPwdMetadata = detect.SignatureMetadata{ - ID: "SET_FS_PWD", - EventName: "SET_FS_PWD", - Version: "0.1.0", - Name: "set_fs_pwd Test", - Description: "Instrumentation events E2E Tests: set_fs_pwd", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eSetFsPwd) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback @@ -45,7 +36,14 @@ func (sig *e2eSetFsPwd) Init(ctx detect.SignatureContext) error { } func (sig *e2eSetFsPwd) GetMetadata() (detect.SignatureMetadata, error) { - return e2eSetFsPwdMetadata, nil + return detect.SignatureMetadata{ + ID: "SET_FS_PWD", + EventName: "SET_FS_PWD", + Version: "0.1.0", + Name: "set_fs_pwd Test", + Description: "Instrumentation events E2E Tests: set_fs_pwd", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eSetFsPwd) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-signature_derivation.go b/tests/e2e-inst-signatures/e2e-signature_derivation.go index 6056d080971b..658c1d02af32 100644 --- a/tests/e2e-inst-signatures/e2e-signature_derivation.go +++ b/tests/e2e-inst-signatures/e2e-signature_derivation.go @@ -12,22 +12,20 @@ type e2eSignatureDerivation struct { cb detect.SignatureHandler } -var e2eSignatureDerivationMetadata = detect.SignatureMetadata{ - ID: "SIGNATURE_DERIVATION", - EventName: "SIGNATURE_DERIVATION", - Version: "0.1.0", - Name: "Signature Derivation Test", - Description: "Instrumentation events E2E Tests: Signature Derivation", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eSignatureDerivation) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eSignatureDerivation) GetMetadata() (detect.SignatureMetadata, error) { - return e2eSignatureDerivationMetadata, nil + return detect.SignatureMetadata{ + ID: "SIGNATURE_DERIVATION", + EventName: "SIGNATURE_DERIVATION", + Version: "0.1.0", + Name: "Signature Derivation Test", + Description: "Instrumentation events E2E Tests: Signature Derivation", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eSignatureDerivation) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-vfs_write.go b/tests/e2e-inst-signatures/e2e-vfs_write.go index 8d39c86ec2b9..a9209734d41e 100644 --- a/tests/e2e-inst-signatures/e2e-vfs_write.go +++ b/tests/e2e-inst-signatures/e2e-vfs_write.go @@ -14,22 +14,20 @@ type e2eVfsWrite struct { cb detect.SignatureHandler } -var e2eVfsWriteMetadata = detect.SignatureMetadata{ - ID: "VFS_WRITE", - EventName: "VFS_WRITE", - Version: "0.1.0", - Name: "Vfs Write Test", - Description: "Instrumentation events E2E Tests: Vfs Write", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eVfsWrite) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eVfsWrite) GetMetadata() (detect.SignatureMetadata, error) { - return e2eVfsWriteMetadata, nil + return detect.SignatureMetadata{ + ID: "VFS_WRITE", + EventName: "VFS_WRITE", + Version: "0.1.0", + Name: "Vfs Write Test", + Description: "Instrumentation events E2E Tests: Vfs Write", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eVfsWrite) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-vfs_writev.go b/tests/e2e-inst-signatures/e2e-vfs_writev.go index 28749f56e265..b0b459efd14f 100644 --- a/tests/e2e-inst-signatures/e2e-vfs_writev.go +++ b/tests/e2e-inst-signatures/e2e-vfs_writev.go @@ -14,22 +14,20 @@ type e2eVfsWritev struct { cb detect.SignatureHandler } -var e2eVfsWritevMetadata = detect.SignatureMetadata{ - ID: "VFS_WRITEV", - EventName: "VFS_WRITEV", - Version: "0.1.0", - Name: "Vfs Writev Test", - Description: "Instrumentation events E2E Tests: Vfs Writev", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eVfsWritev) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eVfsWritev) GetMetadata() (detect.SignatureMetadata, error) { - return e2eVfsWritevMetadata, nil + return detect.SignatureMetadata{ + ID: "VFS_WRITEV", + EventName: "VFS_WRITEV", + Version: "0.1.0", + Name: "Vfs Writev Test", + Description: "Instrumentation events E2E Tests: Vfs Writev", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eVfsWritev) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-inst-signatures/e2e-writeable_data_source.go b/tests/e2e-inst-signatures/e2e-writeable_data_source.go index d5739078721a..428c027b27b4 100644 --- a/tests/e2e-inst-signatures/e2e-writeable_data_source.go +++ b/tests/e2e-inst-signatures/e2e-writeable_data_source.go @@ -13,15 +13,6 @@ type e2eWritableDatasourceSig struct { writable detect.DataSource } -var e2eWritableDatasourceSigMetadata = detect.SignatureMetadata{ - ID: "WRITABLE_DATA_SOURCE", - EventName: "WRITABLE_DATA_SOURCE", - Version: "0.1.0", - Name: "Writable Data Source Test", - Description: "Instrumentation events E2E Tests: Writable Data Source Test", - Tags: []string{"e2e", "instrumentation"}, -} - func (sig *e2eWritableDatasourceSig) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback writable, ok := ctx.GetDataSource("e2e_inst", "demo") @@ -36,7 +27,14 @@ func (sig *e2eWritableDatasourceSig) Init(ctx detect.SignatureContext) error { } func (sig *e2eWritableDatasourceSig) GetMetadata() (detect.SignatureMetadata, error) { - return e2eWritableDatasourceSigMetadata, nil + return detect.SignatureMetadata{ + ID: "WRITABLE_DATA_SOURCE", + EventName: "WRITABLE_DATA_SOURCE", + Version: "0.1.0", + Name: "Writable Data Source Test", + Description: "Instrumentation events E2E Tests: Writable Data Source Test", + Tags: []string{"e2e", "instrumentation"}, + }, nil } func (sig *e2eWritableDatasourceSig) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-dns.go b/tests/e2e-net-signatures/e2e-dns.go index d5ef62118ec7..fb2127d64d38 100644 --- a/tests/e2e-net-signatures/e2e-dns.go +++ b/tests/e2e-net-signatures/e2e-dns.go @@ -25,15 +25,6 @@ type e2eDNS struct { cb detect.SignatureHandler } -var e2eDNSMetadata = detect.SignatureMetadata{ - ID: "DNS", - EventName: "DNS", - Version: "0.1.0", - Name: "Network DNS Test", - Description: "Network E2E Tests: DNS", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eDNS) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback sig.foundMX = false // proforma @@ -43,7 +34,14 @@ func (sig *e2eDNS) Init(ctx detect.SignatureContext) error { } func (sig *e2eDNS) GetMetadata() (detect.SignatureMetadata, error) { - return e2eDNSMetadata, nil + return detect.SignatureMetadata{ + ID: "DNS", + EventName: "DNS", + Version: "0.1.0", + Name: "Network DNS Test", + Description: "Network E2E Tests: DNS", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eDNS) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-http.go b/tests/e2e-net-signatures/e2e-http.go index dce1033a3971..81c9d4e74148 100644 --- a/tests/e2e-net-signatures/e2e-http.go +++ b/tests/e2e-net-signatures/e2e-http.go @@ -21,22 +21,20 @@ type e2eHTTP struct { cb detect.SignatureHandler } -var e2eHTTPMetadata = detect.SignatureMetadata{ - ID: "HTTP", - EventName: "HTTP", - Version: "0.1.0", - Name: "Network HTTP Test", - Description: "Network E2E Tests: HTTP", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eHTTP) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eHTTP) GetMetadata() (detect.SignatureMetadata, error) { - return e2eHTTPMetadata, nil + return detect.SignatureMetadata{ + ID: "HTTP", + EventName: "HTTP", + Version: "0.1.0", + Name: "Network HTTP Test", + Description: "Network E2E Tests: HTTP", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eHTTP) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-icmp.go b/tests/e2e-net-signatures/e2e-icmp.go index 44306f2678f8..1b984a8686c9 100644 --- a/tests/e2e-net-signatures/e2e-icmp.go +++ b/tests/e2e-net-signatures/e2e-icmp.go @@ -13,22 +13,20 @@ type e2eICMP struct { cb detect.SignatureHandler } -var e2eICMPMetadata = detect.SignatureMetadata{ - ID: "ICMP", - EventName: "ICMP", - Version: "0.1.0", - Name: "Network ICMP Test", - Description: "Network E2E Tests: ICMP", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eICMP) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eICMP) GetMetadata() (detect.SignatureMetadata, error) { - return e2eICMPMetadata, nil + return detect.SignatureMetadata{ + ID: "ICMP", + EventName: "ICMP", + Version: "0.1.0", + Name: "Network ICMP Test", + Description: "Network E2E Tests: ICMP", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eICMP) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-icmpv6.go b/tests/e2e-net-signatures/e2e-icmpv6.go index 01d41d0e7170..8eba918c84d7 100644 --- a/tests/e2e-net-signatures/e2e-icmpv6.go +++ b/tests/e2e-net-signatures/e2e-icmpv6.go @@ -13,22 +13,20 @@ type e2eICMPv6 struct { cb detect.SignatureHandler } -var e2eICMPv6Metadata = detect.SignatureMetadata{ - ID: "ICMPv6", - EventName: "ICMPv6", - Version: "0.1.0", - Name: "Network ICMPv6 Test", - Description: "Network E2E Tests: ICMPv6", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eICMPv6) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eICMPv6) GetMetadata() (detect.SignatureMetadata, error) { - return e2eICMPv6Metadata, nil + return detect.SignatureMetadata{ + ID: "ICMPv6", + EventName: "ICMPv6", + Version: "0.1.0", + Name: "Network ICMPv6 Test", + Description: "Network E2E Tests: ICMPv6", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eICMPv6) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-ipv4.go b/tests/e2e-net-signatures/e2e-ipv4.go index 413b8992a684..9bb468e56c2c 100644 --- a/tests/e2e-net-signatures/e2e-ipv4.go +++ b/tests/e2e-net-signatures/e2e-ipv4.go @@ -13,22 +13,20 @@ type e2eIPv4 struct { cb detect.SignatureHandler } -var e2eIPv4Metadata = detect.SignatureMetadata{ - ID: "IPv4", - EventName: "IPv4", - Version: "0.1.0", - Name: "Network IPv4 Test", - Description: "Network E2E Tests: IPv4", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eIPv4) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eIPv4) GetMetadata() (detect.SignatureMetadata, error) { - return e2eIPv4Metadata, nil + return detect.SignatureMetadata{ + ID: "IPv4", + EventName: "IPv4", + Version: "0.1.0", + Name: "Network IPv4 Test", + Description: "Network E2E Tests: IPv4", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eIPv4) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-ipv6.go b/tests/e2e-net-signatures/e2e-ipv6.go index 68759f4e56e3..82506576c5f3 100644 --- a/tests/e2e-net-signatures/e2e-ipv6.go +++ b/tests/e2e-net-signatures/e2e-ipv6.go @@ -13,22 +13,20 @@ type e2eIPv6 struct { cb detect.SignatureHandler } -var e2eIPv6Metadata = detect.SignatureMetadata{ - ID: "IPv6", - EventName: "IPv6", - Version: "0.1.0", - Name: "Network IPv6 Test", - Description: "Network E2E Tests: IPv6", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eIPv6) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eIPv6) GetMetadata() (detect.SignatureMetadata, error) { - return e2eIPv6Metadata, nil + return detect.SignatureMetadata{ + ID: "IPv6", + EventName: "IPv6", + Version: "0.1.0", + Name: "Network IPv6 Test", + Description: "Network E2E Tests: IPv6", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eIPv6) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-tcp.go b/tests/e2e-net-signatures/e2e-tcp.go index 8547f9b2c668..2a509e39b681 100644 --- a/tests/e2e-net-signatures/e2e-tcp.go +++ b/tests/e2e-net-signatures/e2e-tcp.go @@ -13,22 +13,20 @@ type e2eTCP struct { cb detect.SignatureHandler } -var e2eTCPMetadata = detect.SignatureMetadata{ - ID: "TCP", - EventName: "TCP", - Version: "0.1.0", - Name: "Network TCP Test", - Description: "Network E2E Tests: TCP", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eTCP) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eTCP) GetMetadata() (detect.SignatureMetadata, error) { - return e2eTCPMetadata, nil + return detect.SignatureMetadata{ + ID: "TCP", + EventName: "TCP", + Version: "0.1.0", + Name: "Network TCP Test", + Description: "Network E2E Tests: TCP", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eTCP) GetSelectedEvents() ([]detect.SignatureEventSelector, error) { diff --git a/tests/e2e-net-signatures/e2e-udp.go b/tests/e2e-net-signatures/e2e-udp.go index d7107e07a401..ea0dc71d668c 100644 --- a/tests/e2e-net-signatures/e2e-udp.go +++ b/tests/e2e-net-signatures/e2e-udp.go @@ -13,22 +13,20 @@ type e2eUDP struct { cb detect.SignatureHandler } -var e2eUDPMetadata = detect.SignatureMetadata{ - ID: "UDP", - EventName: "UDP", - Version: "0.1.0", - Name: "Network UDP Test", - Description: "Network E2E Tests: UDP", - Tags: []string{"e2e", "network"}, -} - func (sig *e2eUDP) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback return nil } func (sig *e2eUDP) GetMetadata() (detect.SignatureMetadata, error) { - return e2eUDPMetadata, nil + return detect.SignatureMetadata{ + ID: "UDP", + EventName: "UDP", + Version: "0.1.0", + Name: "Network UDP Test", + Description: "Network E2E Tests: UDP", + Tags: []string{"e2e", "network"}, + }, nil } func (sig *e2eUDP) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {