RSS

Falco Rules Changelog

Falco rules are used in the Sysdig Secure Policy Editor.

Commit Date

Rule Notes

Version of the Falco Rules Installer (On-Prem)

January 20, 2023

Rule Changes

  • Added the following rules:

    • Modify Security Group Rule Allowing Ingress Open to the World

    • Connection to IPFS Network Detected

  • Improved condition for the following rules:

    • Create Security Group Rule Allowing Ingress Open to the World

    • Create a Network ACL Entry Allowing Ingress Open to the World

    • Detect reconnaissance scripts

    • Lastlog Files Cleared

    • Launch Remote File Copy Tools in Container

    • Put Bucket Lifecycle

    • Delete or rename shell history

  • Added exception for the following rules:

    • Put Bucket Lifecycle

    • Update Assume Role Policy

  • Updated IoCs Ruleset with new findings.

  • Reduced false positives for the following rule Find AWS Credentials rule.

  • Default Policy Changes

    Added the following rules:

    • Modify Security Group Rule Allowing Ingress Open to the World

    • Connection to IPFS Network Detected

0.99.0

January 09, 2023

Rule Changes

  • Reduced false positives for the Container Run as Root User rule.

  • Improve condition for the Suspicious Operations with Firewalls rule.

  • Added the following rules:

    • K8s Networkpolicy Deleted

    • Modify Security Group

    • K8s Networkpolicy Created/modified

    • AWS SSM Send Command

  • Added tags to the K8s Networkpolicy Deleted rule.

  • Added exceptions for the following:

    • Delete Organization Config Rule

    • Delete Cluster

    • Elasticsearch Domain Creation without Encryption at Rest

    • ECR Image Pushed

    • Put Remediation Configurations

    • Delete Configuration Aggregator

    • Put Organization Config Rule

    • Put Organization Conformance Pack

    • Stop Configuration Recorder

    • Delete Organization Conformance Pack

    • ECS Service Created

    • ECS Service Deleted

    • Terminal Shell in ECS Container

    • ECS Task Run or Started

    • ECS Service Task Definition Updated

    • ECS Task Stopped

    • Create HTTP Target Group without SSL

    • Elasticsearch Domain Creation without VPC

    • Run Instances

    • CloudTrail Trail Created

    • Create Security Group Rule Allowing SSH Ingress

    • Guard Duty Disassociate from Master Account

    • Guard Duty Delete Members

    • Disable GuardDuty

    • Delete Detector

    • Create Access Key for Root User

    • Guard Duty Disassociate Members

    • Stop Monitoring Members

    • Password Recovery Requested

    • Deactivate Hardware MFA for Root User

    • Add AWS User to Group

    • Attach Administrator Policy

    • Attach IAM Policy to User

    • Deactivate MFA for Root User

    • Create Group

    • Create IAM Policy that Allows All

    • Create Access Key for User

    • Deactivate Virtual MFA for Root User

    • Delete Virtual MFA for Root User

    • Create AWS user (SSO)

    • Create AWS user

    • Delete AWS user (SSO)

    • Deactivate MFA for User Access

    • Delete Group

    • Put IAM Inline Policy to User

    • Delete AWS user

    • Remove AWS User from Group

    • Update Account Password Policy Not Expiring

    • Update Account Password Policy Expiring in More Than 90 Days

    • Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

    • Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

    • Update Account Password Policy Not Requiring 14 Characters

    • Update Account Password Policy Not Requiring 7 Characters

    • Update Account Password Policy Not Requiring Lowercase

    • Update Account Password Policy Not Requiring Number

    • Update Account Password Policy Not Requiring Symbol

    • Update Account Password Policy Not Requiring Uppercase

    • Replace Route

    • Modify Image Attribute

    • Modify Snapshot Attribute

    • Revoke Security Group Egress

    • Revoke Security Group Igress

    • Run Instances in Non-approved Region

    • Create Internet-facing AWS Public Facing Load Balancer

    • Delete Listener

    • Modify Listener

    • Disable EBS Encryption by Default

    • Contact EC2 Instance Metadata Service From Container

    • EC2 Serial Console Access Enabled

    • Make EBS Snapshot Public

    • Get Password Data

  • Default Policy Changes

  • Added the following rules:

    • K8s Networkpolicy Deleted

    • Modify Security Group

    • K8s Networkpolicy Created/modified

    • AWS SSM Send Command

0.98.2

January 04, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • aws_latest_runtimes

    • Read sensitive file untrusted

    • Read Shell Configuration File

  • Updated IoCs Ruleset with new findings.

  • Added exception for the DB program spawned process rule.

  • Improve output for the Suspicious System Service Modification rule.

0.98.0

December 04, 2022

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF Program Loaded into Kernel

    • Non sudo setuid

    • Read SSH information

    • Read Shell Configuration File

    • Write below etc

    • Reconnaissance attempt to find SUID binaries

    • Suspicious Domain Contacted

  • Updated IoCs Ruleset with new findings.

  • Improved detection for the Non sudo setuid rule.

  • Added the following rule: Detect cloned process by PRoot

  • Default Policy Changes

    Added the Detect cloned process by PRoot rule.

0.96.0

December 01, 2022

Rule Changes

Disable the Create Hidden Files or Directories rule.

0.94.2

November 29, 2022

Rule Changes

  • Improved output for the Suspicious Cron Modification rule.

  • Reduced false positive for the Read SSH information rule.

  • Updated IoCs Ruleset with new findings.

  • Enabled the Create Hidden Files or Directoriesrule.

  • Added the Create/modify EKS serviceaccount boundrule to the AWS IAM role.

  • Add the Suspicious Domain Contactedrule.

Default Policy Changes

  • Added the Suspicious Domain Contactedrule.

  • Added the Create/modify EKS serviceaccount boundrule to the AWS IAM role.

0.94.0

November 22, 2022

Rule Changes

  • Reduced false positives for the following rules:

    • Privileged Shell Spawned Inside Container

    • Clear Log Activities

    • Read ssh information

    • Search Private Keys or Passwords

    • Launch Suspicious Network Tool in Container

    • Container Run as Root User

    • Change Thread Namespace

    • Read Shell Configuration File

  • Improve tags for the eBPF Program Loaded into Kernelrule.

  • Updated IoCs Ruleset with new findings.

  • Improved detection for the Non sudo setuid rule.

  • Added the following rules:

    • Mutated Pod Detected

    • Configmap aws-auth changed

  • Default Policy Changes

    • Added the following rules:

      • Mutated Pod Detected

      • Configmap aws-auth changed

0.93.0

November 10, 2022

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Kernel Parameter Modification

    • The docker client is executed in a container

    • Mount Launched in Privileged Container

    • Reconnaissance attempt to find SUID binaries

    • PTRACE attached to process

    • Linux Kernel Module Injection Detected

  • Updated IoCs Ruleset with new findings.

  • Improved detection for the Non sudo setuid rule.

  • Added the following rules:

    • Redirect STDOUT/STDIN to Network Connection in Host

    • Lastlog files cleared

  • Default Policy Changes

    • Added the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Lastlog files cleared

    • Move the Unexpected Connection from legitimate Process/Port rule to Default Policy

0.92.0

October 19, 2022

Rule Changes

  • Rename lists, macros, and rules for Falco Cloud.

  • Add the Unexpected Connection from legitimate Process/Port rule.

  • Updated IoCs Ruleset with new findings.

  • Edit the output for the  Reconnaissance attempt to find SUID binaries rule.

Default Policy Changes

  • Rename lists, macros, and rules for Falco Cloud.

  • Add the Unexpected Connection from legitimate Process/Port rule.

0.91.0

October 14, 2022

Rule Changes

  • Update the sensitive_kernel_parameter_files list to detect changes on the ptrace_scope file.

  • Added the Diamorphine Rootkit Activity  rule.

  • Updated IoCs Ruleset with new findings.

  • Reduced false positives in the Dump memory for credentials rule.

Default Policy Changes

  • Added the Diamorphine Rootkit Activity rule.

  • Reduced false positives in the Dump memory for credentials rule.

0.90.0

October 07, 2022

Rule Changes

  • Tuning the Dump memory for credentials on rule.

  • Add the kill malicious process and detect dump memory for credentials rule.

  • Updated IoCs Ruleset with new findings.

  • Updated Cloud Mitre tags.

  • Reduced false positives in Falco Rules.

  • Added news rules: Dump memory for credentials Kill known malicious process

  • Use glob in the user_ssh_directory macro and remove openat2 from conditions.

  • Added exception to the AWS Command Executed by Untrusted User rule.

  • Changed exception in the Change Resource Record Sets rule.

  • Changed the allowed_k8s_users list.

Default Policy Changes

  • Tuned the Dump memory for credentials rule.

  • Added the new rules: Dump memory for credentials and Kill known malicious process .

0.89.0

September 23, 2022

Rule Changes

  • Increased IoCs and added additional exceptions.

  • Added exclusions to reduce false Positives.

  • Adding additional parameters to sensitive_kernel_parameter_files list.

0.87.0

September 08, 2022

Rule Changes

  • Added additional exceptions to aid in addressing false positives: Suspicious Kernel Parameter Modification.

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Removed the following rules from default policies:Scripting Language Execution below dev.

0.85.0

August 24, 2022

Rule Changes

  • New rules:Share RDS Snapshot with Foreign Account

  • Rule tuning for the following:

    • PTRACE anti-debug attempt

    • Suspicious Cron Modification

    • Suspicious Java Child Processes

    • Create Symlink Over Sensitive Files

    • Netcat Remote Code Execution in Container

    • eBPF Program Loaded into Kernel

  • Updated IoCs Ruleset with new findings.

0.83.0

August 19, 2022

Rule Changes

  • Fixed the output for two PTRACE rules.

  • Added additional conditions to improve detections for Delete/rename Bash History.

  • Enable the do_unexpected_udp_checkmacro.

  • Added the new rule: GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).

Auto-Tuner Exception Updates

  • Added additional exceptions for Privileged Shell Inside Container.

  • Added Azure core image to the exception, Suspicious Cron Modification.

0.82.0

Aug 11, 2022

Rule Changes

  • Added Azure rule: Azure RDP Access Is Allowed from The Internet

  • Updated auto-tuner exceptions to reduce excessive noise:

    • Change Resource Record Sets (AWS)

    • Create Hidden Files or Directories

    • Describe Instances (AWS)

    • GCP Delete Compute VM Instance

    • GCP Operation by a Non-corporate Account

    • List Buckets (AWS)

    • Non sudo setuid

    • Root User Executing AWS Command

    • Run shell untrusted

    • The docker client is executed in a container

    • User mgmt binaries

  • Updated IoCs Ruleset with new findings.

  • Default Policy Changes

    Added new rules: Azure RDP Access Is Allowed from The Internet

0.81.2

Aug 05, 2022

Rule Changes

  • Added additional exceptions to older agent versions to aid in addressing false positives:

    • Linux Kernel Module Injection Detected

    • eBPF Program Loaded into Kernel

    • Privileged Shell Spawned Inside Container

  • Added the following new rules:

    • GPG Key Reconnaissance

    • Create Access Key for User

  • Extended the condition of the following rules:

    • Base64-encoded Python Script Execution

    • nsenter Container Escape

  • Updated IoCs Ruleset with new findings.

  • Default Policy Changes

    Added new rules to default policies.

    • nsenter Container Escape

    • GPG Key Reconnaissance

    • Create Access Key for User

0.80.1

July 26, 2022

Rule Changes

  • Added additional exceptions to older agent versions to aid in addressing false positives:

    • Non sudo setuid

    • Set Setuid or Setgid bit

    • eBPF Program Loaded into Kernel

  • Added the following new rules:

    • PTRACE anti-debug attempt

    • PTRACE attached to process

    • Detect reconnaissance scripts

    • Detect malicious cmdlines

    • GCP Create DNS Record

    • GCP Create DNS Zone

    • GCP Delete DNS Record

    • GCP Update DNS Record

    • GCP Update DNS Zone

    • GCP Cloud Armor Blocked Connection

    • GCP Cloud IDS Alert

    • Delete AWS user (SSO)

  • Updated the following rule: Reconnaissance attempt to find SUID binaries

  • Updated the following lists: falco_privileged_images

  • Updated IoCs Ruleset with new findings.

  • Default Policy Changes

    Added new rules to default policies.

0.79.2

July 15, 2022

Rule Changes

  • Added additional exceptions to older agent versions to aid in addressing false positives:

    • Non sudo setuid

    • Set Setuid or Setgid bit

    • eBPF Program Loaded into Kernel

  • Added the following new rules:

    • Detect curl Using Socks Proxy

    • Create AWS user (SSO)

    • GCP Delete VPN

    • GCP App Engine Firewall Rule Created

    • GCP Compute Firewall Rule Created

    • GCP Create VPN

    • GCP Sensitive Role Added to User

  • Added additional exceptions to:

    • Read sensitive file untrusted

    • Run shell untrusted

    • Non sudo setuid

    • Clear Log Activities

    • Execution of binary using ld-linux

    • eBPF Program Loaded into Kernel

    • Terminal shell in container

    • The docker client is executed in a container

  • Added the Detect curl Using Socks Proxy rule to IoCs Malware Activity and Sysdig Runtime Threat Detection policies

  • Added Create AWS user (SSO) to the Sysdig AWS Activity Logs policy.

  • Added GCP Delete VPN and GCP Sensitive Role Added to the User rules to Sysdig GCP Notable Events policy.

  • Added the GCP App Engine Firewall Rule Created, GCP Compute Firewall Rule Created, and GCP Create VPN rules to the Sysdig GCP Activity Logs policy.

  • Split AWS rules into individual files and moved lists out of individual files and into its own file at the top of the output aws_cloudtrail.yaml.

  • Fixed tag in the Delete Cluster rule.

  • Updated IoCs Ruleset with new findings.

0.78.0

July 08, 2022

Rule Changes

  • Restored the following missing rule: nsenter Container Escape

  • Cleaned up the following duplicate macro: falco_sensitive_mount_containers

  • Adjusted the following eBPF rule: eBPF Program Loaded into Kernel

  • Updated IoCs Ruleset with new findings.

  • Updated all the Cloudtrail rules to add ARNs to output.

Default Policy Changes

Modified to work with both old default_policies and managed default_policies.

0.77.0

July 01, 2022

Rule Changes

Added Miner IP Pool Threat Intelligence: Detect outbound connections to common miner pool ports

0.76.1

June 30, 2022

Rule Changes

  • Added additional exceptions : Linux Kernel Module Injection Detected

  • Created the following new rules:

    • GCP App Engine Firewall Rule Deleted

    • GCP App Engine Firewall Rule Updated

    • GCP Create Cloud Function v2 Not Using Latest Runtime

    • GCP Create Cloud Function v2

    • GCP Compute Firewall Rule Deleted

    • GCP Compute Firewall Rule Updated

    • GCP Delete Compute VM Instance

    • GCP Update Cloud Function v2

    • Malicious Environment Variable in Spawned Process

    • nsenter Container Escape

  • Updated the following GCP rules:

    • GCP Create Cloud Function Not Using Latest Runtime

    • GCP Create Cloud Function

    • GCP Create DLP Job

    • GCP Delete DLP Job

    • GCP Paused DLP Job

    • GCP Suspicious IP Inbound Request

    • GCP Update Cloud Function

    • GCP Updated DLP Job

  • Added CIS tag to rules related to CIS Docker Security Benchmark controls:

    • Container Run as Root User

    • Disallowed SSH Connection

    • Launch Privileged Container

    • Launch Root User Container

    • Launch Sensitive Mount Container

    • Mount Launched in Privileged Container

    • Privileged Shell Spawned Inside Container

    • Reconnaissance attempt to find SUID binaries

    • The docker client is executed in a container

    • Write below root

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the following rules to the default policy:

  • GCP App Engine Firewall Rule Deleted

  • GCP Compute Firewall Rule Deleted

  • Malicious Environment Variable in Spawned Process

  • nsenter Container Escape

0.76.0

June 24, 2022

Rule Changes

  • Added additional exceptions to older agent versions to aid in addressing false positives:

    • Create Symlink Over Sensitive Files

    • Execution of binary using ld-linux

    • Run shell untrusted

  • Modified the following macros:

    • truncate_shell_history

    • modify_shell_history

  • Extended the condition of the rule, Detect crypto miners using the Stratum protocol , to improve detection capabilites

  • New rules created:

    • Launch malicious container image

    • GCP Suspicious IP Inbound Request

    • GCP Allow Public Access to Bucket

    • GCP KMS Schedule Key Deletion

    • GCP Create DLP Job

    • GCP Delete DLP Job

    • GCP Update DLP Job

    • GCP Paused DLP Job

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rule to the default policy, IoCs Malware Activity: Launch malicious container image

  • Added the following rules to the default policy, Sysdig GCP Best Practices:

    • GCP Suspicious IP Inbound Request

    • GCP Allow Public Access to Bucket

    • GCP KMS Schedule Key Deletion

    • GCP Delete DLP Job

    • GCP Paused DLP Job

0.75.0

June 17, 2022

Rule Changes

  • Added the following new rules:

    • AWS Suspicious IP Inbound Request

    • eBPF Program Loaded into Kernel

  • Modified the following rules:

    • Symlink over Sensitive Files

    • Container Drift rules (with new exceptions)

  • Updated the macro: sysdig_commercial_images. It now contains two new KSPM images.

  • Add the new macro ti_anon_ips  for Tor source IPs.

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the new rule,  AWS Suspicious IP Inbound Request to the Sysdig AWS Best Practices policy.

  • Added the new rule, eBPF Program Loaded into Kernel  to the Suspicious Container Activity policy.

0.74.3

June 03, 2022

Rule Changes

  • Added a new rule: Suspicious Java Child Processes

  • Updated the package_mgmt_procs macro to detect package management process with python

  • Updated some exceptions in the rule,Change thread namespace

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

Added the new rule, Suspicious Java Child Processes,to the IoCs Malware Activity

0.72.0

May 26, 2022

Rule Changes

  • Added the following new rules:

    • Reconnaissance attempt to find SUID binaries

    • Suspicious Home Directory Creation

  • Modified exceptions to reduce noise:

    • Change thread namespace

    • Contact cloud metadata service from container

    • DB program spawned process

    • K8s ConfigMap Created

    • K8s ConfigMap Deleted

    • K8s Serviceaccount Created

    • Netcat Remote Code Execution in Container

    • Privileged Shell Spawned Inside Container

    • Set Setuid or Setgid bit

    • System ClusterRole Modified/Deleted

    • Write below monitored dir

    • Write below root

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following new policies:

    • Reconnaissance attempt to find SUID binaries

    • Suspicious Home Directory Creation

0.70.3

May 20, 2022

Rule Changes

  • Added additional exceptions to the following rules to aid in addressing false positives:

    • Set Setuid or Setgid bit

    • Execution from /tmp

  • Fixed the condition of the following rules:

    • Execution from /tmp

    • Execution from /dev/shm

  • Updated IoCs Ruleset with new findings.

0.69.0

May 13, 2022

Rule Changes

  • Added additional exceptions to older agent versions to aid in addressing false positives:

    • Run shell untrusted

    • Launch Privileged Container

    • Container Run as Root User

    • Write below root

    • Write below rpm database

    • DB program spawned process

    • Privileged Shell Spawned Inside Container

    • Launch Suspicious Network Tool in Container

    • Remove Bulk Data from Disk

    • Set Setuid or Setgid bit

    • Packet socket created in container

    • Execution from /tmp

  • Created the new rule, Possible Backdoor using BPF. This rule triggers if process was seen attaching a BPF filter on a network socket, this could indicate packet sniffing for use in a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule.

  • Created the new rule, Execution of binary using ld-linux. This method can be used to execute programs that do not have the exec bit set and may possibly evade detection measures.

  • Fixed the condition of the following rules:

    • Write below binary dir

    • Set Setuid or Setgid bit

  • Updated IoCs Ruleset with new findings

Default Policy Changes

    • Added the new rule,  Possible Backdoor using BPF to the Notable Network Activity policy. Write below binary dir

    • Added the new rule,  Execution of binary using ld-linux to the IoCs Malware Activity policy.

0.68.1

May 6, 2022

Rule Changes

  • Added additional exceptions to older agent versions to aid in addressing false positives:

    • Modify binary dirs

    • Redirect STDOUT/STDIN to Network Connection in Container

    • Container Run as Root User

    • Execution from /tmp

  • Created the new rule Tampering with Security Software in Container. This rule detects common techniques by threat actors to disable runtime security software.

  • Created the new rule Detect outbound connections to TOR Entry Nodes. This rule detects when clients reach the TOR network through its entry nodes. NOTE: This is an EXPERIMENTAL rule and only contains a subset of TOR entry nodes. It will be improved upon in the future.

  • Fixed the condition of the following rule: Execution from /tmp

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Moved the rule Redirect STDOUT/STDIN to Network Connection in Container to the Notable Container Activity default policy

  • Added the new rule Tampering with Security Software in Container to the Suspicious Container Activity default policy

  • Added the new rule Detect outbound connections to TOR Entry Nodes to the IoCs Malware Activity default policy

0.67.1

April 28, 2022

Rule Changes

  • Added new rule file, threat_intelligence_feed.yaml , with lists and macros directly updated by Sysdig Threat Research Team.

  • Updated the following list: sysdig_commercial_images

  • Updated IoCs Ruleset with new findings.

  • Updated Falco rules conditions:

    • Execution from /tmp

    • Execution from /dev/shm

    • Network Connection outside Local Subnet

  • Added additional exceptions to aid in addressing false positives:

    • Execution from /tmp

    • Create Symlink Over Sensitive Files

    • Change thread namespace

    • DB program spawned process  

    • Suspicious Cron Modification

0.66.1

April 21, 2022

Rule Changes

  • Added a new AWS Cloudtrail rule: Create RDS DB Instance with Public Access

  • Added the following Falco rules:

    • Base64-encoded Shell Script Execution
    • Execution from /dev/shm
  • Added additional exceptions to aid in addressing false positives:

    • Service Account Created in Kube Namespace
    • K8s Serviceaccount Created
  • Modified to add a list of malicious IPs: Outbound Connection to C2 Servers

  • Updated IoCs Ruleset with new findings

Default Policy Changes

  • Added the following:

    • Base64-encoded Shell Script Execution
    • Execution from /dev/shm
  • Moved to enabled policy: Outbound Connection to C2 Servers

0. 65.1

April 18, 2022

Rule Changes

Added additional exceptions to the following rules to aid in addressing false positives:

  • Change thread namespace

  • Create Symlink Over Sensitive Files

  • Container Run as Root User

  • DB program spawned process

  • Privileged Shell Spawned Inside Container

  • Run shell untrusted

  • Set Setuid or Setgid bit

  • Write below etc

0.65.0

April 17, 2022

Rule Changes

Added additional exceptions to the following rules to aid in addressing false positives: Privileged Shell Spawned Inside Container

0.64.1

April 15, 2022

Rule Changes

  • Added additional exceptions to the following rules to aid in addressing false positives:

    • Packet socket created in container

    • Change thread namespace

    • Run shell untrusted

    • Container Run as Root User

  • Created the new rule Base64-encoded Python Script Execution. This rule detects base64-encoded Python scripts on command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.

  • Fixed the output of the following rules:

    • K8s Serviceaccount Created

    • K8s Serviceaccount Deleted

    • Updated IoCs Ruleset with new findings

Rule Changes

  • Added the Base64-encoded Python Script Execution  rule to the IoCs Malware Activity default policy

  • Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy

  • Created the new default policy,  Known Exploit Detection. This policy embedes the rules that can identify potential exploits of well-known CVEs.

0.64.0

April 12, 2022

Rule Changes

  • Added additional exceptions to the following rules to aid in addressing false positives:

    • Schedule Cron Jobs

    • Set Setuid or Setgid bit

    • Create Symlink Over Sensitive Files

  • Disable the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule removing its condition.

0.63.0

April 09, 2022

Rule Changes

  • Updated the following rules:

    • Simple output changes to the Detect outbound connections to common miner pool portscode> rule.

    • Updated priority and included additional cron paths for the Create Symlink Over Sensitive Files rule.

    • Updated IoCs Ruleset with new findings

  • The following new rules have been introduced.

    • Privileged Shell Spawned Inside Container. This rule detects a root shell being opened by a compromised process for interaction by the attack

    • Debugfs Launched in Privileged Container. This rule detects file system debugger, debugfs, launched inside a privileged container which might lead to container escape.

    • Mount Launched in Privileged Container. This rule detects file system mount occurrence inside a privileged container which might lead to container escape.

    • Unprivileged Delegation of Page Faults Handling to a Userspace Process. This rule detects a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs

    • Launch Ingress Remote File Copy Tools in Container. This rule detects ingress remote file copy tools launched in a container. For example, curl and wget.

    • Suspicious Cron Modification. This rule detects direct writes to cron job files.

Default Policy Changes

  • Policy: Notable Filesystem Changes

    • added the Suspicious Cron Modification rule.

    Policy: Suspicious Container Activity

    • Added the Debugfs Launched in Privileged Container rule.

    • Added the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule.

    Policy: Suspicious Lateral Movement Activity to Cloud

    • Added the Mount Launched in Privileged Container rule.

    Policy: Unexpected Spawned Processes

    • Added the Privileged Shell Spawned Inside Container rule.

0.62.1

April 06, 2022

Rule Changes

Reduce noise for the rulesWrite below monitored dir and write below etc by adding additional exceptions.

0.62.0

March 25, 2022

Rule Changes

  • Added the following new rules:

    • Base64'd ELF file on Command Line

    • Execution from /tmp

  • Updated auto-tuner exceptions for the following:

    • Launch Sensitive Mount Container

    • Service Account Created in Kube Namespace

  • Updated IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following new rules:

    • Base64'd ELF file on Command Line

    • Execution from /tmp

0.60.0

March 18, 2022

Rule Changes

  • Updated the Launch Root User Container condition rule.

  • Updated the following lists to address false positive :

    • miner_domains

    • allowed_k8s_users

  • Updated some exceptions in the  Schedule Cron Jobs rule.

  • Created the sssd_writing_krb  macro from the new release of OSS Falco.

  • Updated IoCs Ruleset with new findings.

  • Updated the following macros based on the changes in Falco OS:

    • modify_shell_history

    • truncate_shell_history

    • write_etc_common

Default Policy Changes

  • TheIoCs Malware Activity policy has been updated.

    • Malicious filenames writtenadded.

    • Malicious process detected removed.

  • Removed some rules from Notable Filesystem Changes policy:

    • Write below etc

    • Write below root

    • Write below rpm database

    • Write below binary dir

  • Removed one rule from the Notable Container Activity policy: Change thread namespace

0.59.2

March 10, 2022

Rule Changes

  • Exclude ptp and dp from the Change thread namespacerule.

  • Exclude self from the K8s Serviceaccount Created rule.

  • Exclude known cron writers from the Schedule Cron Jobs rule.

  • Updated the IoCs Ruleset with new findings.

0.58.1

March 06, 2022

Rule Changes

  • Add additional exceptions to aid in addressing false positive for rules:

    • Schedule Cron Jobs

    • Non sudo setuid

    • Launch Privileged Container

    • K8s Serviceaccount Created

  • Updated the following macros baed on the changes in Falco OS:aws_eks_core_images

  • Updated IoCs Ruleset with new findings.

0.57.2

March 03, 2022

Rule Changes

Fixed exception to aid in addressing false positives for rules: Contact K8S API Server From Container

0.56.5

March 01, 2022

Rule Changes

  • Update rule: DB program spawned process

  • Create macro:pgbackrest_info_childs

0.56.4

February 18, 2022

Rule Changes

  • Add additional exceptions to older agent versions to aid in addressing false positive for rules:

    • Modify Shell Configuration File

    • Modify Shell Configuration File

    • Write below etc

    • Write below rpm database

    • DB program spawned process

    • Clear Log Activities

    • Launch Root User Container

  • Updated the following macros based on the changes in Falco OS:

    • containerd_shell_modify

    • tanium_client_running_python

    • postgres_running_pgbackrest

    • proc_file_suffix

    • known_redirect_procs

  • Updated the following lists to address false positives:

    • known_setuid_binaries

    • known_k8s_api_programs

    • gke_trusted_images_launch_root_list

  • Updated IoCs Ruleset with new findings.

0.55.2

February 10, 2022

Rule Changes

  • Add additional exceptions to older agent versions to aid in addressing false positive for rules:

    • Change thread namespace

    • Write below rpm database

    • Write below root

    • Clear Log Activities

    • Launch Root User Container

  • Updated the following macros based on the changes in Falco OS:

    • parent_python_running_sdchecks

    • python_running_sdchecks

    • exe_sysdig

    • tanium_client_running_python

    • sysdig_dragent

    • trusted_logging_images

  • Updated the following lists based on the changes in Falco OS:

    • sysdig_commercial_images

    • allowed_dev_files

    • user_known_chmod_applications

    • miner_domains

  • Updated IoCs Ruleset with new findings.

0.54.3

February 07, 2022

Rule Changes

    Add additional exceptions to older agent versions to aid in addressing false positive for rules: Launch Root User Container

0.53.4

February 04, 2022

Rule Changes

  • Add additional exceptions to older agent versions to aid in addressing false positive for rules:

    • Modify Shell Configuration File

    • Write below etc

    • Write below root

    • Read sensitive file trusted after startup

    • Change thread namespace

    • Launch Suspicious Network Tool in Container

    • Redirect STDOUT/STDIN to Network Connection in Container

  • Updated the following macros based on the changes in Falco OS:

    • spawned_process

    • sensitive_mount

  • Updated the following lists based on the changes in Falco OS:

    • falco_hostnetwork_images

    • deb_binaries

    • known_sa_list

    • falco_sensitive_mount_images

  • Updated the following lists to address false positives:

    • db_server_binaries

    • user_known_chmod_applications

  • Updated IoCs Ruleset with new findings.

0.53.3

January 29, 2022

Rule Changes

  • Add additional exceptions to older agent versions to aid in addressing false positives for rules:Write below etc.

  • Updated IoCs Ruleset with new findings.

  • Add new rules:

    • Modify ld.so.preload

    • Polkit Local Privilege Escalation Vulnerability(CVE-2021-4034)

0.52.0

January 21, 2022

Rule Changes

Updated IoCs Ruleset with new findings.

0.51.1

January 14, 2022

Rule Changes

  • Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role.

  • Updated tags for AWS Rule:AWS Command Executed on Unused Region.

  • Updated tags for the following GCP Rules:

    • GCP Invitation Sent to Non-corporate Account

    • GCP Create User-managed Service Account Key

    • GCP Create GCP-managed Service Account Key

    • GCP Create Cloud Function Not Using Latest Runtime

    • GCP Set Bucket IAM Policy

    • GCP Create Bucket

0.50.5

Topics in This Section
2021 Archive

2021 Archive of released Falco Rules.

2020 Archive

2020 Archive of released Falco Rules.

2019 Archive

2019 Archive of released Falco Rules.