Share the weirdest or most clever Falco rule you’ve created — whether it caught something serious or just made you laugh. Bonus points for real-world outcomes or memes.
When I was studying for CKS last year (it was my last exam before getting the Kubestronaut prize), I used some kind of weird strategies to learn rules.
Instead of doing too much killer.sh or killercoda, here is what I used among others:
```yaml
# A macro cannot be used as the right-hand side of "in (...)": it would be compared as a
# literal string. The binary names live in a list instead, which both the macro and the
# proc.pname check can reference.
- list: package_manager_binaries
  items: [apt, yum, dnf, apk, pip, npm]

- macro: trusted_package_managers
  condition: proc.name in (package_manager_binaries)

# Inside a container, and the spawned process's own command line looks like an install/update.
- macro: package_manager_context
  condition: >
    container.id != host
    and (proc.cmdline contains "install" or proc.cmdline contains "update")

- rule: impersonate_package_manager
  desc: "Non-package manager binary masquerading as package manager via parent process"
  condition: >
    spawned_process
    and not trusted_package_managers
    and package_manager_context
    and proc.pname in (package_manager_binaries)
    and not proc.aname in (docker-build, ci-runner)
  output: >
    SUSPICIOUS: Binary impersonating package manager!
    (user=%user.name cmd=%proc.cmdline parent=%proc.pname image=%container.image)
  priority: CRITICAL
  tags: [malware, cryptojacking, mitre_t1564.001]
```
Try it and let me know…
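To see what the rule above does and does not match before loading it into Falco, here is an added Python model of its condition logic (example code, not part of the original post and not Falco's own evaluator); the event dicts mirror the Falco fields the rule uses, and every event is constructed.

```python
# Added example (not from the original post): a small Python model of the
# impersonate_package_manager rule, so its match logic can be checked against
# constructed process events before the YAML is loaded into Falco. The dict keys
# mirror the Falco fields the rule uses; every event below is made up.

PACKAGE_MANAGERS = {"apt", "yum", "dnf", "apk", "pip", "npm"}  # trusted_package_managers
BUILD_ANCESTORS = {"docker-build", "ci-runner"}                 # excluded proc.aname values


def package_manager_context(ev):
    """Macro: running in a container and the command line looks like an install/update."""
    cmdline = ev["proc.cmdline"]
    return ev["container.id"] != "host" and ("install" in cmdline or "update" in cmdline)


def impersonate_package_manager(ev):
    """Rule body: a non-package-manager binary, spawned by a package manager, in
    install/update context, with no CI/build tool anywhere in its ancestry."""
    return (
        ev["proc.name"] not in PACKAGE_MANAGERS
        and package_manager_context(ev)
        and ev["proc.pname"] in PACKAGE_MANAGERS
        and not (set(ev["proc.aname"]) & BUILD_ANCESTORS)  # proc.aname matches any ancestor
    )


def evaluate(events):
    """Names of the events the rule would alert on, in input order."""
    return [ev["name"] for ev in events if impersonate_package_manager(ev)]


def event(name, proc, parent, ancestors, cmdline, container="c0ffee"):
    return {"name": name, "proc.name": proc, "proc.pname": parent,
            "proc.aname": ancestors, "proc.cmdline": cmdline, "container.id": container}


# Constructed sample events: one true hit and four cases the rule stays quiet on.
SAMPLE_EVENTS = [
    event("shell_under_apt", "sh", "apt", ["apt", "bash"], "sh -c /tmp/post-install.sh"),
    event("apt_itself", "apt", "bash", ["bash"], "apt-get install nginx"),
    event("npm_in_ci", "sh", "npm", ["npm", "ci-runner"], "sh -c npm install"),
    event("apt_on_host", "sh", "apt", ["apt"], "sh -c /tmp/post-install.sh", container="host"),
    # child of `pip install` whose own cmdline has neither word: the context macro
    # inspects the child's cmdline, not the parent's, so this one is not matched
    event("pip_child", "python3", "pip", ["pip"], "python3 setup.py build"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['shell_under_apt']
```

The last sample event is the caveat worth keeping in mind: package_manager_context tests the spawned child's command line, so a child of `pip install` or `npm install` that does not carry "install" or "update" in its own cmdline never reaches the parent check.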