Page 1: Find the Hacker

Find the Hacker with Sysdig and Falco
Mark Stemm, Falco Engineer

Page 2: Find the Hacker

Information presented is confidential

Overview

• A contest!
• Use Sysdig and Falco to identify suspicious behavior
• Write a Falco rule that captures this behavior
• Send a Falco notification to our public slack channel:
  • sysdig.slack.com, #ccwfs-falco-alerts
• Winner gets a prize!

Page 3: Find the Hacker

The Prize!

• Holy Stone F181 RC Quadcopter Drone
• HD Camera RTF 4 Channel 2.4GHz 6-Gyro Headless System Black (Upgraded with Altitude Hold Function)
• Value: $ 85.99

Page 4: Find the Hacker

Scenario Details

• EC2 Instance running at:
  • IP Address=52.52.146.24
  • username=ccwfs, passwd=SysD1gR0cks
• has sysdig, falco installed
• This machine is compromised
• An attacker has installed program(s) that is/are doing something suspicious
• There is a specific IP related to this suspicious activity
  • Not the IPs 52.52.146.24 or 172.XXX—those are the instance IPs

Page 5: Find the Hacker

Your job

• Identify the suspicious behavior
  • you can use sysdig, falco, anything else
• Write a falco rule that identifies this behavior and the IP address related to it
  • rule’s output should include the IP address, your name/email/etc.
• Send the notification to our public slack channel via a web hook
  • https://hooks.slack.com/services/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
• Hint: to transform JSON with field “output” to slack-compatible JSON:
  • jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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
• Hint: to run falco with a custom config file: falco -c <conf.yaml>

Page 6: Find the Hacker

Hints

Page 7: Find the Hacker

Hint #1

• The suspicious behavior is related to something below /etc

• How can you find things reading/writing below /etc?
  • sudo sysdig fd.directory=/etc

Page 8: Find the Hacker

Hint #2

• What is cpp doing?
  • sudo sysdig proc.name=cpp
• What network activity is cpp performing?
  • sudo sysdig "proc.name=cpp and evt.type in (connect, bind, listen, send, sendto, recv, recvfrom, read, write)"

Page 9: Find the Hacker

Hint #3

• What identifies the specific IP address in question?
  • sudo sysdig -p "command=%proc.cmdline dest IP=%fd.rip Port=%fd.rport" proc.name=cpp and evt.type=sendto

Page 10: Find the Hacker

Hint #4

• What’s a falco rule that identifies this activity?

  - rule: Exfiltration attempt
    desc: Attempt to exfiltrate /etc/shadow
    condition: proc.name=cpp and evt.type=connect and evt.dir=<
    output: command=%proc.cmdline dest IP=%fd.rip Port=%fd.rport (I'm mstemm)
    priority: WARNING

Page 11: Find the Hacker

Hint #5

• How do you configure falco to send this notification to the slack webhook?

  # Whether to output events in json or text
  json_output: true

  …

  program_output:
    enabled: true
    program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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"
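To see why the rule in Hint #4 fires only on the return of cpp's connect() and how the output template and the jq transform from Hint #5 turn that into the Slack message, here is an added toy evaluator (not part of the deck and not Falco's own code) run over constructed events with documentation-range IPs:

```python
import json
import re

# Constructed sample events (not captured from the contest machine), shaped as the
# sysdig/falco fields the rule and its output template reference.
EVENTS = [
    {"evt.type": "connect", "evt.dir": ">", "proc.name": "cpp",          # syscall entry
     "proc.cmdline": "cpp /etc/shadow", "fd.rip": "198.51.100.7", "fd.rport": 4444},
    {"evt.type": "connect", "evt.dir": "<", "proc.name": "cpp",          # syscall return
     "proc.cmdline": "cpp /etc/shadow", "fd.rip": "198.51.100.7", "fd.rport": 4444},
    {"evt.type": "connect", "evt.dir": "<", "proc.name": "curl",         # other process
     "proc.cmdline": "curl http://203.0.113.5/", "fd.rip": "203.0.113.5", "fd.rport": 80},
    {"evt.type": "read", "evt.dir": "<", "proc.name": "cpp",             # not a connect
     "proc.cmdline": "cpp /etc/shadow", "fd.name": "/etc/shadow"},
]

# The rule from Hint #4, with the output-format typo fixed.
RULE = {
    "rule": "Exfiltration attempt",
    "desc": "Attempt to exfiltrate /etc/shadow",
    "condition": "proc.name=cpp and evt.type=connect and evt.dir=<",
    "output": "command=%proc.cmdline dest IP=%fd.rip Port=%fd.rport (I'm mstemm)",
    "priority": "WARNING",
}

def matches(condition, event):
    """Toy evaluator: supports only field=value terms joined by 'and'
    (enough for this rule; Falco's real condition grammar is much richer)."""
    for term in condition.split(" and "):
        field, _, value = term.partition("=")
        if str(event.get(field.strip())) != value.strip():
            return False
    return True

def render(template, event):
    """Substitute %field tokens like Falco's output format; missing fields print <NA>."""
    return re.sub(r"%([a-z]+\.[a-z_]+)",
                  lambda m: str(event.get(m.group(1), "<NA>")), template)

def alerts(rule=RULE, events=EVENTS):
    """Return the alerts Falco would emit with json_output: true."""
    return [{"rule": rule["rule"], "priority": rule["priority"],
             "output": render(rule["output"], e)}
            for e in events if matches(rule["condition"], e)]

def slack_payload(alert):
    """Same transform as the jq '{text: .output}' hint, ready to POST to the webhook."""
    return json.dumps({"text": alert["output"]})
```

Only the second event produces an alert: the entry event (evt.dir=>) has no return value yet, and the read of /etc/shadow is caught by Hint #1's filter, not by this rule.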

Page 12: Find the Hacker

Thank You!