Find the Hacker with Sysdig and Falco
Mark Stemm, Falco Engineer
Information presented is confidential
Overview
• A contest!
• Use Sysdig and Falco to identify suspicious behavior
• Write a Falco rule that captures this behavior
• Send a Falco notification to our public slack channel: sysdig.slack.com, #ccwfs-falco-alerts
• Winner gets a prize!
The Prize!
• Holy Stone F181 RC Quadcopter Drone
• HD Camera RTF 4 Channel 2.4GHz 6-Gyro Headless System Black (Upgraded with Altitude Hold Function)
• Value: $85.99
Scenario Details
• EC2 Instance running at:
  • IP Address=52.52.146.24
  • username=ccwfs, passwd=SysD1gR0cks
  • has sysdig, falco installed
• This machine is compromised
• An attacker has installed program(s) that is/are doing something suspicious
• There is a specific IP related to this suspicious activity
  • Not the IPs 52.52.146.24 or 172.XXX—those are the instance IPs
Your job
• Identify the suspicious behavior
  • you can use sysdig, falco, anything else
• Write a falco rule that identifies this behavior and the IP address related to it
  • rule's output should include the IP address, your name/email/etc.
• Send the notification to our public slack channel via a web hook
  • https://hooks.slack.com/services/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
• Hint: to transform JSON with field "output" to slack-compatible JSON:
  • jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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
• Hint: to run falco with a custom config file: falco -c <conf.yaml>
Hints
Hint #1
• The suspicious behavior is related to something below /etc
• How can you find things reading/writing below /etc?
  • sudo sysdig fd.directory=/etc
Hint #2
• What is cpp doing?
  • sudo sysdig proc.name=cpp
• What network activity is cpp performing?
  • sudo sysdig "proc.name=cpp and evt.type in (connect, bind, listen, send, sendto, recv, recvfrom, read, write)"
Hint #3
• What identifies the specific IP address in question?
  • sudo sysdig -p "command=%proc.cmdline dest IP=%fd.rip Port=%fd.rport" proc.name=cpp and evt.type=sendto
Hint #4
• What's a falco rule that identifies this activity?
  - rule: Exfiltration attempt
    desc: Attempt to exfiltrate /etc/shadow
    condition: proc.name=cpp and evt.type=connect and evt.dir=<
    output: "command=%proc.cmdline dest IP=%fd.rip Port=%fd.rport (I'm mstemm)"
    priority: WARNING
Hint #5
• How do you configure falco to send this notification to the slack webhook?
  # Whether to output events in json or text
  json_output: true
  …
  program_output:
    enabled: true
    program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/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"
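The rule in Hint #4 and the program_output step in Hint #5 together produce a JSON alert per event and hand it to jq for the Slack body. The following added example (not part of the deck or of Falco itself) does the same transformation in Python so the pipeline can be checked offline: it parses constructed Falco JSON-output lines, extracts the dest IP and port that the rule's output string carries, drops alerts whose destination is one of the instance's own addresses from the scenario slide, and builds the same {"text": ...} body the jq filter produces. The alert lines, IPs and timestamps are constructed samples.

```python
import json
import re

# Constructed samples in the shape of Falco's json_output lines; not captured from the contest host.
SAMPLE_ALERTS = [
    '{"output":"16:02:11.123456789: Warning command=cpp /etc/shadow dest IP=198.51.100.7 Port=4444 (I\'m mstemm)",'
    '"priority":"Warning","rule":"Exfiltration attempt","time":"2016-10-13T16:02:11.123456789Z"}',
    '{"output":"16:02:12.000000000: Warning command=cpp /etc/shadow dest IP=172.31.5.9 Port=4444 (I\'m mstemm)",'
    '"priority":"Warning","rule":"Exfiltration attempt","time":"2016-10-13T16:02:12.000000000Z"}',
]

# The scenario slide says 52.52.146.24 and 172.x are the instance's own IPs, so alerts to them are noise.
INSTANCE_IP = "52.52.146.24"

# Matches the "dest IP=%fd.rip Port=%fd.rport" part of the rule's output format.
FIELD_RE = re.compile(r"dest IP=(?P<ip>[\d.]+) Port=(?P<port>\d+)")


def is_instance_ip(ip):
    """True for the addresses the scenario identifies as belonging to the instance itself."""
    return ip == INSTANCE_IP or ip.startswith("172.")


def parse_alert(line):
    """Parse one Falco JSON alert and pull the destination IP and port out of its output string."""
    alert = json.loads(line)
    m = FIELD_RE.search(alert["output"])
    if not m:
        raise ValueError("output lacks dest IP/Port fields: " + alert["output"])
    return {
        "rule": alert["rule"],
        "priority": alert["priority"],
        "output": alert["output"],
        "dest_ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def to_slack_payload(alert):
    """Build the same webhook body that jq '{text: .output}' produces."""
    return json.dumps({"text": alert["output"]})


def slack_payloads(lines):
    """Return webhook bodies only for alerts whose destination is not the instance itself."""
    alerts = (parse_alert(line) for line in lines)
    return [to_slack_payload(a) for a in alerts if not is_instance_ip(a["dest_ip"])]


if __name__ == "__main__":
    for body in slack_payloads(SAMPLE_ALERTS):
        print(body)  # what curl -d @- would POST to the webhook
```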
Thank You!