signature: add kubernetes_certificate_theft_attempt.go sig

Author: roikol

signatures/golang/export.go

@@ -32,4 +32,5 @@ var ExportedSignatures = []detect.Signature{
 	&FilelessExecution{},
 	&IllegitimateShell{},
 	&KernelModuleLoading{},
+	&KubernetesCertificateTheftAttempt{},
 }

signatures/golang/kubernetes_certificate_theft_attempt.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type KubernetesCertificateTheftAttempt struct {
+	cb                 detect.SignatureHandler
+	legitProcs         []string
+	k8sCertificatesDir string
+}
+
+func (sig *KubernetesCertificateTheftAttempt) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	sig.legitProcs = []string{"kube-apiserver", "kubelet", "kube-controller", "etcd"}
+	sig.k8sCertificatesDir = "/etc/kubernetes/pki/"
+	return nil
+}
+
+func (sig *KubernetesCertificateTheftAttempt) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-35",
+		Version:     "1",
+		Name:        "K8s TLS certificate theft detected",
+		Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.",
+		Properties: map[string]interface{}{
+			"Severity":             3,
+			"Category":             "credential-access",
+			"Technique":            "Steal Application Access Token",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a",
+			"external_id":          "T1528",
+		},
+	}, nil
+}
+
+func (sig *KubernetesCertificateTheftAttempt) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "security_file_open", Origin: "*"},
+		{Source: "tracee", Name: "security_inode_rename", Origin: "*"},
+	}, nil
+}
+
+func (sig *KubernetesCertificateTheftAttempt) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	path := ""
+
+	switch eventObj.EventName {
+
+	case "security_file_open":
+
+		// check process touching certificate is not on allow list
+		for _, legitProc := range sig.legitProcs {
+			if legitProc == eventObj.ProcessName {
+				return nil
+			}
+		}
+
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
+		if err != nil {
+			return err
+		}
+
+		if helpers.IsFileRead(flags) {
+			pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
+			if err != nil {
+				return err
+			}
+
+			path = pathname
+		}
+
+	case "security_inode_rename":
+
+		oldPath, err := helpers.GetTraceeStringArgumentByName(eventObj, "old_path")
+		if err != nil {
+			return err
+		}
+
+		path = oldPath
+
+	}
+
+	if strings.HasPrefix(path, sig.k8sCertificatesDir) {
+		metadata, err := sig.GetMetadata()
+		if err != nil {
+			return err
+		}
+		sig.cb(detect.Finding{
+			SigMetadata: metadata,
+			Event:       event,
+			Data:        nil,
+		})
+	}
+
+	return nil
+}
+
+func (sig *KubernetesCertificateTheftAttempt) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *KubernetesCertificateTheftAttempt) Close() {}

signatures/golang/kubernetes_certificate_theft_attempt_test.go

@@ -0,0 +1,229 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestKubernetesCertificateTheftAttempt(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection - security_file_open",
+			Events: []trace.Event{
+				{
+					ProcessName: "malware",
+					EventName:   "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/etc/kubernetes/pki/ca.crt"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-35": {
+					Data: nil,
+					Event: trace.Event{
+						ProcessName: "malware",
+						EventName:   "security_file_open",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "flags",
+								},
+								Value: interface{}("O_RDONLY"),
+							},
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "pathname",
+								},
+								Value: interface{}("/etc/kubernetes/pki/ca.crt"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-35",
+						Version:     "1",
+						Name:        "K8s TLS certificate theft detected",
+						Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "credential-access",
+							"Technique":            "Steal Application Access Token",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a",
+							"external_id":          "T1528",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should trigger detection - security_inode_rename",
+			Events: []trace.Event{
+				{
+					EventName: "security_inode_rename",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "old_path",
+							},
+							Value: interface{}("/etc/kubernetes/pki/ca.crt"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-35": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "security_inode_rename",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "old_path",
+								},
+								Value: interface{}("/etc/kubernetes/pki/ca.crt"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-35",
+						Version:     "1",
+						Name:        "K8s TLS certificate theft detected",
+						Description: "Theft of Kubernetes TLS certificates was detected. TLS certificates are used to establish trust between systems. The Kubernetes certificate is used to to enable secure communication between Kubernetes components, such as kubelet scheduler controller and API Server. An adversary may steal a Kubernetes certificate on a compromised system to impersonate Kubernetes components within the cluster.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "credential-access",
+							"Technique":            "Steal Application Access Token",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a",
+							"external_id":          "T1528",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - security_file_open wrong open flags",
+			Events: []trace.Event{
+				{
+					ProcessName: "test",
+					EventName:   "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_WRONLY"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/etc/kubernetes/pki/ca.crt"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - security_file_open wrong path",
+			Events: []trace.Event{
+				{
+					ProcessName: "test",
+					EventName:   "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/tmp/ca.crt"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - security_file_open legit proc",
+			Events: []trace.Event{
+				{
+					ProcessName: "kube-apiserver",
+					EventName:   "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/etc/kubernetes/pki/ca.crt"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - security_inode_rename wrong path",
+			Events: []trace.Event{
+				{
+					EventName: "security_inode_rename",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "old_path",
+							},
+							Value: interface{}("/tmp/ca.crt"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := KubernetesCertificateTheftAttempt{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}