signature: add kernel_module_loading.go sig

roikol · rafaeldtinoco · commit 40fc0cdad0c4 · 2022-10-20T22:55:13.000-03:00
diff --git a/signatures/golang/export.go b/signatures/golang/export.go
@@ -31,4 +31,5 @@ var ExportedSignatures = []detect.Signature{
 	&DynamicCodeLoading{},
 	&FilelessExecution{},
 	&IllegitimateShell{},
+	&KernelModuleLoading{},
 }
diff --git a/signatures/golang/kernel_module_loading.go b/signatures/golang/kernel_module_loading.go
@@ -0,0 +1,92 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type KernelModuleLoading struct {
+	cb detect.SignatureHandler
+}
+
+func (sig *KernelModuleLoading) Init(cb detect.SignatureHandler) error {
+	sig.cb = cb
+	return nil
+}
+
+func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-57",
+		Version:     "1",
+		Name:        "Kernel module loading detected",
+		Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.",
+		Properties: map[string]interface{}{
+			"Severity":             2,
+			"Category":             "persistence",
+			"Technique":            "Kernel Modules and Extensions",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
+			"external_id":          "T1547.006",
+		},
+	}, nil
+}
+
+func (sig *KernelModuleLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "init_module", Origin: "*"},
+		{Source: "tracee", Name: "security_kernel_read_file", Origin: "*"},
+	}, nil
+}
+
+func (sig *KernelModuleLoading) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	switch eventObj.EventName {
+
+	case "init_module":
+		metadata, err := sig.GetMetadata()
+		if err != nil {
+			return err
+		}
+		sig.cb(detect.Finding{
+			SigMetadata: metadata,
+			Event:       event,
+			Data:        nil,
+		})
+
+	case "security_kernel_read_file":
+
+		loadedType, err := helpers.GetTraceeStringArgumentByName(eventObj, "type")
+		if err != nil {
+			return err
+		}
+
+		if loadedType == "kernel-module" {
+			metadata, err := sig.GetMetadata()
+			if err != nil {
+				return err
+			}
+			sig.cb(detect.Finding{
+				SigMetadata: metadata,
+				Event:       event,
+				Data:        nil,
+			})
+		}
+
+	}
+
+	return nil
+}
+
+func (sig *KernelModuleLoading) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *KernelModuleLoading) Close() {}
diff --git a/signatures/golang/kernel_module_loading_test.go b/signatures/golang/kernel_module_loading_test.go
@@ -0,0 +1,127 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestKernelModuleLoading(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection - init_module",
+			Events: []trace.Event{
+				{
+					EventName: "init_module",
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-57": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "init_module",
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-57",
+						Version:     "1",
+						Name:        "Kernel module loading detected",
+						Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.",
+						Properties: map[string]interface{}{
+							"Severity":             2,
+							"Category":             "persistence",
+							"Technique":            "Kernel Modules and Extensions",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
+							"external_id":          "T1547.006",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should trigger detection - security_kernel_read_file",
+			Events: []trace.Event{
+				{
+					EventName: "security_kernel_read_file",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "type",
+							},
+							Value: interface{}("kernel-module"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-57": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "security_kernel_read_file",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "type",
+								},
+								Value: interface{}("kernel-module"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-57",
+						Version:     "1",
+						Name:        "Kernel module loading detected",
+						Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.",
+						Properties: map[string]interface{}{
+							"Severity":             2,
+							"Category":             "persistence",
+							"Technique":            "Kernel Modules and Extensions",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
+							"external_id":          "T1547.006",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - security_kernel_read_file wrong type",
+			Events: []trace.Event{
+				{
+					EventName: "security_kernel_read_file",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "type",
+							},
+							Value: interface{}("firmware"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := KernelModuleLoading{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -31,4 +31,5 @@ var ExportedSignatures = []detect.Signature{`
`31`	`31`	`&DynamicCodeLoading{},`
`32`	`32`	`&FilelessExecution{},`
`33`	`33`	`&IllegitimateShell{},`
	`34`	`+ &KernelModuleLoading{},`
`34`	`35`	`}`