signature: add default_loader_modification.go sig

roikol · rafaeldtinoco · commit 80f1aaa214da · 2022-10-20T22:55:13.000-03:00
diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go
@@ -0,0 +1,105 @@
+package main
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+type DefaultLoaderModification struct {
+	cb                   detect.SignatureHandler
+	dynamicLoaderPattern string
+	compiledRegex        *regexp.Regexp
+}
+
+func (sig *DefaultLoaderModification) Init(cb detect.SignatureHandler) error {
+	var err error
+	sig.cb = cb
+	sig.dynamicLoaderPattern = "^\\/(lib|usr\\/lib).*\\/ld.*\\.so[^\\/]*"
+	sig.compiledRegex, err = regexp.Compile(sig.dynamicLoaderPattern)
+	return err
+}
+
+func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "TRC-169",
+		Version:     "1",
+		Name:        "Default dynamic loader modification detected",
+		Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
+		Properties: map[string]interface{}{
+			"Severity":             3,
+			"Category":             "defense-evasion",
+			"Technique":            "Hijack Execution Flow",
+			"Kubernetes_Technique": "",
+			"id":                   "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+			"external_id":          "T1574",
+		},
+	}, nil
+}
+
+func (sig *DefaultLoaderModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "security_file_open", Origin: "*"},
+		{Source: "tracee", Name: "security_inode_rename", Origin: "*"},
+	}, nil
+}
+
+func (sig *DefaultLoaderModification) OnEvent(event protocol.Event) error {
+
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("invalid event")
+	}
+
+	path := ""
+
+	switch eventObj.EventName {
+
+	case "security_file_open":
+
+		flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
+		if err != nil {
+			return err
+		}
+
+		if helpers.IsFileWrite(flags) {
+			pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
+			if err != nil {
+				return err
+			}
+
+			path = pathname
+		}
+
+	case "security_inode_rename":
+		newPath, err := helpers.GetTraceeStringArgumentByName(eventObj, "new_path")
+		if err != nil {
+			return err
+		}
+
+		path = newPath
+	}
+
+	if sig.compiledRegex.MatchString(path) {
+		metadata, err := sig.GetMetadata()
+		if err != nil {
+			return err
+		}
+		sig.cb(detect.Finding{
+			SigMetadata: metadata,
+			Event:       event,
+			Data:        nil,
+		})
+	}
+
+	return nil
+}
+
+func (sig *DefaultLoaderModification) OnSignal(s detect.Signal) error {
+	return nil
+}
+func (sig *DefaultLoaderModification) Close() {}
diff --git a/signatures/golang/default_loader_modification_test.go b/signatures/golang/default_loader_modification_test.go
@@ -0,0 +1,201 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/tracee/signatures/signaturestest"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/trace"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDefaultLoaderModification(t *testing.T) {
+	testCases := []struct {
+		Name     string
+		Events   []trace.Event
+		Findings map[string]detect.Finding
+	}{
+		{
+			Name: "should trigger detection - security_file_open",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/usr/lib/x86_64-linux-gnu/ld-2.31.so"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_WRONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-169": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "security_file_open",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "pathname",
+								},
+								Value: interface{}("/usr/lib/x86_64-linux-gnu/ld-2.31.so"),
+							},
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "flags",
+								},
+								Value: interface{}("O_WRONLY"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-169",
+						Version:     "1",
+						Name:        "Default dynamic loader modification detected",
+						Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "defense-evasion",
+							"Technique":            "Hijack Execution Flow",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+							"external_id":          "T1574",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should trigger detection - security_inode_rename",
+			Events: []trace.Event{
+				{
+					EventName: "security_inode_rename",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "new_path",
+							},
+							Value: interface{}("/usr/lib/x86_64-linux-gnu/ld-2.31.so"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{
+				"TRC-169": {
+					Data: nil,
+					Event: trace.Event{
+						EventName: "security_inode_rename",
+						Args: []trace.Argument{
+							{
+								ArgMeta: trace.ArgMeta{
+									Name: "new_path",
+								},
+								Value: interface{}("/usr/lib/x86_64-linux-gnu/ld-2.31.so"),
+							},
+						},
+					}.ToProtocol(),
+					SigMetadata: detect.SignatureMetadata{
+						ID:          "TRC-169",
+						Version:     "1",
+						Name:        "Default dynamic loader modification detected",
+						Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
+						Properties: map[string]interface{}{
+							"Severity":             3,
+							"Category":             "defense-evasion",
+							"Technique":            "Hijack Execution Flow",
+							"Kubernetes_Technique": "",
+							"id":                   "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+							"external_id":          "T1574",
+						},
+					},
+				},
+			},
+		},
+		{
+			Name: "should not trigger detection - security_file_open wrong open flags",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/usr/lib/x86_64-linux-gnu/ld-2.31.so"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_RDONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - security_file_open wrong path",
+			Events: []trace.Event{
+				{
+					EventName: "security_file_open",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "pathname",
+							},
+							Value: interface{}("/tmp/something"),
+						},
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "flags",
+							},
+							Value: interface{}("O_WRONLY"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+		{
+			Name: "should not trigger detection - security_inode_rename wrong path",
+			Events: []trace.Event{
+				{
+					EventName: "security_inode_rename",
+					Args: []trace.Argument{
+						{
+							ArgMeta: trace.ArgMeta{
+								Name: "new_path",
+							},
+							Value: interface{}("/tmp/something"),
+						},
+					},
+				},
+			},
+			Findings: map[string]detect.Finding{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			holder := signaturestest.FindingsHolder{}
+			sig := DefaultLoaderModification{}
+			sig.Init(holder.OnFinding)
+
+			for _, e := range tc.Events {
+				err := sig.OnEvent(e.ToProtocol())
+				require.NoError(t, err)
+			}
+			assert.Equal(t, tc.Findings, holder.GroupBySigID())
+		})
+	}
+}
diff --git a/signatures/golang/export.go b/signatures/golang/export.go
@@ -14,4 +14,5 @@ var ExportedSignatures = []detect.Signature{
 	&ScheduledTaskModification{},
 	&LdPreload{},
 	&CgroupNotifyOnReleaseModification{},
+	&DefaultLoaderModification{},
 }

Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,5 @@ var ExportedSignatures = []detect.Signature{`
`14`	`14`	`&ScheduledTaskModification{},`
`15`	`15`	`&LdPreload{},`
`16`	`16`	`&CgroupNotifyOnReleaseModification{},`
	`17`	`+ &DefaultLoaderModification{},`
`17`	`18`	`}`