
tetragon: Add MITRE ATT&CK references and tags to privileged execution events. #3110

Draft: wants to merge 2 commits into base: main

Conversation

@tixxdz tixxdz (Member) commented Nov 14, 2024

Privileged execution will be automatically tagged with following:

    {
      "process_exec": {
        "process": {
          "exec_id": "cm9yb25vYToyNTM0Nzk3NjE2NzY0NjY6NzQxMDI2",
          "pid": 741026,
          "uid": 0,
          "cwd": "/home/tixxdz/work/roronoa/code/src/github.com/tixxdz/tetragon",
          "binary": "/usr/bin/sudo",
          "arguments": "id",
          "..."
        },
        "message": "Privilege Escalation via SUID/SGID binary execution",
        "tags": [
          "attack.techniques",
          "attack.T1548",
          "attack.T1068",
          "attack.tactics",
          "attack.TA0004"
        ]
      }
    }

tetragon: Add MITRE ATT&CK references and tags to privileged execution events.

Will produce an event of:

{
  "process_exec": {
    "process": {
      "exec_id": "cm9yb25vYToyNTM0Nzk3NjE2NzY0NjY6NzQxMDI2",
      "pid": 741026,
      "uid": 0,
      "cwd": "/home/tixxdz/work/roronoa/code/src/github.com/tixxdz/tetragon",
      "binary": "/usr/bin/sudo",
      "arguments": "id",
      ...
    },
    "message": "Privilege Escalation via SUID/SGID binary execution",
    "tags": [
      "attack.techniques",
      "attack.T1548",
      "attack.T1068",
      "attack.tactics",
      "attack.TA0004"
    ]
  },
  ...
}

Signed-off-by: Djalal Harouni <[email protected]>
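An added example of a defender-side consumer for the tagged events above (not Tetragon's own code): it reads newline-delimited JSON events, as `tetra getevents -o json` prints them, and splits the `attack.*` tags into technique and tactic IDs by their ID pattern rather than by tag order. The first sample event reuses the PR's sample values (trimmed); the second, untagged event is constructed to show it is ignored.

```python
import json
import re

# Constructed sample input: the first event mirrors the PR's sample (trimmed), the
# second is an ordinary, untagged exec added here to show that it is skipped.
SAMPLE_EVENTS = """\
{"process_exec": {"process": {"pid": 741026, "uid": 0, "binary": "/usr/bin/sudo", "arguments": "id"}, "message": "Privilege Escalation via SUID/SGID binary execution", "tags": ["attack.techniques", "attack.T1548", "attack.T1068", "attack.tactics", "attack.TA0004"]}}
{"process_exec": {"process": {"pid": 4242, "uid": 1000, "binary": "/usr/bin/ls", "arguments": "-la"}}}
"""

# ATT&CK IDs: techniques are T#### with an optional .### sub-technique, tactics are TA####.
TECHNIQUE_RE = re.compile(r"^attack\.(T\d{4}(?:\.\d{3})?)$")
TACTIC_RE = re.compile(r"^attack\.(TA\d{4})$")


def parse_attack_tags(tags):
    """Split a tags array into (technique IDs, tactic IDs).

    Section markers such as 'attack.techniques' / 'attack.tactics' carry no ID
    and are skipped, as is any tag that is not an attack.* reference.
    """
    techniques, tactics = [], []
    for tag in tags:
        m = TECHNIQUE_RE.match(tag)
        if m:
            techniques.append(m.group(1))
            continue
        m = TACTIC_RE.match(tag)
        if m:
            tactics.append(m.group(1))
    return techniques, tactics


def attack_annotated_execs(ndjson):
    """Return one summary dict per process_exec event that carries ATT&CK tags."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line).get("process_exec")
        if not ev or not ev.get("tags"):
            continue  # not an exec event, or an exec without the new tags
        techniques, tactics = parse_attack_tags(ev["tags"])
        if not techniques and not tactics:
            continue
        p = ev["process"]
        hits.append({"pid": p["pid"], "uid": p["uid"], "binary": p["binary"],
                     "message": ev.get("message", ""),
                     "techniques": techniques, "tactics": tactics})
    return hits
```

The returned dicts are what a SIEM forwarder or alert rule would key on: the technique list for ATT&CK coverage mapping, and `uid`/`binary` to separate expected administrative `sudo` use from unexpected privileged execution.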
@tixxdz tixxdz added the release-note/major This PR introduces major new functionality label Nov 14, 2024
@tixxdz tixxdz requested a review from a team as a code owner November 14, 2024 17:48
@tixxdz tixxdz requested a review from olsajiri November 14, 2024 17:48
netlify bot commented Nov 14, 2024

Deploy Preview for tetragon ready!

Latest commit: e7f3596
Latest deploy log: https://app.netlify.com/sites/tetragon/deploys/673637f8ea07100008849be7
Deploy Preview: https://deploy-preview-3110--tetragon.netlify.app
@tixxdz tixxdz marked this pull request as draft November 14, 2024 17:51