Vicente Herrera vicenteherrera

Keybase proof

I hereby claim:

  • I am vicenteherrera on github.
  • I am vicenteherrera (https://keybase.io/vicenteherrera) on keybase.
  • I have a public key whose fingerprint is 9880 E4EC 31BB 616E B88B 6433 AB69 37F1 5D0B 3596

To claim this, I am signing this object:

Picture-in-picture bookmarklet (shown URL-decoded; the gist stores it percent-encoded as a single javascript: URL so it can be saved as a bookmark):

javascript:
function startPiP() {
  // Safari-specific API: webkitSetPresentationMode. The standard
  // Picture-in-Picture API on other browsers is video.requestPictureInPicture().
  var videos = document.getElementsByTagName('video');
  for (var i = 0; i < videos.length; i++) {
    // Only videos with a direct src attribute are switched; videos fed
    // through <source> child elements have no .src and are skipped.
    if (videos[i].src) videos[i].webkitSetPresentationMode("picture-in-picture");
  }
}
startPiP();
vicenteherrera / Test gist 1
Created March 23, 2020 18:06
Test gist with two elements
Test gist 1
- rule: Anonymous Request Allowed
  desc: >
    Detect any request made by the anonymous user that was allowed
  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision!=reject and not health_endpoint
  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
- rule: Change thread namespace
  desc: >
    an attempt to change a program/thread's namespace (commonly done
    as a part of creating a container) by calling setns.
  condition: >
    evt.type = setns
    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
                          sysdig, nsenter, calico, oci-umount, network_plugin_binaries)
    and not proc.name in (user_known_change_thread_namespace_binaries)
    and not proc.name startswith "runc"
- rule: DB program spawned process
  desc: >
    a database-server related program spawned a new process other than itself.
    This shouldn't occur and is a follow-on from some SQL injection attacks.
  condition: >
    proc.pname in (db_server_binaries)
    and spawned_process
    and not proc.name in (db_server_binaries)
    and not postgres_running_wal_e
  output: >
- rule: Detect crypto miners using the Stratum protocol
  desc: Miners typically specify the mining pool to connect to with a URI that begins with 'stratum+tcp'
  condition: spawned_process and proc.cmdline contains "stratum+tcp"
  output: Possible miner running (command=%proc.cmdline container=%container.info image=%container.image.repository)
  priority: CRITICAL
  tags: [process, mitre_execution]
- rule: Detect outbound connections to common miner pool ports
  desc: Miners typically connect to miner pools on common ports.
  condition: net_miner_pool
  output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
  priority: CRITICAL
  tags: [network, mitre_execution]
- rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
- rule: Full K8s Administrative Access
  desc: Detect any k8s operation by an administrator with full access.
  condition: >
    kevt and non_system_user and ka.user.name in (admin_k8s_users) and not allowed_full_admin_users
  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, NIST, NIST_3.1, PCI, PCI_DSS_2.1]
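The rules above are Falco configuration and do nothing without the Falco engine resolving fields like ka.user.name and proc.pname. As an added example (not code from the gist or from the Falco project), here is a plain-Python re-implementation of four of those rules, run over constructed sample events, so you can see which raw Kubernetes audit and process-exec fields each Falco name resolves to and which events actually fire. The field mapping, the list contents standing in for allowed_k8s_users and db_server_binaries, the expansions of the health_endpoint and postgres_running_wal_e macros, and the message text for the DB rule (whose output line is empty in the gist) are all assumptions made for this example.

```python
"""Plain-Python simulation of four Falco rules from the gist (added example).

Assumed field mapping (stand-ins for what Falco's k8s_audit and syscall
sources resolve; list and macro contents below are constructed, not Falco's):
  ka.user.name            -> audit event user.username
  ka.verb, ka.uri         -> verb, requestURI
  ka.auth.decision/reason -> annotations authorization.k8s.io/decision and /reason
  ka.target.name/resource -> objectRef.name / objectRef.resource
  ka.response.code        -> responseStatus.code
  kevt                    -> stage == "ResponseComplete"
  health_endpoint         -> requestURI under /healthz, /livez or /readyz
  spawned_process         -> an execve record; proc.name/pname/cmdline are its fields
"""

ALLOWED_K8S_USERS = {"kubernetes-admin", "kubelet"}     # stand-in for allowed_k8s_users
HEALTH_ENDPOINTS = ("/healthz", "/livez", "/readyz")     # assumed health_endpoint macro
DB_SERVER_BINARIES = {"mysqld", "postgres", "sqlservr"}  # stand-in for db_server_binaries


def k8s_audit_rules(ev):
    """Return [(rule name, output), ...] for one Kubernetes audit event."""
    user = ev.get("user", {}).get("username", "")
    ann = ev.get("annotations", {})
    decision = ann.get("authorization.k8s.io/decision", "")
    reason = ann.get("authorization.k8s.io/reason", "")
    verb, uri = ev.get("verb", ""), ev.get("requestURI", "")
    target = ev.get("objectRef", {})
    resp = ev.get("responseStatus", {}).get("code", "")
    kevt = ev.get("stage") == "ResponseComplete"
    health_endpoint = uri.startswith(HEALTH_ENDPOINTS)
    non_system_user = not user.startswith("system:")
    alerts = []
    # Anonymous Request Allowed: the comparison is against the literal "reject",
    # exactly as the rule is written. The apiserver writes "allow"/"forbid" here.
    if kevt and user == "system:anonymous" and decision != "reject" and not health_endpoint:
        alerts.append(("Anonymous Request Allowed",
                       f"Request by anonymous user allowed (user={user} verb={verb} uri={uri} reason={reason})"))
    # Disallowed K8s User
    if kevt and non_system_user and user not in ALLOWED_K8S_USERS:
        alerts.append(("Disallowed K8s User",
                       f"K8s Operation performed by user not in allowed list of users "
                       f"(user={user} target={target.get('name', '')}/{target.get('resource', '')} "
                       f"verb={verb} uri={uri} resp={resp})"))
    return alerts


def syscall_rules(ev):
    """Return [(rule name, output), ...] for one process-exec record."""
    spawned_process = ev.get("evt_type") == "execve"
    name, pname = ev.get("proc_name", ""), ev.get("proc_pname", "")
    cmdline, container = ev.get("cmdline", ""), ev.get("container", "host")
    # simplified stand-in for the postgres_running_wal_e macro
    postgres_running_wal_e = pname == "postgres" and "wal-e" in cmdline
    alerts = []
    # DB program spawned process (message text is this example's own)
    if (spawned_process and pname in DB_SERVER_BINARIES
            and name not in DB_SERVER_BINARIES and not postgres_running_wal_e):
        alerts.append(("DB program spawned process",
                       f"Database program spawned a child (command={cmdline} parent={pname} container={container})"))
    # Detect crypto miners using the Stratum protocol
    if spawned_process and "stratum+tcp" in cmdline:
        alerts.append(("Detect crypto miners using the Stratum protocol",
                       f"Possible miner running (command={cmdline} container={container} image={ev.get('image', '')})"))
    return alerts


# Constructed sample input; not real audit data or process captures.
AUDIT_EVENTS = [
    {"stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/namespaces/default/secrets",
     "user": {"username": "system:anonymous"},
     "annotations": {"authorization.k8s.io/decision": "allow",
                     "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding anon-read"},
     "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}},
    # forbidden anonymous request: still matches, because "forbid" != "reject"
    {"stage": "ResponseComplete", "verb": "get", "requestURI": "/api/v1/secrets",
     "user": {"username": "system:anonymous"},
     "annotations": {"authorization.k8s.io/decision": "forbid"}, "responseStatus": {"code": 403}},
    {"stage": "ResponseComplete", "verb": "get", "requestURI": "/healthz",
     "user": {"username": "system:anonymous"},
     "annotations": {"authorization.k8s.io/decision": "allow"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create", "requestURI": "/api/v1/namespaces/prod/pods",
     "user": {"username": "contractor@example.com"},
     "annotations": {"authorization.k8s.io/decision": "allow"},
     "objectRef": {"resource": "pods", "name": "debug"}, "responseStatus": {"code": 201}},
    {"stage": "RequestReceived", "verb": "create", "requestURI": "/api/v1/namespaces/prod/pods",
     "user": {"username": "contractor@example.com"}},  # not kevt: ignored
    {"stage": "ResponseComplete", "verb": "get", "requestURI": "/api/v1/nodes",
     "user": {"username": "kubelet"}, "annotations": {"authorization.k8s.io/decision": "allow"},
     "objectRef": {"resource": "nodes"}, "responseStatus": {"code": 200}},
]
PROCESS_EVENTS = [
    {"evt_type": "execve", "proc_name": "sh", "proc_pname": "mysqld",
     "cmdline": "sh -c id", "container": "app-db", "image": "mysql"},
    {"evt_type": "execve", "proc_name": "postgres", "proc_pname": "postgres",
     "cmdline": "postgres: checkpointer", "container": "pg", "image": "postgres"},
    {"evt_type": "execve", "proc_name": "xmrig", "proc_pname": "bash",
     "cmdline": "xmrig -o stratum+tcp://pool.example.net:3333 -u wallet",
     "container": "web", "image": "nginx"},
]


def run_all(audit_events=AUDIT_EVENTS, process_events=PROCESS_EVENTS):
    """Evaluate every event against the rules for its source; returns all alerts in order."""
    alerts = [a for ev in audit_events for a in k8s_audit_rules(ev)]
    alerts += [a for ev in process_events for a in syscall_rules(ev)]
    return alerts


if __name__ == "__main__":
    for rule, output in run_all():
        print(f"[{rule}] {output}")
```

Two things this makes visible that the YAML alone does not: the /healthz probe by system:anonymous is dropped by the health_endpoint macro rather than by the user check, and the Anonymous Request Allowed condition compares ka.auth.decision against the literal "reject", so in this simulation a request the apiserver annotated "forbid" matches as well. The apiserver's own values for that annotation are allow and forbid; check what your Falco version exposes in ka.auth.decision before reading that rule's alerts as "allowed".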