From e7ff8a411dc9f96d0ed756199b19113375e5cffb Mon Sep 17 00:00:00 2001
From: JayJersan <jerwin999@hotmail.com>
Date: Mon, 25 Mar 2024 11:45:41 +0530
Subject: [PATCH] Added crypto-miner, removed 5G from name and
 shell-history-mod from metadata

Signed-off-by: JayJersan <jerwin999@hotmail.com>
---
 ...es.yaml => ksp-mitre-remote-services.yaml} |  4 +-
 ...l => ksp-mitre-tactic-impair-defense.yaml} |  4 +-
 ...yaml => ksp-network-service-scanning.yaml} |  4 +-
 generic/system/ksp-prevent-crypto-miners.yaml | 68 +++++++++++++++++++
 generic/system/metadata.yaml                  | 48 ++++++++-----
 5 files changed, 104 insertions(+), 24 deletions(-)
 rename generic/system/{ksp-mitre-5g-remote-services.yaml => ksp-mitre-remote-services.yaml} (89%)
 rename generic/system/{ksp-mitre-5g-tactic-impair-defense.yaml => ksp-mitre-tactic-impair-defense.yaml} (88%)
 rename generic/system/{ksp-5g-network-service-scanning.yaml => ksp-network-service-scanning.yaml} (91%)
 create mode 100644 generic/system/ksp-prevent-crypto-miners.yaml

diff --git a/generic/system/ksp-mitre-5g-remote-services.yaml b/generic/system/ksp-mitre-remote-services.yaml
similarity index 89%
rename from generic/system/ksp-mitre-5g-remote-services.yaml
rename to generic/system/ksp-mitre-remote-services.yaml
index ea680d46..1699b832 100644
--- a/generic/system/ksp-mitre-5g-remote-services.yaml
+++ b/generic/system/ksp-mitre-remote-services.yaml
@@ -5,10 +5,10 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorPolicy
 metadata:
-  name: ksp-mitre-5g-remote-services
+  name: ksp-mitre-remote-services
   namespace: default    # Change your namespace
 spec:
-  tags: ["MITRE", "FIGHT", "FGT1021"]
+  tags: ["MITRE", "FIGHT", "FGT1021","5G"]
   message: "Warning! access sensitive files detected"
   selector:
     matchLabels: 
diff --git a/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml b/generic/system/ksp-mitre-tactic-impair-defense.yaml
similarity index 88%
rename from generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
rename to generic/system/ksp-mitre-tactic-impair-defense.yaml
index 510f686f..6d60afef 100644
--- a/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
+++ b/generic/system/ksp-mitre-tactic-impair-defense.yaml
@@ -5,10 +5,10 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorPolicy
 metadata:
-  name: ksp-mitre-5g-tactic-impair-defense
+  name: ksp-mitre-tactic-impair-defense
   namespace: default  #change with your namespace
 spec:
-  tags: ["MITRE", "FGT1562","FIGHT"]
+  tags: ["MITRE", "FGT1562","FIGHT","5G"]
   message: "Selinux Files Accessed by Unknown Process"
   selector:
     matchLabels:
diff --git a/generic/system/ksp-5g-network-service-scanning.yaml b/generic/system/ksp-network-service-scanning.yaml
similarity index 91%
rename from generic/system/ksp-5g-network-service-scanning.yaml
rename to generic/system/ksp-network-service-scanning.yaml
index cacf98ef..728fe106 100644
--- a/generic/system/ksp-5g-network-service-scanning.yaml
+++ b/generic/system/ksp-network-service-scanning.yaml
@@ -5,10 +5,10 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorPolicy
 metadata:
-  name: ksp-5g-network-service-scanning
+  name: ksp-network-service-scanning
   namespace: default # Change your namespace
 spec:
-  tags: ["MITRE", "FGT1046","FIGHT"]
+  tags: ["MITRE", "FGT1046","FIGHT","5G"]
   message: "Network service has been scanned!"
   selector:
     matchLabels:
diff --git a/generic/system/ksp-prevent-crypto-miners.yaml b/generic/system/ksp-prevent-crypto-miners.yaml
new file mode 100644
index 00000000..daf465ed
--- /dev/null
+++ b/generic/system/ksp-prevent-crypto-miners.yaml
@@ -0,0 +1,68 @@
+# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
+# To learn more about KubeArmor visit: 
+# https://www.accuknox.com/kubearmor/ 
+
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-mitre-prevent-crypto-miners
+spec:
+  selector:
+    matchLabels:
+      app: wordpress
+      
+  action: Block
+  process:
+    matchDirectories:
+    - dir: /tmp/
+      recursive: true
+    
+    matchPaths:
+    # do not allow execution of xmrig (xmrig.com)
+    - execname: xmrig
+    
+    # prevent execution of Dero miner
+    - execname: dero
+    - execname: dero-miner-linux-amd64
+    - execname: dero-wallet-cli-linux-amd64
+    - execname: derod-linux-amd64
+
+    # do not allow execution of masscan/zgrab2/nmap used for recon 
+    - execname: zgrab2
+    - execname: masscan
+    - execname: nmap
+    
+    # do not allow package management tools execution
+    - execname: apt
+    - execname: apk
+    
+    # time sync is important for miners. typically ntpdate is used.
+    - execname: ntpdate
+  
+  # Do not allow overwriting system binaries
+  file:
+    matchDirectories:
+    - dir: /usr/local/bin/
+      readOnly: true
+      recursive: true
+    - dir: /sbin/
+      readOnly: true
+      recursive: true
+    - dir: /bin/
+      readOnly: true
+      recursive: true
+    - dir: /usr/bin/
+      readOnly: true
+      recursive: true
+    - dir: /var/local/bin/
+      readOnly: true
+      recursive: true
+    - dir: /boot/
+      readOnly: true
+      recursive: true
+    
+  message: cryptominer detected and blocked
+  severity: 10
+  tags: 
+    - cryptominer
+    - MITRE_T1496_resource_hijacking
\ No newline at end of file
diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml
index 2eca4cad..8a080de3 100644
--- a/generic/system/metadata.yaml
+++ b/generic/system/metadata.yaml
@@ -164,18 +164,18 @@ policyRules:
     tldr: The adversary is trying to avoid being detected.
     detailed: Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
   yaml: ksp-deny-write-under-etc-directory.yaml
-- name: shell-history-mod
-  precondition: 
-  - /root/*_history
-  - OPTSCAN
-  description:
-    refs:
-    - name: MITRE_T1070_indicator_removal
-      url:
-      - https://attack.mitre.org/techniques/T1070/
-    tldr: Adversaries may delete or modify artifacts generated within systems to remove evidence.
-    detailed: Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
-  yaml: ksp-shell-history-modification.yaml
+# - name: shell-history-mod
+#   precondition: 
+#   - /root/*_history
+#   - OPTSCAN
+#   description:
+#     refs:
+#     - name: MITRE_T1070_indicator_removal
+#       url:
+#       - https://attack.mitre.org/techniques/T1070/
+#     tldr: Adversaries may delete or modify artifacts generated within systems to remove evidence.
+#     detailed: Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
+#   yaml: ksp-shell-history-modification.yaml
 - name: file-system-mounts
   precondition: 
   - /bin/mount
@@ -327,7 +327,7 @@ policyRules:
   - OPTSCAN
   description:
     refs:
-    - name: 5g-tactic-impair-defense
+    - name: tactic-impair-defense
       url:
       - https://fight.mitre.org/techniques/FGT1562
     tldr: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
@@ -336,14 +336,14 @@ policyRules:
       and anti-virus, but also detection capabilities that defenders can use to audit activity and identify 
       malicious behavior. This may also span both native defenses as well as supplemental capabilities installed 
       by users and administrators.
-  yaml: ksp-mitre-5g-tactic-impair-defense.yaml
+  yaml: ksp-mitre-tactic-impair-defense.yaml
 - name: network-service-scanning
   precondition: 
   - /bin/*
   - OPTSCAN
   description:
     refs:
-    - name: 5g-tactic-network-service-scanning
+    - name: tactic-network-service-scanning
       url:
       - https://fight.mitre.org/techniques/FGT1046
     tldr: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
@@ -351,14 +351,14 @@ policyRules:
       network infrastructure devices, including those that may be vulnerable to remote software exploitation. 
       Common methods to acquire this information include port and/or vulnerability scans using tools that are
       brought onto a system.
-  yaml: ksp-5g-network-service-scanning.yaml
+  yaml: ksp-network-service-scanning.yaml
 - name: remote-services
   precondition: 
   - /var/*
   - OPTSCAN
   description:
     refs:
-    - name: 5g-tactic-remote-services
+    - name: tactic-remote-services
       url:
       - https://fight.mitre.org/techniques/FGT1021
     tldr: Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC.
@@ -366,4 +366,16 @@ policyRules:
       may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS 
       is native software used for remote management. ARD leverages a blend of protocols, including VNC to 
       send the screen and control buffers and SSH for secure file transfer.
-  yaml: ksp-mitre-5g-remote-services.yaml
\ No newline at end of file
+  yaml: ksp-mitre-remote-services.yaml
+- name: crypto-miners
+  precondition: 
+  - /bin/*
+  - OPTSCAN
+  description:
+    refs:
+    - name: MITRE_T1496_resource_hijacking
+      url:
+      - https://attack.mitre.org/techniques/T1496/
+    tldr: Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
+    detailed: One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources.
+  yaml: ksp-prevent-crypto-miners.yaml
\ No newline at end of file