Initial commit

lightspin-tech · Aug 21, 2022 · 55a1bb1 · 55a1bb1
commit 55a1bb1
Show file tree

Hide file tree

Showing 15 changed files with 286 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,36 @@
+name: Docker
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  IMAGE_TAG: latest
+  IMAGE_NAME: k8s-attack-simulation
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: export branch name
+        run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GH_TOKEN }}
+
+      - name: Build image and push
+        uses: docker/build-push-action@v3
+        with:
+          file: Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+            ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+          labels: 
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:latest 
+
+RUN apt-get -y update 
+
+COPY src /src/
+
+RUN chmod -R +x /src/
diff --git a/README.md b/README.md
@@ -0,0 +1,53 @@
+# Light K8S Attack Simulations
+
+This repository contains cases to simulate an unusual/malicious behavior in linux containers. These simulations triggers alerts for new advanced Falco rules, used in Lightspin K8s runtime protection solution.
+
+Every case has a Dockerfile that build an image for the relevant simulation and yaml file to apply Pod inside the cluster that monitor by Falco. 
+When the pod is running the container inside runs a bash script, this script contains the relevant command to trigger the Falco alert. 
+
+## Use Cases
+
+Technique Name | Rule Name  | Description|
+----------|-------------|------------------|
+modify-password-files | Modify Password Files |Attempts to modify /etc/passwd and /etc/shadow files | 
+dump-process-memory | Dump Process Memory | Gathering credentials from information stored in the Proc filesystem | 
+modify-ssh-authorized-keys | Modify SSH Authorized Keys | Editing of SSH authorized_keys file to maintain persistence on compromised environment |
+logs-removal | Logs Removal | Delete of system and audit logs |
+mount-cgroups-into-container | Mount Cgroups Into Container | Detect mount of cgroups into container (used to container escapes) |
+
+## Get Started 
+
+1. Connect the K8s cluster to Lightspin and enable the runtime protection option.
+2. Connect to the cluster using kubectl cli.
+3. Clone the repository and change directory to the main folder
+```console
+git clone https://github.com/lightspin-tech/light-k8s-attack-simulations.git
+cd light-k8s-attack-simulations
+``` 
+4. Choose use case (Technique name) from the above table.
+5. Run the following command:
+```console
+./light-attack-simulation.sh run [Technique Name]
+```
+
+## Uninstall
+
+Run the following command:
+```console
+./light-attack-simulation.sh delete [Technique Name]
+```
+
+## Usage
+
+```bash
+Syntax: ./light-attack-simulation.sh [-h] [run|delete] [techniqueName] [-n|--namspace]
+
+required arguments:
+run		run technique simulation
+delete		delete technique simulation
+techniqueName		name of use-case
+
+other arguments:
+-h --help         show this help message and exit
+-n --namespcae		install pod on spesific namespace
+ ```
diff --git a/build.yml b/build.yml
@@ -0,0 +1,36 @@
+name: Docker
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  IMAGE_TAG: latest
+  IMAGE_NAME: k8s-attack-simulation
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: export branch name
+        run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GH_TOKEN }}
+
+      - name: Build image and push
+        uses: docker/build-push-action@v3
+        with:
+          file: Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+            ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+          labels: 
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
diff --git a/light-attack-simulation.sh b/light-attack-simulation.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+Help()
+{
+	# Display Help
+	echo ""
+	echo "Syntax: ./light-attack-simulation.sh [-h] [run|delete] [techniqueName] [-n|--namspace]"
+	echo ""
+	echo "required arguments:"
+	echo "run		run technique simulation"
+	echo "delete		delete technique simulation"
+	echo "techniqueName		name of the use-case"
+	echo ""
+	echo "other arguments:"
+	echo "-h --help         show this help message and exit"
+	echo "-n --namespcae		install pod on spesific namespace"
+}
+
+namespace="default"
+
+while test $# -gt 0; do
+	case "$1" in
+		run) 
+			shift
+			operation="run"
+			yaml="$1.yaml"
+			shift
+			;;
+		delete)
+			shift
+			operation="delete"
+			yaml="$1"
+			shift
+			;;
+		-h|--help)
+			Help
+			exit 0
+			;;
+		-n|--namespace)
+			shift
+			namespace=$1
+			shift
+			;;
+	esac
+done
+if [ $operation == "run" ]; then
+	kubectl apply -f ./manifests/$yaml -n $namespace
+else
+	kubectl delete pods $yaml -n $namespace
+fi
+exit 0
diff --git a/manifests/dump-process-memory.yaml b/manifests/dump-process-memory.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dump-process-memory
+  labels:
+    app: ubuntu
+spec:
+  containers:
+  - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+    command: ["src/shell-dump-process-memory.sh"]
+    imagePullPolicy: Always
+    name: simulation
+    securityContext:
+        capabilities:
+          add: ["SYS_PTRACE"]
diff --git a/manifests/logs-removal.yaml b/manifests/logs-removal.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: logs-removal
+  labels:
+    app: ubuntu
+spec:
+  containers:
+  - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+    command: ["src/shell-logs-removal.sh"]
+    imagePullPolicy: Always
+    name: simulation
diff --git a/manifests/modify-password-files.yaml b/manifests/modify-password-files.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: modify-password-files
+  labels:
+    app: ubuntu
+spec:
+  containers:
+  - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+    command: ["src/shell-modify-password-files.sh"]  
+    imagePullPolicy: Always
+    name: simulation
diff --git a/manifests/modify-ssh-authorized-keys.yaml b/manifests/modify-ssh-authorized-keys.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: modify-ssh-authorized-keys
+  labels:
+    app: ubuntu
+spec:
+  containers:
+  - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+    command: ["src/shell-modify-ssh-authorized-keys.sh"]
+    imagePullPolicy: Always
+    name: simulation
diff --git a/manifests/mount-cgroups-into-container.yaml b/manifests/mount-cgroups-into-container.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mount-cgroups-into-container
+  labels:
+    app: ubuntu
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/simulation: unconfined
+spec:
+  containers:
+  - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+    command: ["src/shell-mount-cgroups-into-container.sh"]
+    imagePullPolicy: Always
+    name: simulation
+    securityContext:
+      capabilities:
+        add: ["SYS_ADMIN"]
diff --git a/src/shell-dump-process-memory.sh b/src/shell-dump-process-memory.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+PID=$$
+HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+dd if=/proc/"${PID}"/mem of="/home/test.dd" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-logs-removal.sh b/src/shell-logs-removal.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -rf /private/var/audit/*
+rm -rf /private/var/log/system.log*
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-modify-password-files.sh b/src/shell-modify-password-files.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo 'mak:$y$j9T$sN9jH1Sc4Y0RR1v2oGJi9/$vwoBEO9buQ6ITqZDcV78Y8UHo/NfT9byc.iT5QgP2Y4:19197:0:99999:7:::' >> /etc/shadow
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-modify-ssh-authorized-keys.sh b/src/shell-modify-ssh-authorized-keys.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+mkdir ~/.ssh
+echo 'blabla' > ~/.ssh/authorized_keys 
+if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys="blablabla"; echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;
+unset ssh_authorized_keys
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-mount-cgroups-into-container.sh b/src/shell-mount-cgroups-into-container.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+mkdir /tmp/cgrp
+mount -t cgroup -o rdma cgroup /tmp/cgrp
+
+/bin/bash -c "sleep 6045d"