K8s Security Pro template #12 (Audit & Monitoring, Professional tier)

Falco Runtime Security Rules

A 7-rule Falco detection ruleset covering shell access, crypto mining, credential theft, privilege escalation, network recon, package installation, and /etc tampering.

CIS Benchmark: 5.7.1
MITRE ATT&CK: T1059.004, T1496, T1552.001, T1548.001, T1046, T1105, T1036

Overview

This template provides a comprehensive Falco runtime security ruleset with 7 detection rules covering the most critical attack patterns in Kubernetes. Falco monitors kernel syscalls in real time, detecting malicious behavior as it happens — not after the fact.

Security threat addressed: Preventive controls (NetworkPolicy, RBAC, PSS) can be bypassed. Runtime detection catches active attacks in progress: shells spawned in containers, crypto miners, credential theft, and privilege escalation attempts.

When to use: Deploy Falco as a DaemonSet across all nodes and load these rules as a custom rule file. Connect alerts to your SIEM or incident response workflow.

Threat Model

  • Active attack detection: Unlike preventive controls, Falco detects attacks that have already bypassed other defenses.
  • Cryptojacking identification: Detects both known mining processes and network connections to mining pools.
  • Credential theft alerting: Monitors reads of sensitive files like /etc/shadow, K8s PKI certs, and SA tokens.
  • Post-exploitation visibility: Detects privilege escalation, network recon, and persistence techniques.

MITRE ATT&CK:

  • T1059.004 — Unix Shell: Shell spawned in container indicates hands-on-keyboard activity.
  • T1496 — Resource Hijacking: Crypto miner process detection and mining pool connections.
  • T1552.001 — Credentials in Files: Sensitive file reads for credential theft.
  • T1548.001 — Setuid/Setgid: Privilege escalation via setuid binaries.
  • T1046 — Network Service Discovery: Network recon tool execution.
  • T1105 — Ingress Tool Transfer: Package manager execution in running containers.
  • T1036 — Masquerading: Configuration tampering via writes to /etc.

Real-world scenario: An attacker exploits an RCE vulnerability, spawns a bash shell, downloads xmrig crypto miner, and starts mining. Falco triggers three separate alerts: shell spawned, package manager executed, and crypto miner detected — enabling immediate incident response.
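The SIEM-side correlation this scenario calls for, as an added example that is not part of the k8s-security-pro template: it reads Falco JSON-output lines (Falco run with `json_output: true`), groups alerts by pod, and escalates a pod when the shell, package-manager and miner alerts land on the same pod or any CRITICAL alert fires. The rule-6 name and the sample events are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Stage each rule contributes to the chain. Rule 1 and rule 2 names are taken
# from the page; the rule 6 name is an assumption (the template's real name may differ).
CHAIN_RULES = {
    "Shell spawned in container": "shell",
    "Package manager executed in container": "pkgmgr",  # assumed name
    "Cryptocurrency mining process detected": "miner",
}
PRIORITY_RANK = {"Notice": 0, "Warning": 1, "Error": 2, "Critical": 3}

def _event(rule, priority, ns, pod):
    # Constructed Falco JSON event (shape of json_output=true lines, trimmed to the fields used).
    return json.dumps({"rule": rule, "priority": priority, "source": "syscall",
                       "output_fields": {"k8s.ns.name": ns, "k8s.pod.name": pod}})

# Constructed sample log: the RCE -> shell -> package manager -> miner scenario on
# one pod, a lone debugging shell on another pod, plus a non-JSON Falco startup line.
SAMPLE_LOG = [
    _event("Shell spawned in container", "Warning", "shop", "api-7c9f"),
    "Tue Mar  5 10:00:01 2024: Falco initialized with configuration file /etc/falco/falco.yaml",
    _event("Package manager executed in container", "Warning", "shop", "api-7c9f"),
    _event("Shell spawned in container", "Warning", "dev", "debug-1a2b"),
    _event("Cryptocurrency mining process detected", "Critical", "shop", "api-7c9f"),
]

def correlate(lines):
    """Group Falco alerts by (namespace, pod) and decide which pods to escalate.
    A pod escalates when two or more chain stages fire on it (two WARNING alerts
    together are stronger evidence than either alone) or when any CRITICAL fires.
    Returns {(ns, pod): {"stages": [...], "max_priority": str, "escalate": bool}}."""
    state = defaultdict(lambda: {"stages": set(), "max_priority": "Notice"})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text Falco log lines are not alerts
        fields = ev.get("output_fields", {})
        key = (fields.get("k8s.ns.name", "<host>"), fields.get("k8s.pod.name", "<host>"))
        entry = state[key]
        stage = CHAIN_RULES.get(ev.get("rule"))
        if stage:
            entry["stages"].add(stage)
        prio = ev.get("priority", "Notice")
        if PRIORITY_RANK.get(prio, 0) > PRIORITY_RANK[entry["max_priority"]]:
            entry["max_priority"] = prio
    return {k: {"stages": sorted(v["stages"]), "max_priority": v["max_priority"],
                "escalate": len(v["stages"]) >= 2 or v["max_priority"] == "Critical"}
            for k, v in state.items()}

if __name__ == "__main__":
    for pod, verdict in correlate(SAMPLE_LOG).items():
        print(pod, verdict)
```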

YAML Source

# Part of: k8s-security-pro
# RULE 1: Shell Spawned in Container (WARNING)
# MITRE ATT&CK: T1059.004, T1609
- rule: Shell spawned in container
  desc: >
    An interactive shell was spawned inside a running container.
    Strong indicator of hands-on-keyboard activity.
  condition: >
    spawned_process
    and container
    and shell_procs
    and proc.tty != 0
    and not user_expected_shell_in_container
    and not package_mgmt_procs
  output: >
    Shell spawned in container
    (user=%user.name container_id=%container.id
    image=%container.image.repository shell=%proc.name
    pod_name=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059.004, T1609]

# RULE 2: Cryptocurrency Mining Detection (CRITICAL)
# MITRE ATT&CK: T1496
- rule: Cryptocurrency mining process detected
  desc: >
    A known cryptocurrency mining process was detected in a container.
    Immediate incident response required.
  condition: >
    spawned_process and container and crypto_mining_procs
  output: >
    CRITICAL: Crypto miner detected
    (process=%proc.name container_name=%container.name
    pod_name=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [container, cryptomining, mitre_impact, T1496]
# ... truncated -- get all 7 rules with macros at k8s-security.pro/pricing

Get the complete template with all 7 rules, reusable macros, mining pool port detection, sensitive mount detection, container escape detection, and network recon alerts in the Professional tier.

Installation

kubectl:

# Install Falco via Helm (Falcosidekick forwards alerts to SIEM/chat/webhook outputs)
helm install falco falcosecurity/falco --namespace falco --create-namespace \
  --set falcosidekick.enabled=true

# Create a ConfigMap from the rules file. Note: the Falco Helm chart only mounts custom
# rules passed through its customRules value (see the chart README); a ConfigMap created
# by hand is not mounted into the Falco pods on its own.
kubectl create configmap falco-custom-rules -n falco --from-file=12_falco_rule_shell_in_container.yaml

Helm:

helm install k8s-security ./charts/k8s-security -f values-prod.yaml

Kustomize:

kubectl apply -k kustomize/overlays/prod

Verification

# Verify Falco is running
kubectl get pods -n falco

# Check Falco logs for rule loading
kubectl logs -n falco -l app.kubernetes.io/name=falco | grep "rule"

# Trigger a test alert (shell in container); keep -t, since Rule 1 requires an allocated TTY (proc.tty != 0)
kubectl exec -it <pod-name> -- /bin/sh

# Check Falco output for the alert
kubectl logs -n falco -l app.kubernetes.io/name=falco | grep "Shell spawned"

CIS Benchmark References

  • 5.7.1 — Use a runtime security tool for container behavior monitoring. Falco directly satisfies this requirement with real-time syscall monitoring.

MITRE ATT&CK References

  • T1059.004 — Unix Shell: Rule 1 detects interactive shell spawning in containers.
  • T1496 — Resource Hijacking: Rule 2 detects crypto mining processes and pool connections.
  • T1552.001 — Credentials in Files: Rule 3 detects reads of sensitive files (shadow, PKI, tokens).
  • T1548.001 — Setuid/Setgid: Rule 4 detects privilege escalation via setuid binaries and container escape tools.
  • T1046 — Network Service Discovery: Rule 5 detects network reconnaissance tools (nmap, netcat, etc.).
  • T1105 — Ingress Tool Transfer: Rule 6 detects package manager execution in running containers.
  • T1036 — Masquerading: Rule 7 detects configuration tampering via writes to /etc.

This template is included in the Professional tier and above.