From 8e9cfb02c619123163f4a331164661f0d9d3ff24 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 20 Mar 2024 12:54:12 -0400 Subject: [PATCH 1/4] docs: clarify generation of sample detections Work to clarify generating sample detections for k8s and docker --- README.md | 56 ++++++++++++++++++++++++++----------------------------- 1 file changed, 26 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index df6f2e6..1cbf0b5 100644 --- a/README.md +++ b/README.md 
@@ -24,80 +24,76 @@ Automated detections currently available include: (\*) eligible for Prevention if configured in policy (\*\*) container starting using exposed port (-p 8080:80) required and a Kali attack host ready. Please note that a detection will only occur once you execute commands via meterpreter! -# Downloading & Usage +## Downloading & Usage + +### Download via Quay.io -## Download via Quay.io Container images hosted at [https://quay.io/repository/crowdstrike/detection-container](https://quay.io/repository/crowdstrike/detection-container) are automatically rebuilt as mult-architecture images with every merged pull request. Pull this container with the following Docker (or podman!) command: Using Docker CLI: + ```shell docker pull quay.io/crowdstrike/detection-container ``` Using Podman CLI: + ```shell podman pull quay.io/crowdstrike/detection-container ``` If a specific architecture is desired to be used, add the `--platform` flag with the desired architecture(s): `linux/arm64,linux/amd64,linux/s390x,linux/ppc64le` -## Build from Source +### Build from Source + Clone this repository and build the container using ``docker build`` or ``podman build``: With Docker CLI: + ```shell docker build -t /detection-container . ``` Podman CLI: + ```shell podman build -t /detection-container . ``` Multi-architecture Build (requires Docker with BuildKit): + ```shell make docker-buildx ``` -# Generate Sample Detections -The detection-container can used in one of two modes: +## Generate Sample Detections -1. ``interactive`` mode, which will expose a TUI where you can select pre-canned scripts that will generate simple detections (e.g., "hit #1 for credential dumping!"). +The detection-container operates in one of two modes, suitable for both Docker and Kubernetes environments: -2. ``non-interactive`` mode, which will randomly create detections. 
This is how CrowdStrike runs the detection-container internally as it will constantly create sample detections for product demos. +### Interactive Mode -## Interactive Mode -The following command will utilize Docker's interactive mode, present you with a text-based interface, and remove the container from your system after running: +This mode exposes a text-based user interface (TUI) for selecting pre-canned scripts to generate simple detections (e.g., "hit #1 for credential dumping!"). -```shell +For Docker, use the following command to run the detection container interactively: + +```bash sudo docker run --rm -it quay.io/crowdstrike/detection-container ``` -This will present a text user interface: -![detection-container Text User Interface](docs/images/cli-interface.png) +For Kubernetes environments, refer to the [vulnapp project](https://github.com/CrowdStrike/vulnapp) for running the detection container interactively. -Enter the menu option of the detection you would like to create and hit enter. Depending on which detection was selected you may be guided through additional menus. +### Non-interactive Mode -## Non-interactive Mode -Non-interactive mode will randomly create detections. Between each detection the container will pause for a randomized amount of time ranging from 100 to 1800 seconds (roughly 1.5 - 30 minutes). This pause ensures events trigger unique detections in the Falcon console that are not grouped together. +In this mode, detections are randomly generated with pauses between each to ensure uniqueness in the Falcon console. The pause duration ranges from 100 to 1800 seconds (approximately 1.5 to 30 minutes). 
-The following command will run detection-container non-interactively: -```shell +For Docker, use the following command to run the detection container non-interactively: + +```bash sudo docker run --rm quay.io/crowdstrike/detection-container ``` -Output will be sent to the console (via ``stdout``) regarding what detections are being generated. An example of running in non-interactive mode, plus output, is shown below: - -![non-interactive mode](docs/images/non-interactive.png) - -## Kubernetes Interactive Mode - -For running the detection container in interactive mode on Kubernetes clusters, please see the [vulnapp project](https://github.com/CrowdStrike/vulnapp) - -## Kubernetes Non-interactive Mode - -For running the detection container in non-interactive mode which will randomly create detections, run the following command: -``` -$ kubectl create -f https://raw.githubusercontent.com/CrowdStrike/detection-container/main/detections.example.com +For Kubernetes environments, use the following command to run the detection container non-interactively: +```bash +kubectl create -f https://raw.githubusercontent.com/CrowdStrike/detection-container/main/detections.example.com ``` From b868feb51e5267bc35a8543c53429d77eee36bca Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 20 Mar 2024 15:39:47 -0400 Subject: [PATCH 2/4] docs: update formatting and ensure consistent code snippets --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1cbf0b5..d85c3cc 100644 --- a/README.md +++ b/README.md 
@@ -21,8 +21,10 @@ Automated detections currently available include: | [Webserver Trigger Metasploit Payload](https://github.com/CrowdStrike/detection-container/blob/main/bin/metasploit/Webserver_Trigger_Metasploit_Payload.sh) \*\* | Simulates a malicious file upload, which executes a reverse TCP meterpreter to Kali. Please review the script for details on how to trigger this detection. | | [Reverse TCP Trojan (inert)](https://github.com/CrowdStrike/detection-container/blob/main/bin/Reverse_Shell_Trojan.sh) \* | Inert Trojan, written by CrowdStrike, that will attempt to connect to 192.168.0.1 on TCP port 4444. Tnis will be detected and killed by CrowdStrike's on-sensor machine learning with the aggressive policy settings. | -(\*) eligible for Prevention if configured in policy -(\*\*) container starting using exposed port (-p 8080:80) required and a Kali attack host ready. Please note that a detection will only occur once you execute commands via meterpreter! +> [!NOTE] +> (**\***) eligible for Prevention if configured in policy +> +> (**\*\***) container starting using exposed port (-p 8080:80) required and a Kali attack host ready. Please note that a detection will only occur once you execute commands via meterpreter! ## Downloading & Usage From e4b5ca37905ab9d50de59b031b9d410c3b331406 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 20 Mar 2024 15:56:38 -0400 Subject: [PATCH 3/4] add images back..woops --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index d85c3cc..aba56cf 100644 --- a/README.md +++ b/README.md 
@@ -76,6 +76,10 @@ The detection-container operates in one of two modes, suitable for both Docker a This mode exposes a text-based user interface (TUI) for selecting pre-canned scripts to generate simple detections (e.g., "hit #1 for credential dumping!"). +An example of running in interactive mode is shown below: + +![detection-container Text User Interface](docs/images/cli-interface.png) + For Docker, use the following command to run the detection container interactively: ```bash @@ -88,6 +92,10 @@ For Kubernetes environments, refer to the [vulnapp project](https://github.com/C In this mode, detections are randomly generated with pauses between each to ensure uniqueness in the Falcon console. The pause duration ranges from 100 to 1800 seconds (approximately 1.5 to 30 minutes). +Output will be sent to the console (via ``stdout``) regarding what detections are being generated. An example of running in non-interactive mode, plus output, is shown below: + +![non-interactive mode](docs/images/non-interactive.png) + For Docker, use the following command to run the detection container non-interactively: ```bash From d8fe2a57436e9ff0ea280f5e75b06b3572e2c60f Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 20 Mar 2024 16:06:56 -0400 Subject: [PATCH 4/4] make images smaller by using tag --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index aba56cf..1b9b24a 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ This mode exposes a text-based user interface (TUI) for selecting pre-canned scr An example of running in interactive mode is shown below: -![detection-container Text User Interface](docs/images/cli-interface.png) +detection-container Text User Interface For Docker, use the following command to run the detection container interactively: 
@@ -94,7 +94,7 @@ In this mode, detections are randomly generated with pauses between each to ensu Output will be sent to the console (via ``stdout``) regarding what detections are being generated. An example of running in non-interactive mode, plus output, is shown below: -![non-interactive mode](docs/images/non-interactive.png) +non-interactive mode For Docker, use the following command to run the detection container non-interactively:
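Review bot: in the `@@ -24,80 +24,76 @@` hunk of PATCH 1/4, the new Kubernetes command `kubectl create -f https://raw.githubusercontent.com/CrowdStrike/detection-container/main/detections.example.com` applies a manifest fetched from a moving branch straight into the cluster, and the path ends in `detections.example.com`, which reads like a hostname rather than a manifest file; please confirm that URL actually resolves to the intended YAML, and consider pinning it to a tag or commit SHA (and telling readers to download and inspect it before applying) so what lands in their cluster is reviewable and reproducible. `kubectl apply -f` is also friendlier than `create` when the command is re-run. Two smaller points in the same hunk: the run commands switch their fences to ```bash while the pull and build fences above keep ```shell, so pick one; and the deleted lines "Enter the menu option of the detection you would like to create and hit enter. Depending on which detection was selected you may be guided through additional menus." were the only instructions for navigating the TUI, which are worth keeping under "Interactive Mode". The context line "automatically rebuilt as mult-architecture images" still carries the "mult-architecture" typo if you are touching this area anyway.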
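Review bot: the `> [!NOTE]` alert introduced in the `@@ -21,8 +21,10 @@` hunk of PATCH 2/4 only renders as a callout on GitHub; on Quay.io and most other Markdown renderers it appears as a blockquote with a literal `[!NOTE]` line, so if this README is displayed anywhere other than GitHub a plain bold "Note:" is the safer form. While these footnotes are being reworked, the second one, "container starting using exposed port (-p 8080:80) required and a Kali attack host ready", would read better as "requires the container to be started with an exposed port (`-p 8080:80`) and a Kali attack host ready", and the context line just above has "Tnis will be detected" where "This" is meant.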
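Review bot: in the `@@ -76,6 +76,10 @@` hunk of PATCH 3/4 the restored screenshot is placed before the `sudo docker run --rm -it` command it illustrates, which inverts the order the README had before (command, then "This will present a text user interface:", then image); putting the image after the command lets readers see what to type before seeing the result. Separately, the commit subject "add images back..woops" drops the `docs:` prefix the other three commits in this series use.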
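Review bot: the `@@ -88,6 +92,10 @@` hunk of PATCH 3/4 restores the sentence "Output will be sent to the console (via ``stdout``) regarding what detections are being generated" and then relies on a screenshot to show that output; since images are not searchable and do not copy into tickets or runbooks, quoting one or two real lines of that stdout in a fenced block next to the image would let readers grep for the same messages in their own logs.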
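Review bot: in the `@@ -78,7 +78,7 @@` hunk of PATCH 4/4 the replacement line is bare alt text, `+detection-container Text User Interface`, with no image reference at all; unless an inline `<img>` element carrying a `width` attribute was stripped in transit, this hunk removes the screenshot rather than shrinking it, so please check the rendered README still shows the TUI image. If an `<img>` tag is intended, note that inline HTML is not rendered by every Markdown viewer, which is the trade-off against the `![...](docs/images/cli-interface.png)` form being deleted.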
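Review bot: in the `@@ -94,7 +94,7 @@` hunk of PATCH 4/4 the line `+non-interactive mode` is alt text only, with no path to `docs/images/non-interactive.png` or any other image reference, so as shown the non-interactive screenshot disappears instead of being resized; confirm the intended `<img>` element (with its `width` attribute and `src="docs/images/non-interactive.png"`) is actually in the committed file and renders where the README is hosted.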