Falco rules map to MITRE ATT&CK techniques by acting as behavioral indicators that, when triggered, suggest a system is exhibiting tactics and techniques commonly associated with adversarial activity.
Let’s see this in action with a common scenario: detecting suspicious process creation.
Consider this Falco rule:
- rule: Suspicious Parent Process
desc: Detect a suspicious parent process spawning a child process. This could indicate privilege escalation or lateral movement.
condition: >
evt.type = syscall and proc.name != "init" and proc.name != "systemd" and
ppid.name in ("sshd", "sudo", "su") and proc.name in ("bash", "sh", "powershell.exe", "cmd.exe")
output: >
Suspicious process spawned (name=%proc.name, pid=%proc.pid) by parent (name=%ppid.name, pid=%ppid.pid)
enabled: true
priority: WARNING
tags: [process, attack, execution, privilege-escalation, lateral-movement]
When this rule triggers, Falco outputs something like:
16:30:05.123456789: Warning Suspicious process spawned (name=bash, pid=12345) by parent (name=sshd, pid=54321)
This alert tells us that a bash shell process was spawned by an sshd process. In a typical server environment, sshd is expected to spawn shells for legitimate user logins. However, if this bash process is then used to execute commands that aren’t part of a normal user session, or if it’s spawned by an sshd process that itself was started in an unusual way, it could indicate an attacker has gained initial access via SSH and is now attempting to execute commands or escalate privileges.
The Mental Model: Detection as a Detective
Falco’s core strength is its ability to monitor system calls and other kernel-level events. It’s like having a highly observant detective watching every interaction between processes, files, and the network. When a specific sequence or pattern of these interactions matches a known "modus operandi" of an attacker (a MITRE ATT&CK technique), Falco raises an alert.
The mapping to MITRE ATT&CK is achieved through the tags field in the Falco rule. In the example above, tags: [process, attack, execution, privilege-escalation, lateral-movement] directly links the detected behavior to broader categories of attacker actions.
process: This is a general category indicating the alert relates to process activity.attack: A broad tag indicating this rule is designed to detect malicious behavior.execution: This maps to the MITRE ATT&CK "Execution" tactic (TA0002), which is about techniques adversaries use to run malicious code.privilege-escalation: This maps to the "Privilege Escalation" tactic (TA0004), techniques used to gain higher-level permissions.lateral-movement: This maps to the "Lateral Movement" tactic (TA0008), techniques adversaries use to move from one system to another within a network.
By combining Falco’s detailed event monitoring with the structured taxonomy of MITRE ATT&CK, security teams can:
- Prioritize Alerts: Focus on alerts that map to high-severity or high-impact MITRE techniques.
- Understand Threats: Gain context about what an attacker might be trying to achieve when an alert fires. Is it just running a command, or are they trying to gain root privileges?
- Improve Detection: Translate known adversary behaviors (MITRE techniques) into concrete, actionable Falco rules.
- Measure Coverage: Assess how well their Falco rules cover the MITRE ATT&CK framework, identifying gaps in their detection capabilities.
The Levers You Control
The primary levers for mapping Falco rules to MITRE ATT&CK are:
condition: This is where you define the specific system call patterns or process behaviors that indicate a technique. For example, detecting specific command-line arguments used withcurlmight map to "Command and Scripting Interpreter" (T1059) or "Ingress Tool Transfer" (T1105).tags: This is the explicit link. You assign one or more MITRE ATT&CK tactic and technique IDs (or descriptive names, as in the example) to the rule.output: While not directly mapping, a well-crafted output message can include details that help a security analyst quickly identify the relevant MITRE technique.
The Real Magic: Contextualizing System Calls
The real power is in how Falco can correlate seemingly innocuous system calls into a narrative of malicious activity. A single execve system call by itself might mean nothing. But when that execve is by a bash spawned by sshd (as in our example), and that bash process then attempts to openat sensitive configuration files or execute commands like whoami, id, or setuid, Falco can chain these events together. The condition in your Falco rule is what allows you to define these chains. For instance, a rule looking for proc.name = bash and then evt.type = openat followed by evt.type = execve within a short timeframe, especially when spawned by a suspicious parent, could be tagged with privilege-escalation or defense-evasion (T1070 - Indicator Removal on Host, if it’s deleting logs).
Consider a rule designed to detect "Scheduled Task/Job: Scheduled Task" (T1053.005). This might involve monitoring openat calls for files in /etc/cron.d/ or /etc/cron.hourly/, followed by openat calls to /bin/crontab or /usr/bin/at, and then an execve for the actual script being scheduled. The condition would look something like:
- rule: Create Cron Job
desc: Detect creation of new cron jobs.
condition: >
(evt.type = openat and evt.arg.pathname contains "/etc/cron.d/") or
(evt.type = openat and evt.arg.pathname contains "/etc/cron.hourly/") or
(evt.type = openat and evt.arg.pathname contains "/etc/cron.daily/") or
(evt.type = openat and evt.arg.pathname contains "/etc/cron.weekly/") or
(evt.type = openat and evt.arg.pathname contains "/etc/cron.monthly/") or
(evt.type = openat and evt.arg.pathname = "/usr/bin/crontab") or
(evt.type = execve and proc.name = "crontab")
output: >
Cron job modification detected: process=%proc.name, cmdline=%proc.cmdline,
file_path=%evt.arg.pathname, user=%user.name
enabled: true
priority: HIGH
tags: [scheduled-task, persistence, execution]
This rule, with its tags scheduled-task, persistence, and execution, directly informs an analyst that this activity aligns with MITRE ATT&CK’s "Persistence" tactic (TA0003) and specifically the "Scheduled Task/Job: Scheduled Task" technique.
The effectiveness of this mapping hinges on understanding the adversarial mindset and how it translates into observable system behaviors. Falco provides the visibility, and MITRE ATT&CK provides the framework for interpreting that visibility in the context of known threats.
The next step is understanding how to leverage Falco’s output for automated threat hunting and response.