From 7499ef861a211756411b680e8f954a6c5f648807 Mon Sep 17 00:00:00 2001 From: harshnair75567-cloud Date: Sun, 12 Apr 2026 15:04:36 +0530 Subject: [PATCH 1/2] Add LotL prevention policy for security measures This policy detects and blocks unauthorized downloads and sensitive file reads to prevent potential security breaches. --- examples/policies/lotl_prevention_policy.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 examples/policies/lotl_prevention_policy.yaml diff --git a/examples/policies/lotl_prevention_policy.yaml b/examples/policies/lotl_prevention_policy.yaml new file mode 100644 index 000000000..cd8ef7cc7 --- /dev/null +++ b/examples/policies/lotl_prevention_policy.yaml @@ -0,0 +1,25 @@ +# lotl_prevention_policy.yaml +metadata: + name: "Blue Team LotL Shield" + version: "1.0" + description: "Detects and blocks common Living off the Land binaries often misused by autonomous agents." + +rules: + - id: "block-unauthorized-download" + action: "shell_exec" + condition: + # This catches agents trying to pipe web scripts directly into bash + parameter: "command" + operator: "regex_match" + value: "(curl|wget).*\\|.*(bash|sh|python)" + effect: "DENY" + message: "Critical: Potential remote code execution via piped shell script detected." + + - id: "block-sensitive-file-read" + action: "file_read" + condition: + parameter: "path" + operator: "in" + value: ["/etc/shadow", "/etc/passwd", "~/.ssh/id_rsa"] + effect: "DENY" + message: "Security Violation: Unauthorized access to system credentials." From 917238a6cea137eaf7bef5d05db822c7ce6c6301 Mon Sep 17 00:00:00 2001 From: harshnair75567-cloud Date: Sun, 12 Apr 2026 15:31:59 +0530 Subject: [PATCH 2/2] fix: harden regex and expand sensitive file list based on security review --- examples/policies/lotl_prevention_policy.yaml | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/examples/policies/lotl_prevention_policy.yaml b/examples/policies/lotl_prevention_policy.yaml index cd8ef7cc7..8f11c0855 100644 --- a/examples/policies/lotl_prevention_policy.yaml +++ b/examples/policies/lotl_prevention_policy.yaml @@ -1,25 +1,30 @@ # lotl_prevention_policy.yaml metadata: name: "Blue Team LotL Shield" - version: "1.0" - description: "Detects and blocks common Living off the Land binaries often misused by autonomous agents." + version: "1.1" + description: "Detects and blocks Living off the Land (LotL) commands and unauthorized sensitive file access." rules: - - id: "block-unauthorized-download" + - id: "block-unauthorized-download-pipe" action: "shell_exec" condition: - # This catches agents trying to pipe web scripts directly into bash parameter: "command" + # Improved Regex to reduce false positives and catch obfuscation operator: "regex_match" - value: "(curl|wget).*\\|.*(bash|sh|python)" + value: "(curl|wget|powershell)\\s+.*(-s|-fsSL|-enc|DownloadString).*\\|.*(bash|sh|python|iex)" effect: "DENY" - message: "Critical: Potential remote code execution via piped shell script detected." + message: "Security Violation: Potential remote code execution via piped shell script detected." - - id: "block-sensitive-file-read" + - id: "block-sensitive-system-read" action: "file_read" condition: parameter: "path" + # Expanded list based on Blue Team best practices operator: "in" - value: ["/etc/shadow", "/etc/passwd", "~/.ssh/id_rsa"] + value: [ + "/etc/shadow", "/etc/passwd", "/etc/hostname", + "~/.ssh/id_rsa", "~/.aws/credentials", + "/var/run/docker.sock", "/etc/kubernetes/admin.conf" + ] effect: "DENY" - message: "Security Violation: Unauthorized access to system credentials." + message: "Security Violation: Unauthorized access to critical system credentials or configuration."