@alegrey91 Could you review this PR ?

@alegrey91 I think you closed this instead of merging?

Hello @0xquark, and thanks a lot for your contribution! We really appreciate your effort :)
I'll try to review your PR asap!

@alegrey91 I think you closed this instead of merging?

Yes, sorry 😅

@0xquark , sorry for my confusion. Is this rule connected to a control?

Hi @0xquark and still thanks for your contribution! I just checked the code that you submitted. It looks good, but I realized that we don't have as much information available in order to have a deep overview about the GTFOBins present. What I mean is that we should be able to extract for each container the whole list of binaries inside them and use this list to effectively check their presence. In your implementation (the only possible at the moment), we can only have a limited knowledge about them, since we don't have enough data. I'm going to schedule an internal call with the team in order to take a decision on how to provide these data and allow you to implement a better and more complete rule. I'll keep you updated :) If you have any doubt feel free to ask. I'll try to make you understand better the point.

Adding to this, I think that we will have access to image SBOMs within a few weeks. This means we can look for packages containing these binaries in Kubescape API SBOM objects

Thanks for the review @alegrey91 and @slashben. I first thought of implementing it by iterating over all the present binaries in a container but i was not able to find a way to do that ( Is it possible if i use find on / and check perms to get the executables find / -type f -executable ). Kubescape API SBOM objects could be really helpful, will implement in the coming weeks then.
Would it be a good idea to have a similar rule that checks for the gtfobins binaries in the container commands?
I've modified the rule to iterate over each pod object in the input, then checks each container in the pod for the presence of GTFOBins binaries. It does this by defining a set of GTFOBin binaries, then checking if any of these binaries are present in the container's command field.
It could be possible that the user may be using some binaries in the command that has bigger risks while running the container, there may be an alternative present to that binary.

@0xquark , sorry for my confusion. Is this rule connected to a control?
Is it possible to make a control for this rule?

My Implementation of above rule using find : https://pastebin.com/1ef61nTP

@alegrey91 , @0xquark - hey guys, what is the status with this PR ?