From 507cc61b60cfd2cf562d51a6acde7cc714c0d059 Mon Sep 17 00:00:00 2001
From: Lorenzo Susini
Date: Tue, 12 Sep 2023 13:34:09 +0000
Subject: [PATCH 1/3] new(rules): add rule for detecting fileless execution
Signed-off-by: Lorenzo Susini
---
 rules/falco-incubating_rules.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index b5886a9d9..0131d3821 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1221,3 +1221,25 @@
 output: Exfiltrating Artifacts via Kubernetes Control Plane (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
 priority: NOTICE
 tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010]
+- list: known_memfd_execution_binaries
+ items: []
+
+- macro: known_memfd_execution_processes
+ condition: (proc.name in (known_memfd_execution_binaries))
+
+- rule: Fileless execution via memfd_create
+ desc: >
+ Detect if a binary is executed from memory using the memfd_create technique.
+ This is a well-known defense evasion technique for executing malware on victim machine without storing payload on disk and to avoid leaving traces about what has been executed.
+ Adopters can whitelist processes that may use fileless execution for benign purposes by adding itmes to the list `known_memfd_execution_processes`.
+ It is worth underline that this technique is used by runc to fix CVE-2019-5736. For this reason, the macro `known_memfd_execution_processes` take this into account.
+ condition: >
+ spawned_process
+ and proc.is_exe_from_memfd=true
+ and not known_memfd_execution_processes
+ output: >
+ Detected fileless execution via memfd_create (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
+ image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
+ proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
+ priority: CRITICAL
+ tags: [maturity_incubating, host, container, process, mitre_defense_evasion, T1620]
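Review bot: The description tells adopters to add entries to "the list `known_memfd_execution_processes`", but the list declared at the top of this hunk is `known_memfd_execution_binaries`; `known_memfd_execution_processes` is the macro wrapping it, so an adopter following the text would try to append items to a macro. The same wording survives the second commit's rewrite of the description (hunk `@@ -1229,17 +1230,14 @@`), so both should read `by adding items to the list known_memfd_execution_binaries`. Separately, the macro exempts solely on `proc.name`, and for an image executed from a memfd there is no on-disk path behind that name, so every entry in the list is a name-only exemption that any process presenting the same name will satisfy; a comment above the list such as `# name-only exemption: proc.name has no on-disk path to back it for memfd-backed images, so keep this list minimal and consider qualifying entries with proc.pname or container.image.repository` would help adopters weigh that before extending it.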
From 12958b5010786714c900f196926d6073390723f1 Mon Sep 17 00:00:00 2001
From: Lorenzo Susini <49318629+loresuso@users.noreply.github.com>
Date: Thu, 14 Sep 2023 10:25:09 +0200
Subject: [PATCH 2/3] update(rules): improve fileless execution rule description and output
Co-authored-by: Melissa Kilby
Signed-off-by: Lorenzo Susini <49318629+loresuso@users.noreply.github.com>
Signed-off-by: Lorenzo Susini
---
 rules/falco-incubating_rules.yaml | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 0131d3821..88b48c1ae 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1221,6 +1221,7 @@
 output: Exfiltrating Artifacts via Kubernetes Control Plane (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
 priority: NOTICE
 tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010]
+
 - list: known_memfd_execution_binaries
  items: []
@@ -1229,17 +1230,14 @@
 - rule: Fileless execution via memfd_create
  desc: >
- Detect if a binary is executed from memory using the memfd_create technique.
- This is a well-known defense evasion technique for executing malware on victim machine without storing payload on disk and to avoid leaving traces about what has been executed.
- Adopters can whitelist processes that may use fileless execution for benign purposes by adding itmes to the list `known_memfd_execution_processes`.
- It is worth underline that this technique is used by runc to fix CVE-2019-5736. For this reason, the macro `known_memfd_execution_processes` take this into account.
+ Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion
+ technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces
+ about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes
+ by adding items to the list known_memfd_execution_processes.
 condition: >
 spawned_process
 and proc.is_exe_from_memfd=true
 and not known_memfd_execution_processes
- output: >
- Detected fileless execution via memfd_create (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
- image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
- proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
+ output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
 priority: CRITICAL
 tags: [maturity_incubating, host, container, process, mitre_defense_evasion, T1620]
From 32db1eb03003a158cccde18e127e7e173a1d6fdb Mon Sep 17 00:00:00 2001
From: Lorenzo Susini
Date: Thu, 14 Sep 2023 12:34:51 +0000
Subject: [PATCH 3/3] update(incubating rules): bump required engine version
Signed-off-by: Lorenzo Susini
---
 rules/falco-incubating_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 88b48c1ae..f09414dca 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -24,7 +24,7 @@
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
-- required_engine_version: 17
+- required_engine_version: 26
 - macro: open_write
  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)