new(rules): add rule for detecting fileless execution via memfd_create #98

Merged (3 commits), Sep 14, 2023
22 changes: 21 additions & 1 deletion rules/falco-incubating_rules.yaml
Expand Up @@ -24,7 +24,7 @@

# Starting with version 8, the Falco engine supports exceptions.
# However the Falco rules file does not use them by default.
- required_engine_version: 17
- required_engine_version: 26

- macro: open_write
condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
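Review bot: the bump of required_engine_version from 17 to 26 gates the whole falco-incubating_rules.yaml, not just the new rule, so every existing rule in this file stops loading on engines between 17 and 25; state in the PR description, and ideally in a comment next to the field, which new field (proc.is_exe_from_memfd, used by the rule added further down) drives the bump, so adopters know why their Falco must be upgraded. The comment block just above ("Starting with version 8, the Falco engine supports exceptions") is unrelated to this number and reads as if it explained it; a one-line note on the actual reason would avoid that confusion.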
Expand Down Expand Up @@ -1221,3 +1221,23 @@
output: Exfiltrating Artifacts via Kubernetes Control Plane (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
priority: NOTICE
tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010]

- list: known_memfd_execution_binaries
items: []

- macro: known_memfd_execution_processes
condition: (proc.name in (known_memfd_execution_binaries))

- rule: Fileless execution via memfd_create
desc: >
Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion
technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces
about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes
by adding items to the list known_memfd_execution_processes.
condition: >
spawned_process
and proc.is_exe_from_memfd=true
and not known_memfd_execution_processes
output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
priority: CRITICAL
tags: [maturity_incubating, host, container, process, mitre_defense_evasion, T1620]
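Review bot: the desc tells adopters to add items to "the list known_memfd_execution_processes", but that is the macro; the list they must populate is the one declared above it as `- list: known_memfd_execution_binaries` with `items: []`. Change the desc to name the list, e.g. "by adding items to the list known_memfd_execution_binaries", otherwise anyone following the instructions will edit the wrong object and the rule will keep firing. Since the macro only checks `proc.name in (known_memfd_execution_binaries)`, an allowlisted name is trivial to spoof: the attacker picks the name when creating the memfd, so a payload named after an allowed process sails past the exclusion. Either match on a stronger attribute in the macro or say in the desc that the list is a noise-tuning knob, not a security boundary.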