
[TRACKING] "drop+exec" kernel signal correlations detections + threat modeling beyond

Open incertum opened this issue 1 year ago • 4 comments

This issue is for tracking the development of a more generic and robust solution to detect the classic "drop an implant and execute it" TTP, called "drop+exec". In addition, perform threat modeling not limited to this use case, e.g. "fileless" attacks or malicious scripts run by an interpreter ...

Please follow initial discussion in https://github.com/falcosecurity/libs/pull/595 by @loresuso, @LucaGuerra and @incertum for additional context.

Documentation: @leogr could we create a hackmd doc you own/ track titled "Falco Detections - Threat Modeling - drop+exec use case" or similar? Thank you!

Next engineering steps:

  • Test and merge once ready after rebase https://github.com/falcosecurity/libs/pull/287 (@loresuso)
  • Finalize, test and merge https://github.com/falcosecurity/libs/pull/595 (@incertum)
  • New PR for userspace modeling - kernel signal correlations detections for initial "drop+exec" use case (@LucaGuerra, @loresuso, @incertum and everyone else who wants to contribute 😄 )
  • Above possibly accompanied by a proposal doc PR

incertum, Sep 15 '22 17:09

Sure! 😄

👉 https://hackmd.io/@leogr/SJKUMEbWo

leogr, Sep 15 '22 23:09

@incertum just rebased https://github.com/falcosecurity/libs/pull/287! I've also written a proposal in the hackmd to detect fileless execution. Feedback is highly appreciated!

loresuso, Sep 16 '22 12:09

Amazing, will take a look! @loresuso, made some suggestions in the doc on how to maybe simplify "memfd+exec"; have 100% confidence that this is doable and sane and would suggest implementing it rather sooner than later if possible.

Would you want to take a crack at opening a PR for this when you get to it 😄 🚀 ? Feel free to plan me in for helping testing it as well! This is really good stuff.

incertum, Sep 16 '22 17:09
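The "drop+exec" correlation described in the issue body and the "memfd+exec" simplification mentioned in the comment above both reduce to the same userspace pattern: remember what a process (or container) has just written, then match it against the target of a later execve. The following toy correlator is an added example and not code from falcosecurity/libs; its event shape (ts, pid, container, syscall, args) and argument names are constructed simplifications of what a kernel-driven event stream provides, and the 60 s window, the /proc/<pid>/fd/N and execveat(AT_EMPTY_PATH) handling, and the clone-inherits-fds rule are assumptions made for illustration.

```python
"""Toy userspace correlator for the "drop+exec" and "memfd+exec" TTPs.

Added example, not code from falcosecurity/libs. The event shape
(ts, pid, container, syscall, args) is a constructed simplification and
the argument names are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

DROP_WINDOW_S = 60.0                                 # assumed max drop-to-exec delay
WRITE_INTENT = {"O_WRONLY", "O_RDWR", "O_CREAT"}     # open flags that signal a write
PROC_FD_RE = re.compile(r"^/proc/(?:self|\d+)/fd/(\d+)$")


@dataclass
class PidState:
    fd_paths: dict = field(default_factory=dict)   # fd -> path opened with write intent
    memfds: set = field(default_factory=set)       # fds returned by memfd_create


class DropExecCorrelator:
    def __init__(self, window_s=DROP_WINDOW_S):
        self.window_s = window_s
        self.pids = defaultdict(PidState)
        self.dropped = defaultdict(dict)   # container -> {path: ts of last write}
        self.alerts = []

    def feed(self, ts, pid, container, syscall, args):
        """Consume one event; return an alert dict if an exec correlates, else None."""
        st = self.pids[pid]
        if syscall in ("open", "openat"):
            fd = args.get("fd", -1)
            if fd >= 0 and WRITE_INTENT & set(args.get("flags", ())):
                st.fd_paths[fd] = args["path"]
        elif syscall == "write":
            path = st.fd_paths.get(args["fd"])
            if path is not None:
                self.dropped[container][path] = ts   # a file was "dropped" (written)
        elif syscall == "memfd_create":
            if args.get("fd", -1) >= 0:
                st.memfds.add(args["fd"])
        elif syscall == "close":
            st.fd_paths.pop(args["fd"], None)
            st.memfds.discard(args["fd"])
        elif syscall == "clone":
            # assumption: a forked child inherits the parent's descriptor table
            child = self.pids[args["child_pid"]]
            child.fd_paths = dict(st.fd_paths)
            child.memfds = set(st.memfds)
        elif syscall in ("execve", "execveat"):
            return self._check_exec(ts, pid, container, st, args)
        return None

    def _check_exec(self, ts, pid, container, st, args):
        exe = args.get("path", "")
        # fileless case: exec target is an anonymous memfd, reached either through
        # /proc/<pid>/fd/N or through execveat(fd, "", AT_EMPTY_PATH)
        m = PROC_FD_RE.match(exe)
        fd = int(m.group(1)) if m else args.get("fd", -1)
        if fd in st.memfds:
            return self._alert("memfd+exec", ts, pid, container, exe or f"fd={fd}", 0.0)
        # classic case: the exec path was written in this container inside the window
        wrote = self.dropped[container].get(exe)
        if wrote is not None and 0 <= ts - wrote <= self.window_s:
            return self._alert("drop+exec", ts, pid, container, exe, ts - wrote)
        return None

    def _alert(self, rule, ts, pid, container, target, age_s):
        a = {"rule": rule, "ts": ts, "pid": pid, "container": container,
             "target": target, "age_s": round(age_s, 3)}
        self.alerts.append(a)
        return a


def run_demo():
    """Replay a constructed event stream (not a real capture) and return the alerts."""
    c = DropExecCorrelator()
    events = [
        # a shell writes /tmp/x, then a forked child executes it 2 s later
        (100.0, 10, "c1", "openat", {"fd": 3, "path": "/tmp/x", "flags": ["O_WRONLY", "O_CREAT"]}),
        (100.5, 10, "c1", "write", {"fd": 3, "len": 4096}),
        (100.6, 10, "c1", "close", {"fd": 3}),
        (101.0, 10, "c1", "clone", {"child_pid": 11}),
        (102.5, 11, "c1", "execve", {"path": "/tmp/x"}),
        # benign exec of a binary nobody wrote: no alert
        (103.0, 11, "c1", "execve", {"path": "/bin/ls"}),
        # fileless: memfd_create, write into it, execveat(fd, "", AT_EMPTY_PATH)
        (200.0, 20, "c2", "memfd_create", {"fd": 4, "name": "payload"}),
        (200.1, 20, "c2", "write", {"fd": 4, "len": 65536}),
        (200.2, 20, "c2", "execveat", {"fd": 4, "path": "", "flags": ["AT_EMPTY_PATH"]}),
        # same path executed long after the drop: outside the window, no alert
        (300.0, 30, "c1", "execve", {"path": "/tmp/x"}),
    ]
    for ev in events:
        c.feed(*ev)
    return c.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Keying the dropped-path table by container rather than by pid is what makes the shell-writes, child-executes sequence correlate at all; keying memfds by pid (and copying them on clone) is needed because descriptor numbers are only meaningful inside one process's table. A real implementation would also expire the dropped-path table and reset per-pid descriptor state on a successful exec.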

Thank you @incertum for all the comments! I will start experimenting soon, and I will keep you posted on this 🙂 And yes, any help in testing these kinds of PRs is always welcome 🙏

loresuso, Sep 19 '22 13:09