[TRACKING] "drop+exec" kernel signal correlations detections + threat modeling beyond
This issue is for tracking the development of a more generic and robust solution to detect the classic "drop an implant and execute it" TTP, called "drop+exec". In addition, perform threat modeling not limited to this use case, e.g. "fileless" attacks or malicious scripts run by an interpreter ...
Please follow initial discussion in https://github.com/falcosecurity/libs/pull/595 by @loresuso, @LucaGuerra and @incertum for additional context.
Documentation: @leogr could we create a hackmd doc you own/ track titled "Falco Detections - Threat Modeling - drop+exec use case" or similar? Thank you!
Next engineering steps:
- Test and merge once ready after rebase https://github.com/falcosecurity/libs/pull/287 (@loresuso)
- Finalize, test and merge https://github.com/falcosecurity/libs/pull/595 (@incertum)
- New PR for userspace modeling - kernel signal correlations detections for initial "drop+exec" use case (@LucaGuerra, @loresuso, @incertum and everyone else who wants to contribute 😄 )
- Above possibly accompanied by a proposal doc PR
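To make the "kernel signal correlation" idea concrete, here is a small added illustration (not Falco or libs code, and not the proposal's design) of the userspace side of such a detection: it consumes a constructed, simplified stream of syscall events and flags a process that executes a path written shortly before ("drop+exec") or that executes a memfd-backed file ("memfd+exec"). Event field names, the `WRITE_FLAGS` subset, the `/memfd:` path prefix check and the 60-second window are all assumptions chosen for the example.

```python
"""Toy correlator for the "drop+exec" and "memfd+exec" patterns.

Added illustration, not Falco/libs code. Consumes a constructed list of
simplified syscall events (one dict per event) and flags a process that
writes a file and later executes it, or that executes a memfd-backed file.
"""
from collections import defaultdict

# Open flags treated as "this open may write the file" (assumed subset).
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}


def correlate(events, window=60.0):
    """Return a list of (rule, pid, what) alerts for the given event stream.

    events: iterable of dicts with keys ts (float seconds), pid, syscall and
    syscall-specific keys (path, flags, fd, exe) - an assumed schema.
    window: max seconds between the drop and the exec for them to correlate.
    """
    # path -> timestamp of the most recent write-capable open, across all
    # pids (the dropper and the executor are often different processes).
    dropped = {}
    # pid -> set of fds returned by memfd_create in that process
    memfds = defaultdict(set)
    alerts = []
    for ev in events:
        sc = ev["syscall"]
        if sc == "open" and WRITE_FLAGS & set(ev.get("flags", [])):
            dropped[ev["path"]] = ev["ts"]
        elif sc == "memfd_create":
            memfds[ev["pid"]].add(ev["fd"])
        elif sc == "execve":
            exe = ev["exe"]
            t = dropped.get(exe)
            if t is not None and 0 <= ev["ts"] - t <= window:
                alerts.append(("drop+exec", ev["pid"], exe))
            # Linux renders a memfd's resolved path as /memfd:<name>; treating
            # that prefix as "fileless" is a simplification for the example.
            if exe.startswith("/memfd:"):
                alerts.append(("memfd+exec", ev["pid"], exe))
        elif sc == "execveat":
            if ev["fd"] in memfds[ev["pid"]]:
                alerts.append(("memfd+exec", ev["pid"], f"fd:{ev['fd']}"))
    return alerts


# Constructed sample stream: a dropper (pid 100) writes /tmp/x and a shell
# (pid 101) execs it; pid 200 creates a memfd and execveat()s it; pids 300/301
# form a benign write+exec pair separated by far more than the window.
SAMPLE_EVENTS = [
    {"ts": 10.0, "pid": 100, "syscall": "open", "path": "/tmp/x",
     "flags": ["O_WRONLY", "O_CREAT"]},
    {"ts": 12.5, "pid": 101, "syscall": "execve", "exe": "/tmp/x"},
    {"ts": 20.0, "pid": 200, "syscall": "memfd_create", "fd": 5},
    {"ts": 20.1, "pid": 200, "syscall": "execveat", "fd": 5},
    {"ts": 30.0, "pid": 300, "syscall": "open", "path": "/usr/local/bin/tool",
     "flags": ["O_WRONLY", "O_CREAT"]},
    {"ts": 500.0, "pid": 301, "syscall": "execve", "exe": "/usr/local/bin/tool"},
]

if __name__ == "__main__":
    for rule, pid, what in correlate(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {what}")
```

The point the toy makes is the one the issue is about: neither an `open` for writing nor an `execve` is suspicious on its own, so the state (recently written paths, memfd descriptors per process) has to be carried in userspace and joined across events and across processes. A real implementation also has to evict state by time and on process exit, handle renames and symlinks of the dropped path, and resolve `/proc/<pid>/fd/N` targets, none of which this example does.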
Sure! :smiley:
:point_right: https://hackmd.io/@leogr/SJKUMEbWo
@incertum just rebased https://github.com/falcosecurity/libs/pull/287! I've also written a proposal in the hackmd to detect fileless execution. Feedback is highly appreciated!
Amazing, will take a look! @loresuso made some suggestions in the doc on how to maybe simplify "memfd+exec". I have 100% confidence that this is doable and sane and would suggest implementing it rather sooner than later if possible.
Would you want to take a crack at opening a PR for this when you get to it 😄 🚀 ? Feel free to plan me in to help test it as well! This is really good stuff.
Thank you @incertum for all the comments! I will start experimenting soon, and I will keep you posted on this 🙂 And yes, any help in testing this kind of PR is always welcome 🙏