
[TRACKING] "drop+exec" kernel signal correlations detections + threat modeling beyond #615

Closed
incertum opened this issue Sep 15, 2022 · 10 comments
Labels
kind/documentation Improvements or additions to documentation

Comments

@incertum
Contributor

This issue is for tracking the development of a more generic and robust solution to detect the classic drop an implant and execute it TTP called "drop+exec". In addition, perform threat modeling not limited to this use case, e.g. "fileless" attacks or malicious scripts run by interpreter ...

Please follow initial discussion in #595 by @loresuso, @LucaGuerra and @incertum for additional context.

Documentation:
@leogr could we create a hackmd doc you own/ track titled "Falco Detections - Threat Modeling - drop+exec use case" or similar? Thank you!

Next engineering steps:
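A sketch, added here as an example and not code from Falco or from this issue, of the kind of stateful correlation the issue asks for: it replays a constructed stream of syscall-like events and flags an execve of a path the stream earlier saw opened for writing or written (drop+exec), following renames, and an execve of an anonymous memfd path (memfd+exec). The event tuple shape, field values and paths are assumptions made for the example.

```python
# Added example, not Falco's or this issue's code. Event tuples are
# (pid, syscall, path, arg); "arg" carries open flags for openat and the
# new name for rename. All values below are constructed for illustration.
EVENTS = [
    (100, "openat", "/tmp/.cache/agent.part", "O_WRONLY|O_CREAT"),
    (100, "write", "/tmp/.cache/agent.part", ""),
    (100, "rename", "/tmp/.cache/agent.part", "/tmp/.cache/agent"),
    (100, "execve", "/tmp/.cache/agent", ""),          # drop+exec
    (200, "execve", "/usr/bin/ls", ""),                # benign, never written
    (300, "execve", "/memfd:payload (deleted)", ""),   # memfd+exec
]


def correlate(events):
    """Return a list of (pid, path, reason) alerts.

    State is kept host-wide (by path, not per pid) so that the process
    that drops the file and the one that executes it may differ.
    """
    written = set()   # paths seen opened for writing or written to
    alerts = []
    for pid, syscall, path, arg in events:
        if syscall == "openat" and ("O_WRONLY" in arg or "O_RDWR" in arg):
            written.add(path)
        elif syscall == "write":
            written.add(path)
        elif syscall == "rename":
            # Follow the dropped file to its final name.
            if path in written:
                written.discard(path)
                written.add(arg)
        elif syscall == "unlink":
            written.discard(path)
        elif syscall == "execve":
            if path.startswith("/memfd:"):
                # Anonymous in-memory file executed via memfd_create.
                alerts.append((pid, path, "memfd+exec"))
            elif path in written:
                # Binary was written earlier in this event stream.
                alerts.append((pid, path, "drop+exec"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```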

@leogr
Member

leogr commented Sep 15, 2022

Sure! 😃

👉 https://hackmd.io/@leogr/SJKUMEbWo

@loresuso
Member

loresuso commented Sep 16, 2022

@incertum just rebased #287!
I've also written a proposal in the hackmd to detect fileless execution. Feedback is highly appreciated!

@incertum
Contributor Author

Amazing, will take a look! @loresuso made some suggestions in the doc on how to maybe simplify "memfd+exec", I have 100% confidence that this is doable and sane and would suggest implementing it rather sooner than later if possible.

Would you want to take a crack at opening a PR for this when you get to it 😄 🚀 ? Feel free to plan me in for helping testing it as well! This is really good stuff.

@loresuso
Member

Thank you @incertum for all the comments! I will start experimenting soon, and I will keep you posted on this 🙂 And yes, any help in testing this kind of PRs is always welcome 🙏

@poiana
Contributor

poiana commented Dec 18, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@incertum
Contributor Author

See HackMD; we also made progress and merged @loresuso's and my PR. Next is likely @loresuso's "memfd+exec" signal, and "userland exec" is in the back of my head, however no true inspiration yet ...

@leogr
Member

leogr commented Jan 11, 2023

/remove-lifecycle stale

@poiana
Contributor

poiana commented Apr 11, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@incertum
Contributor Author

/remove-lifecycle stale

@incertum
Contributor Author

incertum commented Jun 2, 2023

Seems we are on track for the initial TTPs we wanted to address. Future threat modeling shall be continued in new issues.

@incertum incertum closed this as completed Jun 2, 2023

4 participants