[TRACKING] "drop+exec" kernel signal correlations detections + threat modeling beyond #615
Comments
Sure! 😃
Amazing, will take a look! @loresuso made some suggestions in the doc on how to maybe simplify "memfd+exec", have 100% confidence that this is doable and sane and would suggest to implement it rather sooner than later if possible. Would you want to take a crack at opening a PR for this when you get to it 😄 🚀 ? Feel free to plan me in for helping testing it as well! This is really good stuff.
Thank you @incertum for all the comments! I will start experimenting soon, and I will keep you posted on this 🙂 And yes, any help in testing this kind of PRs is always welcome 🙏
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/remove-lifecycle stale
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/remove-lifecycle stale
Seems we are on track for the initial TTPs we wanted to address. Future threat modeling shall be continued in new issues.
This issue is for tracking the development of a more generic and robust solution to detect the classic drop an implant and execute it TTP called "drop+exec". In addition, perform threat modeling not limited to this use case, e.g. "fileless" attacks or malicious scripts run by interpreter ...
Please follow initial discussion in #595 by @loresuso, @LucaGuerra and @incertum for additional context.
Documentation:
@leogr could we create a hackmd doc you own/ track titled "Falco Detections - Threat Modeling - drop+exec use case" or similar? Thank you!
Next engineering steps:
- `is_exe_upper_layer` proposal #287 (@loresuso)
- doc PR