Description and Motivation
Dropping an implant, making the file executable and executing the implant is amongst one of the oldest tricks. While memory based cyber attacks mostly circumvent touching disk, reliably detecting drifts, that is, a suspicious new executable is executed is often considered a crucial baseline detection.
Three Falco contributors have come to similar conclusions, that is, (1) it is at process startup where we need to fetch better kernel signals and (2) this old problem "drop+exec" has not yet been well addressed.
This document is for discussing the development of a more generic and robust solution to detect the classic drop an implant and execute it TTP called "drop+exec". In addition, perform threat modeling not limited to this use case, e.g. "fileless" attacks or malicious scripts run by interpreter ...
Desired Outcome
Robust and stable Falco rules that work in new / unknown environments with acceptable FP (False Positives) rate, no FNs (False Negatives). Falco rules shall work especially in containers, hopefully also on the host. Threat actors reading this will need to work harder to circumvent new more robust detections.