Leonardo Grasso

@leogr

Joined on Jan 27, 2020

  • Description and Motivation: Dropping an implant, making the file executable and executing it is one of the oldest tricks. While memory-based attacks mostly avoid touching disk, reliably detecting drift, that is, the execution of a suspicious new executable, is often considered a crucial baseline detection. Three Falco contributors have come to similar conclusions: (1) process startup is where better kernel signals need to be fetched, and (2) this old "drop+exec" problem has not yet been well addressed. This document is for discussing the development of a more generic and robust solution to detect the classic drop-an-implant-and-execute-it TTP, called "drop+exec". In addition, it performs threat modeling not limited to this use case, e.g. "fileless" attacks or malicious scripts run by an interpreter. Desired Outcome: Robust and stable Falco rules that work in new or unknown environments with an acceptable FP (false positive) rate and no FNs (false negatives). The Falco rules shall work especially in containers, and hopefully also on the host. Threat actors reading this will need to work harder to circumvent the new, more robust detections.
  • Impact (What kind of vulnerability is it? Who is impacted?): This vulnerability might impact users or automated systems that build Falco from source. It was noticed that some dependencies in the CMake files were downloaded via hard-coded HTTP links. Since the download happened over a clear-text connection, an attacker with man-in-the-middle capabilities could spoof the connection and serve malicious content instead of the legitimate dependencies. Patches (Has the problem been patched? What versions should users upgrade to?): The problem has been addressed by https://github.com/falcosecurity/falco/pull/774 on Aug 17, 2019.