MEDIUM
Source
Tracee
ID
TRC-5
Version
0.1.0
Date
28 Jun 2022

Fileless Execution

Executing a process from memory, without a file on disk

MITRE ATT&CK

Defense Evasion: Obfuscated Files or Information

Rego Policy

package tracee.TRC_5

import data.tracee.helpers

# Signature metadata consumed by the Tracee engine. The "id"/"version"/"name"/
# "description" values are the ones rendered in the signature listing; keep them
# in sync with the package name (tracee.TRC_5) above.
__rego_metadoc__ := {
	"id": "TRC-5",
	"version": "0.1.0",
	"name": "Fileless Execution",
	"description": "Executing a process from memory, without a file in the disk",
	# "container" is a tag only: the match rules below also fire for host
	# processes (input.containerId == "").
	"tags": ["linux", "container"],
	"properties": {
		# Severity 2 is presumably what the listing renders as MEDIUM - confirm
		# against the engine's severity scale.
		"Severity": 2,
		"MITRE ATT&CK": "Defense Evasion: Obfuscated Files or Information",
	},
}

# Events this signature subscribes to: only Tracee's process-exec event.
# Every tracee_match rule below re-checks input.eventName against this name.
eventSelectors := [{"source": "tracee", "name": "sched_process_exec"}]

# Exposes each entry of eventSelectors as a set element; the engine reads this
# set to decide which events are routed to the signature.
tracee_selected_events[selector] {
	some i
	selector := eventSelectors[i]
}

# Host case: a process outside any container is executed from an anonymous
# memory file (exec pathname "memfd:<name>"). The <name> part is chosen by the
# process that created the memfd, so the "memfd:runc" exclusion is a
# name-based allowlist rather than an identity check; it presumably filters
# runc's own memfd-backed re-exec on the host - confirm against the runc
# version in use. The exclusion is deliberately NOT applied inside containers
# (see the next rule).
tracee_match {
	input.eventName == "sched_process_exec"
	input.containerId == ""
	pathname := helpers.get_tracee_argument("pathname")
	startswith(pathname, "memfd:")
	not startswith(pathname, "memfd:runc")
}

# Container case: any memfd-backed exec inside a container matches, including
# names starting with "memfd:runc" - the runc allowlist of the host rule is
# intentionally not honoured here. Note that both memfd rules require
# input.containerId to be present; an event without that field matches neither.
tracee_match {
	input.eventName == "sched_process_exec"
	input.containerId != ""
	pathname := helpers.get_tracee_argument("pathname")
	startswith(pathname, "memfd:")
}

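# Shared-memory case: the executed file lives under one of the tmpfs-backed
# shm mount points, so it is memory-resident rather than on persistent disk.
# The two original per-prefix rules are folded into one rule over a prefix list;
# semantics are unchanged. As before the check is a bare prefix match without a
# trailing "/", so a pathname such as "/dev/shmX" also matches - tighten the
# prefixes to "/dev/shm/" and "/run/shm/" if only the directory contents are
# intended.
tracee_match {
	input.eventName == "sched_process_exec"
	pathname := helpers.get_tracee_argument("pathname")
	shm_prefixes := ["/dev/shm", "/run/shm"]
	startswith(pathname, shm_prefixes[_])
}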