MEDIUM
Source
Tracee
ID
TRC-9
Version
0.1.0
Date
28 Jun 2022

New Executable Was Dropped During Runtime

An executable (ELF) file was written to the filesystem while a container was running. Container images are usually built with every binary they need already inside, so a binary that appears at runtime may indicate that an adversary has gained a foothold in the container. Note that the signature matches any ELF written from a container, so legitimate activity such as package installation or compilation inside a running container will also trigger it; correlate the reported file path with the writing process before escalating.

MITRE ATT&CK

Defense Evasion: Masquerading

Rego Policy

package tracee.TRC_9

import data.tracee.helpers

# Signature metadata consumed by Tracee's Rego engine (id/version/name/description
# mirror the page header above). "Severity": 2 corresponds to the MEDIUM rating
# shown on this page.
__rego_metadoc__ := {
	"id": "TRC-9",
	"version": "0.1.0",
	"name": "New Executable Was Dropped During Runtime",
	"description": "An Executable file was dropped in your system during runtime. Usually container images are built with all binaries needed inside, a dropped binary may indicate an adversary infiltrated into your container.",
	"tags": ["linux", "container"],
	"properties": {
		"Severity": 2,
		"MITRE ATT&CK": "Defense Evasion: Masquerading",
	},
}

# Events this signature subscribes to. Only magic_write events whose origin is a
# container are delivered; writes on the host itself are never evaluated here.
eventSelectors := [{
	"source": "tracee",
	"name": "magic_write",
	"origin": "container",
}]

# Expose each entry of eventSelectors as a member of the selected-events set
# that Tracee queries when wiring this signature to the event stream.
tracee_selected_events[selector] {
	some i
	selector := eventSelectors[i]
}

# Match rule: fires when a magic_write event carries an ELF header, and reports
# the path of the file that received the write.
#
# NOTE(review): no path or process filtering is applied, so every ELF written
# from inside a container (package managers, compilers, self-updaters) matches;
# consumers should correlate "file path" with the writing process.
# The ELF detection itself lives in helpers.is_elf_file and only sees the
# "bytes" argument of the event — presumably the leading bytes of the file,
# confirm against Tracee's magic_write definition.
tracee_match = res {
	input.eventName == "magic_write"

	# Leading bytes of the written file, as captured by the magic_write event.
	header := helpers.get_tracee_argument("bytes")
	helpers.is_elf_file(header)

	# Report only the destination path of the dropped executable.
	path := helpers.get_tracee_argument("pathname")
	res := {"file path": path}
}