rules: add runc to known_memfd_execution_binaries
Signed-off-by: Yutong Sun <yutongsu@amazon.com>
ytsssun authored and poiana committed Feb 17, 2025
1 parent d8415c1 commit 4633f29
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions rules/falco_rules.yaml
Expand Up @@ -1230,10 +1230,15 @@
tags: [maturity_stable, host, container, network, process, mitre_execution, T1059]

- list: known_memfd_execution_binaries
items: []
items: [runc]

- macro: known_memfd_execution_processes
condition: (proc.name in (known_memfd_execution_binaries))
condition: >
(proc.name in (known_memfd_execution_binaries))
or (proc.pname in (known_memfd_execution_binaries))
or (proc.exepath = "memfd:runc_cloned:/proc/self/exe")
or (proc.exe = "memfd:runc_cloned:/proc/self/exe")
- rule: Fileless execution via memfd_create
desc: >
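Review bot: the added `or (proc.pname in (known_memfd_execution_binaries))` clause exempts every process whose parent is named runc, which covers the container entrypoint runc spawns and not only runc's own memfd re-exec, so a memfd-backed payload started as a container's init process would no longer trigger "Fileless execution via memfd_create". Consider dropping the pname clause or narrowing it to the parent's exe path, e.g. `or (proc.pexepath = "memfd:runc_cloned:/proc/self/exe")`, and add a short comment above `known_memfd_execution_binaries` stating that runc is listed because it re-executes a copy of itself from a memfd named `memfd:runc_cloned:/proc/self/exe`, so readers know the intended scope of the exception.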
