[New Rule] Name of rule: Linux Fileless Execution via memfd_create

[litemars]

Description

There are bunch of fileless execution techniques are quite powerful a linux environment. The most common and used one is the memfd_create.

Target Ruleset

linux

Target Rule Type

Custom (KQL or Lucene)

Tested ECS Version

9.2.0

Query

host.os.type:"linux" AND event.type:"start" AND
(
/* Detection Method 1: Executable path contains memfd reference /
process.executable:(memfd OR /memfd: OR /proc/self/fd/) OR

/* Detection Method 2: Process arguments reference memfd (excluding monitoring tools) /
(
process.args:(memfd OR /memfd: OR /proc/self/fd/ OR /proc//fd/) AND
NOT process.name:(ps OR lsof OR netstat OR ss)
) OR

/* Detection Method 3: Parent process is running from memfd */
process.parent.executable:(memfd OR /memfd:)
) AND

/* Exclusions: Legitimate container runtimes */
NOT process.parent.name:(containerd OR dockerd OR cri-o OR containerd-shim OR systemd OR podman OR runc) AND

/* Exclusions: Standard system binaries /
NOT process.executable:(/usr/bin/ OR /usr/sbin/* OR /bin/* OR /sbin/*)

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response

[Aegrah]

Hi @litemars, thanks for the issue. We are currently working on new data sources to more reliably detect these techniques. More info is coming out regarding this soon. But in the meantime, we have rules detecting fileless execution in our protections artifact repository (our EDR rules):

• https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/linux/defense_evasion_network_activity_from_in_memory_file.toml
• https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/linux/defense_evasion_execution_of_in_memory_file_via_interactive_session.toml

And I recently added two new rules for memfd & /memfd: parent executions. These will be coming to production soon as well. Let me know if that helps.

[litemars]

Hi @Aegrah,

Recently I was testing a loader that uses "memfd" to copy the encrypted payload over to memory and it was not detected by your EDR or rules. Feel free to close to close this issue if the "memfd" rules will be deployed in production.

[Aegrah]

@litemars, would you mind sharing the PoC that you were working with (and potentially your workflow if it's not too much work for you)? If so, I can check whether the rules I created will catch it once they will go to production.

[litemars]

@Aegrah, you can find a PoC here: https://github.com/litemars/hARMless