- Stage: 0 (strawperson)
- Date: 2024-09-26
This RFC proposes adding new fields and event types to enhance the detection of fileless malware execution and related malicious activities on Linux systems.
The new fields include:
- file.is_memfd - Indicates if the file is an anonymous file descriptor (memfd) created using the memfd_create system call.
- file.is_shmem - Indicates if the file is a POSIX shared memory object created using the shm_open system call, typically located in /dev/shm.
- process.is_setuid - Indicates if the process has the setuid bit set, allowing it to run with the privileges of its owner.
- process.is_setgid - Indicates if the process has the setgid bit set, allowing it to run with the privileges of its group.
- process.is_memfd - Indicates if the process was executed from a memory file descriptor (memfd).
- process.inode_nlink - Number of links to the inode of the process executable file, obtained from the i_nlink variable in the inode structure.
New process event types:
- memfd_create
- shmget (System V shared memory API)
- ptrace
- load_module
New file event types:
- memfd_open
- shmem_open
These additions will enable the detection and investigation of various malware execution techniques, such as executing code from memory file descriptors (memfd), hiding malicious binaries in shared memory objects (shm_open and shmget), debugging other processes for code injection (ptrace), and loading kernel modules for rootkits (load_module). The proposed fields also cover privilege escalation using setuid/setgid binaries.
The data can be collected by monitoring system calls and events on Linux hosts using kernel instrumentation techniques like eBPF or kprobes.
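To show how the proposed fields would be derived from a raw execve observation and then used in detection logic, here is an added example (not part of this RFC or of any Elastic code). It assumes three heuristics that the RFC does not spell out: a memfd-backed executable appears in /proc/<pid>/exe as `/memfd:<name> (deleted)`, POSIX shm_open objects live under /dev/shm, and the setuid/setgid bits come from the executable's st_mode; it also treats inode_nlink == 0 on a regular path as a binary unlinked after launch.

```python
import stat

def derive_fields(exe_path: str, st_mode: int, nlink: int) -> dict:
    """Build the RFC's proposed ECS fields from one execve observation
    (path read from /proc/<pid>/exe, st_mode and i_nlink of the inode)."""
    # Assumption: the kernel names memfd files "memfd:<name>" and shows
    # them in /proc/<pid>/exe as "/memfd:<name> (deleted)".
    is_memfd = exe_path.startswith("/memfd:")
    return {
        "file.is_memfd": is_memfd,
        "file.is_shmem": exe_path.startswith("/dev/shm/"),  # POSIX shm_open
        "process.is_memfd": is_memfd,
        "process.is_setuid": bool(st_mode & stat.S_ISUID),
        "process.is_setgid": bool(st_mode & stat.S_ISGID),
        "process.inode_nlink": nlink,
    }

def findings(fields: dict) -> list:
    """Detection logic: which techniques named in the RFC does this match?"""
    out = []
    if fields["process.is_memfd"]:
        out.append("exec from memfd (fileless)")
    if fields["file.is_shmem"]:
        out.append("exec from POSIX shared memory (/dev/shm)")
    # A regular file with no remaining links was deleted after it was
    # executed; memfd files are excluded because they are never linked.
    if fields["process.inode_nlink"] == 0 and not fields["process.is_memfd"]:
        out.append("exec from unlinked file (binary deleted after launch)")
    if fields["process.is_setuid"] or fields["process.is_setgid"]:
        out.append("setuid/setgid executable")
    return out

# Constructed sample observations: (exe path, st_mode, i_nlink).
SAMPLE_EXECS = [
    ("/usr/bin/ls", 0o100755, 1),                 # ordinary binary
    ("/memfd:stage2 (deleted)", 0o100755, 0),     # memfd_create + fexecve
    ("/dev/shm/.cache", 0o100755, 1),             # shm_open-backed binary
    ("/tmp/loader (deleted)", 0o100755, 0),       # unlinked after exec
    ("/usr/bin/passwd", 0o104755, 1),             # legitimate setuid root
]

def scan(observations=SAMPLE_EXECS) -> dict:
    """Map each executable path to its findings (empty list = nothing flagged)."""
    return {p: findings(derive_fields(p, m, n)) for p, m, n in observations}

if __name__ == "__main__":
    for path, hits in scan().items():
        print(f"{path:28} {hits or 'no findings'}")
```

Note that the setuid hit on /usr/bin/passwd is expected: the field records the bit, and a rule would pair it with the other fields (or an allowlist) before alerting.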
The following are the people who consulted on the contents of this RFC.
- @stanek-michal | author