►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Fileless Attack - Detecting the Undetectable - Carolina Valencia, Aqua Security
A fileless attack is a technique that takes incremental steps toward gaining control of your environment while remaining undetected. In a fileless attack, the malware is directly loaded into memory and executed, evading common defenses and static scanning. Often, attackers may also use compression or encryption to cloak the malware file to avoid detection. Most commonly used against Windows, we have recently seen a growing trend in its use against Linux, and, more specifically, within containers. In this guide, we will break down a fileless attack by creating a fileless demo and detecting unexpected activity with eBPF tools in the Cloud Native Security Runtime Space: Falco, Tracee, and Tetragon.
A
Yeah
well
good
afternoon,
yeah
well
and
the
people
that
is
online
too
very
happy
to
be
here.
It's
my
first
time
doing
a
long
trip
because
I
am
from
Peru,
but
I
live
in
Brazil.
It's
like
14
hours,
far
away
and
well.
I
will
talk
about
my
experience
that
I
have
research
a
little
about.
How
is
the
finest
attacking
Linux.
A
Hear
about
myself,
I
really
like
Community,
because
we
learn
and
also
I
participate
in
in
the
kubernetes
documentations,
helping
in
the
helping
in
the
translation
in
Portuguese
and
Spanish,
mainly
in
Spanish
and
currently
in
this
release.
I
am
working
in
this
in
the
release
docs
or
of
126..
If
everyone
is
interested,
you
can
also
pick
me
and
also
I,
really
like
Cloud
native
and
security
and
tropical
weathers.
A
A
Yeah
well,
the
definition
about
file
is,
as
you
can
see,
is
some
malicious
code
will
try
to
run
the
to
execute
it
in
our
system,
but
without
using
the
file
system
is
the
main
definitions
about
the
file
system.
That's
keep
in
mind,
and
also
it's
very
it's
known
as
a
non-malware
or
zero
food
footprint
because
of
this,
because
they
it's
difficult
to
detect
because
traditional
security
tours
use
file
system
to
detect
this
kind
of
attacks
or
issues.
A
And
when
you
see
it's
something
like
you
also
will
hear
about
leaving
of
the
land,
so
Impressions
and
also
you
can
the
file
is.
When
you
try
to
search,
you
will
see
that
they
have
a
lot
of
material
or
a
lot
of
attacks.
That's
happening
in
Windows,
traditionally
more
in
Windows
will
have
several
attacks
that
it's
already
happened
and
they
use
legitimate
programs
like
Powershell
to
introduce
like
like
we
can
see
in
this
image
and
it's
it's.
A
When
also
when
we
see
about
file
list,
we
will
read
that
this
Advanced
persistence
threat
apt,
and
is
this
because
generally
when
you
are
hearing
about
files,
is
because
it's
on
against
big
companies
or
between
nations?
You
see
that
the
hackers
put
a
lot
of
a
lot
of
Force
who
allowed
the
yeah
they
put
a
lot
of
effort.
Sometimes
the
words
in
the
English
words
is
missing,
but
well
put
a
lot
of
effort
to
to
attack
and
yeah.
A
This
is
a
famous
a
famous
case
that
is
the
cobal
kitty
that
they
attack
and
this
payload
to
this
violence
attack.
It's
like
one
year
that
it's
happening
inside
of
the
system
before
the
security
team
or
anyone
detect
this
attack
on
they
use
like
Powershell
or
a
legitimate
programs
like
in
this
case
it
was
Cobalt
strike,
but
this
is
more
the
literature
that
we
will
hear
about
violence
attack
in
Windows,
but
now
I
will
tell
how
can
happen.
These
file
is
attack
in
Linux,
because,
right
now
our
kubernet
containers
and
everything
is
running
in
Linux.
A
A
Will
will
try
to
use
these
legitims
programs
in
Linux
to
try
to
load
some
malicious
code
and
execute
it
basically
what's
up
the
attacks
is
already
happening
like
you
can
see
this
research,
and
also
it
was
like
some
inspiration,
because
sometimes
we
read
about
some
security
research
that
say
how
is
happening.
Fireless
and
I
want
to
simplify
a
little
how
how
is
doing
this
only
to
demonstrate
running
a
container?
How
can
we
use
mainfd
from
when
you
see
attacks
in
the
wild?
A
A
Because
when
we
run
this
is
a
legitimate
program,
it's
not
a
vulnerability
that
we
could
see
it
or
or
our
scanning
static
scanning
tools
help
us
to
detect.
This
is
a
files
vulnerability,
for
example.
It's
not
the
concept
and
there's
a
reason
that
we
can
find
this.
This
kind
of
of
attacks
using
these
specific
tools
so
to
following
this
is
a
song
of
the
attacks
that
I
will
is
about.
Linux
is.
A
A
code
that
is
using
main
FD
grade
now
already,
it
was
detected
by
several
security
research
teams
that
this
on
the
in
the
wild.
That
is
the
expression,
and
this
is
the
main
code
I
send
you
I
have
the
all
the
reference
in
the
slides,
but
basically
there
are
using
encryptations,
so
it's
not
only
using
the
the
system
called
that,
like
I
will
use
it.
It's
also
using
encryptation
to
help
us
to
help
with
the
obfuscation-
and
here
is
the
main
code
about
run
from
memory.
A
A
Some
these
men,
if
they
create,
is
the
most
easily
way
to
create
files.
It
could
be
created
in
other
ways,
but
it
is
more
simple.
You
only
have
to
call
this
is
called
and
they
will
create
a
file
descriptor,
and
you
have
many
codes
in
the
internet
that
is
already
using
this.
So
this
is
only
just
keep
in
mind
that
that's
the
reason
that
I
am
using
many
FD
grade
when
you.
A
A
We
have
our
system
calls
and
we
have
the
programs,
the
evpf
programs
that
is
lowered
it
in
the
kernel,
some
maybe
I,
I
put
some
some
other
things
like
the
Linux
security
for
me
is
a
little
Linux
security
mode
models
that
also
it's.
You
hear
a
lot
about
Linux
security
models
because
is
before
the
BPF.
A
Okay
and,
as
you
can
see,
when
we
talk
about
ebpf,
we
will
talk
about
kernel
events.
It's
a
lot
of
events
that
is
inside
of
our
kernel
and
we
have
like
kernel
functions
systems
calls,
but
it's
not
only
the
system's
Corner,
because
we
have
Trace
points
and
I
put
in
this
information,
because
when
you
see
the
rules
that
I
will
use,
it
is
related,
maybe
at
Trace
point
or
some
Cape
groups.
It
depends
how
you're
designed
your
ebpf
program.
A
So
the
trace
point
here
is
an
overview
the.
How
can
you
use
these
instrumentations?
Basically,
is
a
static,
instrumentations
points.
Today
you
can
instrument
several
things
inside
of
the
these
ebpf
programs.
When
the
the
events
happen,
if
we
attach
the
cppf
progresses
when
it's
starting
to
filter
this
information,
and
also
we
have
the
cape
groups
and
well
I-
was
reading
about
these
Trace
points.
A
Okay,
groups,
when
you,
when
you
have
both
you,
you
can
try
to
use
it
more
Trace
point
because
it's
more
stable,
but
in
some
uses
cases
you
only
have
k-proops
on
events
that
is
only
supported
by
K
person.
It
will
depends
that
the
design
of
the
type
of
event
that
you
want
to
filter
this
is
well
before.
A
A
A
That
is
already
memory
and
next
I
try
to
execute
this
malicious
code,
but
it's
in
the
file
descriptor,
and
we
are
spawning
this
in
the
display
name-
that
you
put
some,
for
example,
a
running
process
that
that,
in
my
case,
will
be
nginx
and
in
this
way,
is
expounded
using
with
this
exact
and
is
prominent
with
the
malicious
code
and
also
the
file
descriptor.
If
you
can
see
the
path
is
the
process
file
system.
A
A
A
This
part
of
the
rule
engine
that
you
can
see
is
here
is
the
rule.
Now
that
I
wrote
by
default,
it's
don't
detect
exactly
the
main
FD
creates,
so
you
can
customize
with
some
other
rules.
If
that's
the
case,
you
you
can
edit
in
the
kubernetes
mode
you
edit
a
config
map
that
is
the
this
is
the
print
about
the
config
map
that
I
did
and
I
tried
to
filter
by
basically
they
spawn
it
exact,
CBE
and
exact
beat.
That
is
two
ways
that
you
can
execute.
A
The
system
scores
yeah
and
I.
Try
to
also
filter
by
the
path.
The
process-
and
this
is
the
recording,
I,
hope
yeah
I
am
running.
The
main
FD
with
the
only
using
elf,
is
not
a
malicious
scope.
This
is
only
a
health
that
is
printing
the
date,
but
it
could
be
replaced
with
any
malicious
code,
so
you
can
run
it
without
problem
in
your
house.
It's
like
only
to
to
try
to
trigger
this
main
FD,
create
and
simulate.
The
process
of
of
a
file
is
execution
and.
A
I
could
fix
this
this
rule,
because
I
was
trying
to
talk
with
the
with
some
friends
of
Falco
and
I.
Think
I
have
some
output
that
I
call
improve.
I
will
try
to
improve
and
I
will
do
up.
The
updates
in
my
repository
but
I
I
think
that's
that
this
is
detected.
You
can
see
that
this
detective
execution
I
have
some
others
run
C
execution.
That
is
it's
appearing
right
now.
The
main
FD
create
is
the
Cisco
itself
is
not
supported.
A
We
have
also,
as
you
can
see
here,
the
collectors
is
they
have
the
collector
in
the
kernel
space
that
it
means
that
you
have
to.
You
have
to
write
your
your
rules
or
your
filters
that
they
can
map.
They
can
apply
these
filters
to
show
to
show
you
that
the
the
events
that
you
are
looking
for
example
in
the
before
June-
you
don't
have
some
signatures
by
default,
but
you
have
to
create
in
this
collector,
thus
I
think
it
will
be
more
clear
about
this
collector.
A
Seeing
the
the
tracing
policy
yeah
is.
The
name
is
a
custom
resource
definition
and
in
this
case,
because
I
am
trying
to
look
at
the
main
SD
create.
That
is
the
main
point
the
system
is
called.
I
am
Define
it
in
the
role
right
that,
if
some
CIS
called
magnifi
create
and
also
another
city
is
called
the
CIS
close
and
I
think
the
the
main
point
of
this
rule,
because
they
have
this
feature.
That
is
the
find
kill
that
you,
after
I,
find
my
main
if
they
create
yeah.
A
No,
it
is
here
is
in
the
execution
CB
because
they
have
the
main
FD
and
execution
itself.
This
is
malicious
content
when
he
noticed
that
they
have
this
or
this
much
of
magnifi
and
execution.
Cbes
I
will
kill
the
process
when
it's
matching
the
proxel
file
descriptor.
That
is
execution
of
my
program.
No
matter,
if
I,
if
I
will
Fred
actor,
I
can
see
this.
This
Rule
and
I
could
create
another
folder
to
to
apply
my
malicious
code
like
proxel
file
and
I
could
bypass
this
rule.
A
So
here
is
the
action
that
you
can
see.
That
is
killing
the
process,
and
next
I
will
talk
about
Tracy
in
the
case
of
Tracy
the
rule
it
was
already
there
so
I
didn't
have
to
create
it,
because
security
research
already
put
the
the
rule
there,
but
I
will
explain
a
little
about
the
rule
this
this
architecture,
about
how
eppf
in
Tracy
works.
As
you
can
see.
Also,
we
have
the
ABP
evpf
collector,
but
its
filter
by
the
events
of
the
of
the
sinators.
A
That
is
pre-lot,
because
when
you
run
also
in
the
next
slide,
you
will
see
that
the
queen
is
running
Tracy
in
the
mode
ebpf
evpf
Trace.
They
generate
a
lot
of
events,
but
in
this
case
there
are
a
filter
by
only
the
events
that
is
necessary
for
the
signatures.
The
sinators
is
already
the
all
the
rules,
preload
that
will
detect
some
kind
of
security
issues,
don't
design
a
tools
that
will
be
like
the
rules,
the
filters
that
already
created
in
Falco
tetron
that
is
trying
to
detect
some
malicious
actions.
A
And
here
this
is
the
rule
that
it's
it's
already
there
either
I
didn't
write
it.
It's
and
the
main
is
also
trying
to
look
in
these
cases
using
Trace
point
to
try
to
catch
this
ebpf
the
kernel
events
using
Trace
point
with
evpf
and
the
first
two
rules.
It's
trying
to
find
the
main
FD
and
the
others
is
also
other
parts
that
is
also
related
with
temporary
folders
and
that
it's
other
way
that
you
can
create
files-
and
here
is
the
demo
with
with
Tracy.
So
here
is
the
default
output.
A
This
is
the
mode
that
is
running
in
mode,
that
ebpf
Trace,
that
they
you
can
use
without
filters,
and
they
are
they.
You
will
see
all
the
bands
that
is
producing,
or
you
can
put
some
several
filters
that
it's
that
is
relevant
for
you.
So
in
this
case
I
only
put
like
how.
How
can
you
capture
a
binary?
A
A
It
would
be
more
difficult
to
detect
and,
as
you
can
see,
when
I
really
attacks
happen
in
the
wild,
they
are
have
a
more
complex
and
that's
something
that
you
can
be
awareness
that
that's
the
reason
that
only
yeah
it's
the
end,
because
in
the
other
part
we
have
run
in
memory
and
you
have
more
root.
Kids,
that
is
the
security,
is
very
difficult
and
I.
Think
my
sharing
in
about
this
experience
about
searching
about
violence
is
yeah.
A
How
can
I,
detect
files
and
I
will
try
to
put
the
rule,
because,
when
you
read
in
this
case,
I
only
use
main
fdcreate,
but
you
can
bypass
with
using
other
things
and
when
you
are
reading,
you
see
that
in
some
other
blogs,
for
example,
they
they
could
using
another
way
is
like
yeah
it's
down
on
the
Revit
hall,
because
you
are
thinking
that
with
this
rule,
you
are
catching
that
event
but
itself
when
it's
happening
or
when
you
see
in
the
blocks
of
the
security
people
that
is,
is
searching.
It's
yeah.
A
It's
it's
always
another
way.
You
you
can
bypass
and
I.
Only
I
think
I
want
to
give
a
thank
you
for
the
three
projects,
because
these
projects
are
sharing
their
knowledge
and
security,
because
you
can
see
and
I
see,
I
put
in
the
reference,
but
they
already
have
some
security
default
rules
that
you
can
try
to
catch
and
learn
how
they
are
doing
and
I
think
this
is
important.