diff --git a/rfcs/text/0047-fileless-execution-linux.md b/rfcs/text/0047-fileless-execution-linux.md new file mode 100644 index 000000000..8ab161511 --- /dev/null +++ b/rfcs/text/0047-fileless-execution-linux.md 
@@ -0,0 +1,132 @@ +# 0047: Fileless execution on Linux + + +- Stage: **0 (strawperson)** +- Date: **2024-09-26** + + + + + +This RFC proposes adding new fields and event types to enhance the detection of fileless malware execution and related malicious activities on Linux systems. + +The new fields include: + * file.is_memfd - Indicates if the file is an anonymous file descriptor (memfd) created using the memfd_create system call. + * file.is_shmem - Indicates if the file is a POSIX shared memory object created using the shm_open system call, typically located in /dev/shm. + * process.is_setuid - Indicates if the process has the setuid bit set, allowing it to run with the privileges of its owner. + * process.is_setgid - Indicates if the process has the setgid bit set, allowing it to run with the privileges of its group. + * process.is_memfd - Indicates if the process was executed from a memory file descriptor (memfd). + * process.inode_nlink - Number of links to the inode of the process executable file, obtained from the i_nlink variable in the inode structure. + +New process event types: + * memfd_create + * shmget (SystemV shared memory API) + * ptrace + * load_module + +New file event types: + * memfd_open + * shmem_open + +These additions will enable the detection and investigation of various malware execution techniques, such as executing code from memory file descriptors (memfd), hiding malicious binaries in shared memory objects (shm_open and shmget), debugging other processes for code injection (ptrace), and loading kernel modules for rootkits (load_module). The proposed fields also cover privilege escalation using setuid/setgid binaries. + + + + + +## Fields + + + + + +## Usage + + + +## Source data + +The data can be collected by monitoring system calls and events on Linux hosts using kernel instrumentation techniques like eBPF or kprobes. 
+ + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + + * @stanek-michal | author + + + + +## References + + + +### RFC Pull Requests + + + +
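Review bot: In the field list of the summary, `process.is_setuid` and `process.is_setgid` are described as "the process has the setuid bit set", but the setuid/setgid bit is a mode bit on the executable file, not a property of the process. The description should say whether the field reflects the file mode of the executable at exec time or a difference between the real and effective IDs of the running process, since the two lead to different detections. `process.inode_nlink` would also benefit from one sentence on why it matters for this RFC (presumably a link count of 0 for an executable that was unlinked after exec, but the text does not say so). `file.is_shmem` is tied only to `shm_open` and /dev/shm, while `shmget` is listed as a process event, so it is unclear which field, if any, marks a SystemV segment. The "New process event types" and "New file event types" lists do not name the field that carries these values. ECS `event.type` is a categorization field with a fixed set of allowed values, so `memfd_create`, `shmget`, `ptrace`, `load_module`, `memfd_open` and `shmem_open` look like `event.action` values. Please state the target field, and for `ptrace` state which requests are in scope. The Fields and Usage sections are empty, which is acceptable at stage 0, but the summary should at least give each field's type (boolean for the `is_*` fields, long for `inode_nlink`).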