https://github.com/itaysk/tracee-malware

Last synced: about 1 month ago

README

Using Tracee to profile and detect common malware behavior

This demo was created to accompany the KubeCon session I was co-presenting: [How This Innocent Image Had a Party in My Cluster](https://kccnceu20.sched.com/event/Zeks).
It demonstrates several malware techniques and shows how [Tracee](https://github.com/aquasecurity/tracee) can be used to observe and detect this behavior.

> Notice: This demo is not necessarily in sync with the latest current version of Tracee

The techniques demonstrated are:
1. Contacting a bare IP with bad reputation
2. Drop and execute at runtime
3. File-less execution using memfd
4. File-less Drop
5. Unpacking an executable at runtime

TOC:
1. [/helloworld](/helloworld) - a simple hello world program used as a dummy executable
2. [/spy](/spy) - a simple executable that calls out to a bad reputation IP address
3. [/rottendate](/rottendate) - a simple web service delivered as a Docker image that returns the current date and time, but also hides the "spy" program using all of the discussed evasion techniques
4. [/demo](/demo) - scripts to exercise the discussed potentially malicious patterns, and to trace their behavior using Tracee.

Demos:
- Execute the `run.sh` script to run through the scenario unattended. The scripts expect certain arguments which are documented in each script.
- The scripts are meant to run as a regular user but they will `sudo` to run some commands.
- Each demo is self-contained: it sets up its own requirements and cleans up after itself.
- The results are written to the `/demo/*/out` directory.