skinfaxi 2 hours ago

Would love to learn more about their internal behavioural detection program.

> One of the first things our security team did was confirm that our existing endpoint detection would catch this exploit. Our servers run behavioral detection that continuously monitors process execution patterns. It doesn't rely on knowing about specific vulnerabilities; it watches for anomalous behavior across the fleet.

CGamesPlay 2 hours ago | parent | next [-]

Would certainly be interesting to learn more about. A simple check: allowlist of known "processes that run as root". Any new process shows up, something happened.

jeffbee 2 hours ago | parent [-]

Based on what? Proc title?

CGamesPlay 2 hours ago | parent | next [-]

Proc title is very easily forged (without root even). Obviously a real privileged process could modify the kernel and do whatever it wants, but if I were trying to detect this I would start with /proc/$id/exe.

Retr0id 2 hours ago | parent | next [-]

/proc/pid/exe is also easily forged, without root. For example you can do LD_PRELOAD=evil.so /bin/foo on any dynamic executable, or spawn /bin/foo unmodified and inject code via ptrace or /proc/pid/mem.

I have a fileless, execless copyfail exploit that works by injecting shellcode directly into systemd's pid 1. (I should probably publish it at some point...)

jeffbee an hour ago | parent [-]

Yeah, the whole system is based on the ability of one task to apparently become another task; that's how Unix works. So the indicators in /proc are just that: indicative at best.

There's no reason the task should even be assumed to be executing code in a file. A process can map code into anonymous memory and continue executing there without even branching. Again this is considered a feature of the system rather than a flaw.
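The allowlist check CGamesPlay sketches, extended with checks for the routes Retr0id and jeffbee describe for making /proc lie (LD_PRELOAD in the environment, a process title that does not match the exe link, an exe that was unlinked after exec), written as an added Python example that is not part of this thread. The allowlist and the sample snapshot are constructed; `read_live` is the same parser pointed at a real /proc and is not used by the sample.

```python
import os
from dataclasses import dataclass
# Hypothetical allowlist of executables expected to run as root; tune per fleet.
ROOT_EXE_ALLOWLIST = {"/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/sbin/cron"}
DELETED = " (deleted)"  # suffix the kernel appends to /proc/<pid>/exe once the file is unlinked

@dataclass
class Proc:
    pid: int
    uid: int        # real uid, first field of the "Uid:" line in /proc/<pid>/status
    exe: str        # readlink target of /proc/<pid>/exe
    cmdline: list   # argv from /proc/<pid>/cmdline; this is the forgeable "process title"
    environ: dict   # parsed /proc/<pid>/environ

exe_path = lambda e: e[:-len(DELETED)] if e.endswith(DELETED) else e
def check(p):
    """Return (rule, detail) findings for one process; an empty list means nothing odd."""
    findings = []
    if p.uid == 0 and exe_path(p.exe) not in ROOT_EXE_ALLOWLIST:
        findings.append(("root-exe-not-allowlisted", p.exe))
    if p.exe.endswith(DELETED):              # binary unlinked after exec (fileless pattern)
        findings.append(("exe-deleted", p.exe))
    if "LD_PRELOAD" in p.environ:            # exe looks legitimate but foreign code was loaded
        findings.append(("ld-preload", p.environ["LD_PRELOAD"]))
    if p.cmdline and os.path.basename(p.cmdline[0]) != os.path.basename(exe_path(p.exe)):
        findings.append(("title-exe-mismatch", f"{p.cmdline[0]} vs {p.exe}"))
    return findings

def scan(procs):
    return {p.pid: f for p in procs if (f := check(p))}

def read_live(pid):
    """Build a Proc from a real /proc entry; reading another user's environ needs privilege."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        uid = next(int(l.split()[1]) for l in f if l.startswith("Uid:"))
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(f"{base}/environ", "rb") as f:
        env = dict(kv.decode(errors="replace").split("=", 1) for kv in f.read().split(b"\0") if b"=" in kv)
    return Proc(pid, uid, os.readlink(f"{base}/exe"), argv, env)

# Constructed sample snapshot (not captured from a real host) covering each rule.
SAMPLE = [
    Proc(1, 0, "/usr/lib/systemd/systemd", ["/usr/lib/systemd/systemd"], {"PATH": "/usr/bin"}),
    Proc(4242, 0, "/tmp/x", ["/tmp/x"], {}),
    Proc(4243, 1000, "/bin/foo", ["/bin/foo"], {"LD_PRELOAD": "evil.so"}),
    Proc(4244, 0, "/usr/bin/python3", ["/usr/sbin/sshd", "-D"], {}),
    Proc(4245, 0, "/usr/sbin/cron" + DELETED, ["/usr/sbin/cron"], {}),
]
```

None of these rules survives a privileged process that patches the kernel or maps code into anonymous memory, which is exactly jeffbee's point; they raise the cost of the cheap forgeries, not the expensive ones.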

jeffbee 2 hours ago | parent | prev [-]

Maybe, but there's a prctl to change that reference which a root process can use.

dboreham 2 hours ago | parent | prev | next [-]

They might just compute a hash over the binary, or the code space in memory.

parliament32 2 hours ago | parent | prev [-]

It's curious they're just "monitoring" rather than preventing.

In a serious environment you'd run IPE with dm-verity/fs-verity to ensure binaries are whitelisted and integrity-checked at every execution.

staticassertion an hour ago | parent [-]

lol no one does that (edit: or, rather, that is extremely uncommon, even in "serious" environments, for a ton of reasons).

staticassertion an hour ago | parent | prev | next [-]

Syscalls and kernel module loading can both be logged; I assume that's sufficient here.

skinfaxi an hour ago | parent [-]

Yes, but I am interested in hearing about Cloudflare's implementation, how they scale it to their whole fleet, and what kinds of heuristics they are using to classify behavior as anomalous.

mobeigi 2 hours ago | parent | prev [-]

I'd very much like to learn more about this too, deserves its own blog post.