Feb. 2, 2024, midnight | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

The following Falco rule detects the affected container runtimes calling chdir() on a path under /proc/self/fd/, that is, changing the working directory through a file descriptor exposed by procfs rather than through a normal path. A container runtime has no ordinary reason to do this. The rule only fires on the exit side of a successful chdir, so failed attempts are not reported. It should be considered experimental and can be loaded into OSS Falco or Sysdig Secure as a custom rule.

- rule: Suspicious Chdir Event Detected
  desc: Detects a process changing a directory using a proc-based file descriptor.
  # Match only the exit event (evt.dir=<) of a chdir that succeeded (evt.rawres=0)
  # and whose target path goes through a descriptor under /proc/self/fd/.
  condition: >
    evt.type=chdir and evt.dir=< and evt.rawres=0 and evt.arg.path startswith "/proc/self/fd/"
  output: >
    Suspicious Chdir event detected, executed …
  # priority is mandatory in a Falco rules file; it is not present in the excerpt above.
  priority: WARNING
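To see which events the condition above selects and which it ignores, here is an added Python re-implementation of the rule's predicate run over constructed syscall events. This is example code, not Falco or Sysdig code: the event dicts, their field names, and the broader /proc/<pid>/fd/N variant are assumptions of the example, included because the literal "/proc/self/fd/" prefix in the rule does not cover the same technique expressed through an explicit pid or /proc/thread-self.

```python
import re

# Added example (not part of the Sysdig post or of Falco): a minimal
# re-implementation of the rule's condition, evaluated over constructed
# events. Field names mirror what the rule reads; nothing here was captured
# from a real system.

PROC_SELF_FD = "/proc/self/fd/"

# Broader variant, an assumption of this example rather than the page's rule:
# also matches /proc/<pid>/fd/N and /proc/thread-self/fd/N, which the literal
# "/proc/self/fd/" prefix would not catch.
PROC_FD_ANY = re.compile(r"^/proc/(self|thread-self|\d+)/fd/\d+(/|$)")


def matches_rule(evt: dict) -> bool:
    """Mirror of the Falco condition:
    evt.type=chdir and evt.dir=< and evt.rawres=0
    and evt.arg.path startswith "/proc/self/fd/"
    """
    return (
        evt.get("type") == "chdir"
        and evt.get("dir") == "<"        # exit side of the syscall, so rawres is populated
        and evt.get("rawres") == 0       # only successful chdir calls
        and str(evt.get("path", "")).startswith(PROC_SELF_FD)
    )


def matches_rule_broad(evt: dict) -> bool:
    """Same predicate with the wider /proc/.../fd/N pattern (assumed variant)."""
    return (
        evt.get("type") == "chdir"
        and evt.get("dir") == "<"
        and evt.get("rawres") == 0
        and PROC_FD_ANY.match(str(evt.get("path", ""))) is not None
    )


def alert_line(evt: dict) -> str:
    """Assemble an output line in the spirit of the rule's (truncated) output field."""
    return (
        f"Suspicious Chdir event detected, executed by {evt['proc']} "
        f"(pid={evt['pid']} container={evt['container_id']}) path={evt['path']}"
    )


def scan(events, broad: bool = False) -> list[str]:
    """Run the chosen predicate over an event stream and return alert lines."""
    check = matches_rule_broad if broad else matches_rule
    return [alert_line(e) for e in events if check(e)]


# Constructed sample events (hypothetical pids, names and container ids).
SAMPLE_EVENTS = [
    # enter side of the syscall: no result yet, so the rule must not fire
    {"type": "chdir", "dir": ">", "rawres": None, "path": "/proc/self/fd/7",
     "proc": "runc", "pid": 4242, "container_id": "host"},
    # successful chdir through a proc fd: the case the rule is written for
    {"type": "chdir", "dir": "<", "rawres": 0, "path": "/proc/self/fd/7",
     "proc": "runc", "pid": 4242, "container_id": "host"},
    # ordinary chdir inside a container: benign
    {"type": "chdir", "dir": "<", "rawres": 0, "path": "/app",
     "proc": "sh", "pid": 17, "container_id": "9f1e2d3c4b5a"},
    # failed chdir (ENOENT): rawres != 0, so the rule stays quiet
    {"type": "chdir", "dir": "<", "rawres": -2, "path": "/proc/self/fd/9",
     "proc": "sh", "pid": 17, "container_id": "9f1e2d3c4b5a"},
    # same technique via an explicit pid: missed by the literal prefix match
    {"type": "chdir", "dir": "<", "rawres": 0, "path": "/proc/4242/fd/7",
     "proc": "sh", "pid": 4243, "container_id": "host"},
    # a different syscall touching a proc fd path: not chdir, ignored
    {"type": "openat", "dir": "<", "rawres": 5, "path": "/proc/self/fd/7",
     "proc": "cat", "pid": 18, "container_id": "9f1e2d3c4b5a"},
]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
    print("--- broad variant ---")
    for line in scan(SAMPLE_EVENTS, broad=True):
        print(line)
```

Run as a script, the page's predicate reports only the runc event; the broad variant additionally reports the /proc/4242/fd/7 event. Whether to widen the rule that way is a tuning decision: the wider pattern closes an obvious gap but should be checked against a baseline of the runtimes in use before it is deployed.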

