 Yeah. Well, good afternoon. Yeah, well, the people that is online too. Very happy to be here. It's my first time on a long trip because I am from Peru, but I live in Brazil. It's like 14 hours far away. Well, I will talk about my experience that I have researched a little about how is the file is attacking Linux. Here about myself, I really like community because we learn and also I participated in the Kubernetes documentation helping in the translation in Portuguese and Spanish mainly in Spanish. And currently in this release, I am working in the release docs of 126. If everyone is interested, you can also ping me. And also I really like cloud native and security and tropical weather. Yeah, I think it's an overview about myself. And we will talk about files because when you try to search this in Google, you will find a lot of information. And next we will give a brief introduction about eBPF. And how can we use these tools to detect these kinds of attacks? Specific detection that I will use in my demo that will be about files. Well, the definition about files, as you can see, is some malicious code will try to run to execute it in our system. But without using the file system is the main definition about files. That's keeping in mind. And also it's known as a non malware or serial footprint because of this. Because it's difficult to detect because traditional security tools use file system to detect these kinds of attacks or issues. And when you see it's something like you also will hear about living of the land, some expressions. And also you can, the files, when you try to search, you will see that they have a lot of material or a lot of attacks that's happening in Windows. Traditionally, more in Windows, we have several attacks that it's already happened. And they use legitimate programs like PowerShell to introduce, like we can see in this image, it seems that this is the normal process. But the threat actor is using this to introduce some payloads that could damage or could insert malicious code. And when also when we see about filest, we will read that this advanced persistent threat, APT. And this is because generally when you are hearing about filest, it's because it's against big companies or between nations. You see that the hackers put a lot of a lot of force or a lot of the, yeah, they put a lot of effort. Sometimes the words, the English words is missing. But well, put a lot of effort to attack. And yeah, this is a famous case that is the cobal kitty that they attack. And this payload or this filest attack, it's like one year that it's happened inside of the system before the security team or anyone detect this attack. And they use like PowerShell or legitimate programs like in this case, it was cobal strike. But this is more the literature that we will hear about filest attack in Windows. But now I will tell how can happen this filest attack in Linux because right now our Kubernetes containers and everything is running in Linux. And mainly when we talk about filest in Linux, it's using the LD preload or Ptrace or this main FD creates is called that it will be the focus of my demo. But this is the common artifacts that it could happen filest in Linux. So as you can see, first we, some threat actor will try to use these legitimate programs in Linux to try to load some malicious code and execute it, basically. The attacks is already happening, like you can see this research. And also it was like some inspiration because sometimes we read about some security research that say how it's happening filest. And I want to simplify a little how it's doing this only to demonstrate running a container. How can we use main FD? When you see attacks in the wild, it's already creating some malicious code that is trying to use this technique in the containers. Some part, this filest introduced on malware. As you can see, our static scanning tools don't help us to detect this kind of attack. Because when we run, this is a legitimate program. It's not a vulnerability that we could see it or our static scanning tools help us to detect this is a filest vulnerability, for example. It's not the concept. There's a reason that we can find this kind of attacks using these specific tools. So to follow in, this is some of the attacks that I will use about Linux. It's a code that is using main FD create. Now already it was detected by several security research teams in the wild that is the expression. This is the main code. I have all the references in the slides. But basically they are using encryptations. It's not only using the system code that I will use it. It's also using encryptation to help with obfuscation. And here is the main code about run from memory. That is the main part that will be called the main FD create. Try to write this malicious code in this new file descriptor and execute it. I will use this. This is the main part. So this main FD create is the most easily way to create files. It could be created in other ways, but this is more simple. You only have to call this call and they will create a file descriptor. You have many codes in the internet that is already using this. So this is only just keeping in mind that that's the reason that I am using main FD create when you... Next, a brief introduction about eBPF to see how it can help us to detect this kind of attack or this malicious. And here is an overview of how it can be eBPF. Because when we talk about eBPF, we will talk a lot of user space and kernel space. We have our system calls and we have the programs, the eBPF programs that is loaded in the kernel. Maybe I put some other things like the Linux security, for me it's a little Linux security models, that also you hear a lot about Linux security models because before eBPF, we write some code in the kernel using this. But right now we are using more eBPF because it's like a more modern technology that gives us benefits. And here we have programs like Falco, Tracy, etc. I will use it to try to detect the main FD create. And as you can see when we talk about eBPF, we will talk about kernel events. It's a lot of events that is inside of our kernel. We have kernel functions, system calls, but it's not only the system call because we have trace points. And I put in this information because when you see the rules that I will use it, it's related maybe at trace points or some cave groups. It depends how you are designing your eBPF program. So the trace point here is an overview. How can you use these instrumentations? Basically it's static instrumentation points. You can instrument several things inside of these eBPF programs when the events happen and we attach these eBPF programs is when it's starting to filter this information. And also we have the cave groups. Well, I was reading about these trace points cave groups. When you have both, you can try to use it more trace points because it's more stable. But in some uses cases, you only have cave groups on events that is only supported by cave groups. It depends on the design of the type of event that you want to filter. Before I was only talking about these cave groups and trace points because in the rules, you will see these words. Just keep in mind. Right now I will talk about how I developed the demo and I will run using Falco, Tracy, and Tetragon. Here we have these three tools that they use eBPF. My demos, it's based in the default installation of these tools because they both support Linux machines and Kubernetes. And I installed it in the default version in Kubernetes clusters. My demo is trying to detect these suspicious malicious code that is these three main steps, three main lines that I am calling. They may not be created. Next, I am writing in this new file descriptor that is in memory. I am writing some malicious code in this file descriptor that is already in memory. Next, I try to execute this malicious code that is in the file descriptor. We are spawning this in the display name that you put some, for example, a running process that in my case will be nginx. In this way, it is spawned using with this exec and spawned with the malicious code. Also, the file descriptor, as you can see, the path is the process file system. This is the main code that it was before the explanation of a Zuri code that it was how it was implemented in this specific way. You can implement it in several other ways, but this is following that it was in the wild attack about this Zuri that I put in the before slide. This is the code. I just put it some more print lines. Also, all the code is in my repository that they have the code and also they have a little explanation about each runtime at the demo and the steps. Next, I built this code and I inserted in a container. I built an image and I inserted this binary to use it inside in a container. That's all. That's the reason that when you see in the demos, this demo main fd is because I built this code and I put it inside of my container. Next, I will start with Falco. This is the main architecture that you can find in the documentation of the project. The rules is in the user space. They have predefined rules, macros, this part of the rule engine that you can see is here is the rule that I wrote. By default, it doesn't detect exactly the main fd create, so you can customize with some other rules. That's the case. You can edit in the Kubernetes module, edit a config map. This is the print about the config map that I did. I tried to filter by basically the spawnet, exact cbe and exact bit. That is two ways that you can execute the system's calls. I tried to also filter by the path, the proc cell. This is the recording. I am running the main fd with only using ELF. It's not a malicious code. It's only a ELF that is printing the date, but it could be replaced with any malicious code so you can run it without problem in your house. It's like only to try to trigger this main fd create and simulate the process of a file's execution. I could fix this rule because I was trying to talk with some friends of Falco. I think I have some output that I could improve. I will try to improve and I will do the updates in my repository, but I think that is detected. You can see that is detected execution. I have some other runc execution that is appearing. Right now, the main fd create is the syscall itself is not supported. That's the reason that I am not using in this rule. Next, I will show you here in Tetragon. We have also, as you can see here, the collectors. They have the collector in the kernel space that it means that you have to write your rules or your filters that they can apply these filters to show you the events that you are looking. For example, in the before, you don't have some signatures by default, but you have to create in this collector. I think it will be more clear about this collector. Seeing the tracing policy is a custom restored definition. In this case, because I am trying to look at the main fd create, that is the main point, the system call, I define it in the rule that if some syscall, main fd create, and also another syscall, the sysclose. I think the main point of this rule, because they have this feature that is the sign here, that after I find my main fd create, here is in the execution cb, because they have the main fd, and the execution itself is malicious content. When he noticed that they have this match of main fd and execution cb, I will kill the process when it's matching the proc cell by the script. That is the execution of my program. If I will threat actor, I can see this rule and I could create another folder to apply my malicious code, like proc cell. I could bypass this rule. That's the reason that also I know that they are doing a pull request with a better approach that it's using iNodes. Also using my notes, because it's for mergers. But I think the most complex when you are trying to create your rules is about the security research knowledge. I don't know if I share my experience itself, but I work as a developer and next like as a cloud architect, DevOps, and going to security. It's different when you are security research, because you are dedicated to create this kind of information. You will see that it's very difficult when you try to search or dig information about the attacks in specific cases, because it's always a way to bypass this rule or another method to the threat actor try to create some malicious code. Here is the action that you can see that is killing the process. Next I will talk about Tracy. In the case of Tracy, the rule was already there. I didn't have to create it because security research already put the rule there. But I will explain a little about the rule. This architecture about how eBPF in Tracy works, as you can see also we have the eBPF Collector, but it's filtered by the events of the signatures that is preload, because when you run also in the next slide you will see that when you're running Tracy in the mode eBPF trace, they generate a lot of events. But in this case, there are a filter by only the events that is necessary for the signatures. The signatures is already all the rules preload that will detect some kind of security issues. So these signatures that will be like the rules, the filters that already created in Falco, that is trying to detect some malicious actions. You can see some default signatures are created there and also you have the reference. I only do this demo with some of the rules that is the files. And here this is the rule that is already there. I didn't write it. And the main is also trying to look in this case is using trace point to try to catch this eBPF, the kernel events using trace point with eBPF. And the first two rules it's trying to find, the main fd. And the others is also other patch that is also related with temporary folders that it's other way that you can create files. And here is the demo with Tracy. So here is the default output when you are running as a tool of the detections that it's detected some malicious code and then that's printed. And here it's, this is the mode that is running in mode that eBPF trace that you can use without filters and you will see all the events that it's producing or you can put some several filters that is relevant for you. In this case, I only put like how can you capture a binary that is a common thing that the forensic team, it's interesting that it's someone trying to execute something and you can capture this and try to analyze after. This is in the mode of the eBPF trace. And well, if you can see a complete attack, I only explain a little that will be running in memory and even is without encryptations because when the attack itself happened, they used some packer or encryption only to create the part of obfuscation, it would be more difficult to detect. And as you can see, when a really attacks happen in the wild, they are have a more complex and that's something that you can be aware of that. That's the reason that it's only, yeah, it's the end because in the other part we have running in memory and you have more root kids that is the security is very difficult. And I think my sharing and about this experience about searching about files is, yeah, it's really hard security when you try to create some rules or try to apply how can I detect files and I will try to put the rule because when you read, in this case, I only use main FD create but you can bypass with using other things and when you are reading, you see that in some other blocks, for example, they could use in another way is like, yeah, it's down on the rabbit hole because you are thinking that with this rule, you are catching that event but itself when it's happening or when you see in the blocks of the security people that is searching, it's, yeah, it's always another way you can bypass and I only, I think I want to give thank you for the three projects because these projects are in sharing their knowledge and security because you can see and I see I put in the reference but they already have some security default rules that you can try to catch and learn how they are doing and I think this is important. Yeah, here are my contacts and if you have any doubts or you also want to have some notes how can improve the rules or everything, yeah, I am available and yeah, thank you to all the projects that they helped me when I go to the slack of every project. No, I think it will be, that's all. Thank you.