update(rules): graduate fileless execution rule

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>

rules/falco-incubating_rules.yaml

@@ -1235,23 +1235,3 @@
   output: Exfiltrating Artifacts via Kubernetes Control Plane (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [maturity_incubating, container, filesystem, mitre_exfiltration, TA0010]
-
-- list: known_memfd_execution_binaries
-  items: []
-
-- macro: known_memfd_execution_processes
-  condition: (proc.name in (known_memfd_execution_binaries))
-
-- rule: Fileless execution via memfd_create
-  desc: >
-    Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion 
-    technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces 
-    about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes 
-    by adding items to the list known_memfd_execution_processes.
-  condition: >
-    spawned_process
-    and proc.is_exe_from_memfd=true
-    and not known_memfd_execution_processes
-  output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
-  priority: CRITICAL
-  tags: [maturity_incubating, host, container, process, mitre_defense_evasion, T1620]

rules/falco_rules.yaml

@@ -24,7 +24,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
-- required_engine_version: 17
+- required_engine_version: 26
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -1223,3 +1223,23 @@
   output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
   tags: [maturity_stable, host, container, network, process, mitre_execution, T1059]
+
+- list: known_memfd_execution_binaries
+  items: []
+
+- macro: known_memfd_execution_processes
+  condition: (proc.name in (known_memfd_execution_binaries))
+
+- rule: Fileless execution via memfd_create
+  desc: >
+    Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion 
+    technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces 
+    about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes 
+    by adding items to the list known_memfd_execution_processes.
+  condition: >
+    spawned_process
+    and proc.is_exe_from_memfd=true
+    and not known_memfd_execution_processes
+  output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+  priority: CRITICAL
+  tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620]