itaysk/tracee-malware
Using Tracee to profile and detect common malware behavior

This demo was created to accompany the KubeCon session I co-presented: How This Innocent Image Had a Party in My Cluster. It demonstrates several malware techniques and shows how Tracee can be used to observe and detect this behavior.

Notice: This demo is not necessarily in sync with the latest version of Tracee.

The techniques demonstrated are:

  1. Contacting a bare IP with bad reputation
  2. Drop and execute at runtime
  3. File-less execution using memfd
  4. File-less Drop
  5. Unpacking an executable at runtime
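As an added illustration (not part of this repository or of Tracee itself), the following Python shows how a detector could flag three of the listed behaviors by correlating a stream of syscall events; the JSON event schema, the sample lines and the reputation list are constructed assumptions, not Tracee's real output format.

```python
"""Correlate process-tracing events to flag the README's malware patterns."""
import json
from collections import defaultdict

# Constructed sample events in an assumed, simplified JSON-lines format
# (one syscall event per line with its pid and a few named arguments).
SAMPLE_EVENTS = """
{"ts": 1, "pid": 100, "event": "memfd_create", "args": {"name": "x", "flags": 1}}
{"ts": 2, "pid": 100, "event": "execve", "args": {"pathname": "/proc/self/fd/3"}}
{"ts": 3, "pid": 200, "event": "openat", "args": {"pathname": "/tmp/spy", "flags": "O_WRONLY|O_CREAT"}}
{"ts": 4, "pid": 200, "event": "execve", "args": {"pathname": "/tmp/spy"}}
{"ts": 5, "pid": 300, "event": "connect", "args": {"addr": "198.51.100.23", "port": 4444}}
{"ts": 6, "pid": 400, "event": "execve", "args": {"pathname": "/usr/bin/date"}}
"""

# Constructed reputation list for the demo; a real deployment would consult
# a threat-intelligence feed instead.
BAD_IPS = {"198.51.100.23"}


def detect(lines):
    """Return (pid, rule) findings, in event order, for three behaviors."""
    findings = []
    written = defaultdict(set)  # pid -> paths that process opened for writing
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        pid, name, args = ev["pid"], ev["event"], ev["args"]
        if name == "openat":
            flags = args.get("flags", "")
            if "O_WRONLY" in flags or "O_RDWR" in flags:
                written[pid].add(args["pathname"])
        elif name == "execve":
            path = args["pathname"]
            # Fileless execution: an anonymous memfd is only reachable through
            # a /proc/<pid>/fd/N or /dev/fd/N link (or shows up as "memfd:").
            if path.startswith(("/proc/self/fd/", "/dev/fd/")) or "memfd:" in path:
                findings.append((pid, "fileless_exec_memfd"))
            # Drop-and-execute: the same process wrote the file it now runs.
            # A production rule would also correlate across parent/child pids.
            elif path in written[pid]:
                findings.append((pid, "drop_and_execute"))
        elif name == "connect" and args.get("addr") in BAD_IPS:
            findings.append((pid, "bad_reputation_ip"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```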

TOC:

  1. /helloworld - a simple hello world program used as a dummy executable
  2. /spy - a simple executable that calls out to a bad reputation IP address
  3. /rottendate - a simple web service, delivered as a Docker image, that returns the current date and time but also hides the "spy" program using all of the discussed evasion techniques
  4. /demo - scripts to exercise the discussed potentially malicious patterns and to trace their behavior using Tracee.

Demos:

  • Execute the run.sh script to run through the scenario unattended. The scripts expect certain arguments, which are documented in each script.
  • The scripts are meant to run as a regular user, but they will sudo to run some commands.
  • Each demo is self-contained: it sets up its requirements and cleans up after itself.
  • The results are written to the /demo/*/out directory.