GLVSKiriti
commented
3 months ago /assign
Open GLVSKiriti opened 3 months ago
GLVSKiriti
commented
3 months ago /assign
GLVSKiriti
commented
3 months ago @FedeDP @leogr KIndly clarify my doubt! To generate this event conditions required are
spawned_process
and recon_binaries_procs
and proc.tty != 0
and proc.is_vpgid_leader=trueproc.is_vpgid_leader:
'true' if this process is the leader of the virtual process group, proc.vpgid == proc.vpid. For host
processes vpgid and vpid reflect pgid and pid. Can help to distinguish if the process was 'directly'
executed for instance in a tty (similar to bash history logging, is_vpgid_leader would be 'true') or
executed as descendent process in the same process group which for example is the case when
subprocesses are spawned from a script (is_vpgid_leader would be 'false').as mentioned in documentation proc.is_vpgid_leader will be true only if we enter command manually and it will be false when we execute a command by running a script or code.
Is there a way to implement this event in Go code, or is it not feasible?
poiana
commented
2 weeks ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
leogr
commented
2 weeks ago /remove-lifecycle stale
leogr
commented
2 weeks ago /remove-lifecycle stale
Motivation To add an event for default rule "Basic Interactive Reconnaissance" as mentioned here
Feature
Alternatives
Additional context