From 10a093177d7da48d4383b848858bc6aac75bb80d Mon Sep 17 00:00:00 2001
From: Yutong Sun
Date: Wed, 22 Jan 2025 22:03:35 +0000
Subject: [PATCH] rules: add runc to known_memfd_execution_binaries

Signed-off-by: Yutong Sun
---
 rules/falco_rules.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f5ea778f..ef5fa3c4 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1230,10 +1230,15 @@
   tags: [maturity_stable, host, container, network, process, mitre_execution, T1059]
 - list: known_memfd_execution_binaries
-  items: []
+  items: [runc]
 - macro: known_memfd_execution_processes
-  condition: (proc.name in (known_memfd_execution_binaries))
+  condition: >
+    (proc.name in (known_memfd_execution_binaries))
+    or (proc.pname in (known_memfd_execution_binaries))
+    or (proc.exepath = "memfd:runc_cloned:/proc/self/exe")
+    or (proc.exe = "memfd:runc_cloned:/proc/self/exe")
+
 - rule: Fileless execution via memfd_create
   desc: >
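Review bot: The new `or (proc.pname in (known_memfd_execution_binaries))` clause in the known_memfd_execution_processes macro exempts every process whose parent is named runc, not just runc's own memfd re-exec, which is wider than the commit title describes and wider than the three other clauses need. Every field the macro now keys on (proc.name, proc.pname, and the memfd name embedded in proc.exepath/proc.exe) is a name the executing process chooses, so this exclusion rests on naming rather than on anything the detection can verify; that is an accepted trade-off for an allowlist, but it should be narrowed and documented. Consider tying the parent-name clause to the memfd path it is meant to cover, e.g. `or (proc.pname in (known_memfd_execution_binaries) and proc.exepath = "memfd:runc_cloned:/proc/self/exe")`, and adding a comment above the macro such as `# runc re-executes itself from a memfd named runc_cloned; this exempts that re-exec so the rule below does not fire on every container start` so a later maintainer knows which behaviour the four clauses were written against. The rule "Fileless execution via memfd_create" that consumes this macro continues outside the hunk, so whether it applies the macro as a negated exclusion cannot be confirmed from this diff.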