new(rules): add rule for detecting fileless execution via memfd_create

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>

rules/falco_rules.yaml

@@ -3416,6 +3416,21 @@
   priority: CRITICAL 
   tags: [container, mitre_persistence, TA0003]
 
+- rule: Fileless execution via memfd_create
+  desc: 
+    Detect if a binary is executed from memory using the memfd_create technique.
+    This is a well-known defense evasion technique for executing malware on victim machine without storing payload on disk.
+  condition: >
+    spawned_process
+    and proc.is_exe_from_memfd=true
+  output: > 
+    Executing binary not part of base image (user=%user.name user_loginuid=%user.loginuid user_uid=%user.uid comm=%proc.cmdline exe=%proc.exe container_id=%container.id
+    image=%container.image.repository proc.name=%proc.name proc.sname=%proc.sname proc.pname=%proc.pname proc.aname[2]=%proc.aname[2] exe_flags=%evt.arg.flags
+    proc.exe_ino=%proc.exe_ino proc.exe_ino.ctime=%proc.exe_ino.ctime proc.exe_ino.mtime=%proc.exe_ino.mtime proc.exe_ino.ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start
+    proc.exepath=%proc.exepath proc.cwd=%proc.cwd proc.tty=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid evt.res=%evt.res)
+  priority: CRITICAL
+  tags: [mitre_defense_evasion, T1620]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.