Small container runtime for threat detection

Overview

confine

Containers, but for dynamic malware analysis

confine is a container runtime for dynamically analyzing suspicious executables. Given a sample suspected of being malware, confine will create a container mount, dynamically trace it, and report back to you what threat indicators it has been able to find. No more clunky sandboxes and VMs!

Features

  • Threat Detection - identifies common malware capabilities and behaviors using dynamic tracing!
  • Automated Builds - use Confinement policies to quickly provision an environment, and share it with other threat analysts!
  • Syscall Filtering - enforce rules upon system call behaviors to log metrics or block malicious behavior!

Usage

Installing

To install confine, use cargo:

$ cargo install confine

Running an Analysis

To dynamically analyze a sample, we must first create a workspace with a Confinement policy to specify how our containerized environment will be provisioned. confine can automatically do that for us:

$ confine new workspace/

Having a workspace is useful for compartmentalizing the other dependencies the container needs, whether that is a locally built image, source code, configuration files, etc.

A Confinement is confine's version of a Dockerfile, but for provisioning container environments for tracing an executable. See the example here for more details on how to configure it, and set up syscall filtering rules as well.

Once everything is set, we can now execute an analysis! confine will not only run a dynamic trace, but will also employ its set of detections during execution, outputting the behaviors it encounters at the end:

$ confine exec workspace/
a.out  example.c
Caught the debugger!
intelligent-rest-5105
[2021-02-19T04:21:56Z ERROR confine::trace::subprocess] confine: [BLOCK] encountered syscall exit_group
{
  "syscalls": [
    "brk",
    "access",
    "mmap",
    "access",
    "open",
    "fstat",
    "mmap",
    "close",
    "access",
    "open",
    "read",
    "fstat",
    "mmap",
    "mprotect",
    "mmap",
    "mmap",
    "close",
    "mmap",
    "mmap",
    "arch_prctl",
    "mprotect",
    "mprotect",
    "mprotect",
    "munmap",
    "ptrace",
    "fstat",
    "mmap",
    "write",
    "uname",
    "write"
  ],
  "strings": [
    "Caught the debugger!\n",
    "intelligent-rest-5105\n"
  ],
  "networking": [],
  "file_io": {
    "/lib/x86_64-linux-gnu/libc.so.6": "524288",
    "/etc/ld.so.cache": "524288"
  },
  "commands": [],
  "capabilities": {
    "evasion": {
      "stalling": false,
      "antidebug": true,
      "antisandbox": false,
      "process_infect": false
    },
    "persistence": {
      "init_persistence": false,
      "time_persistence": false,
      "config_persistence": false
    },
    "deception": false
  }
}
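To make the syscall-filtering and capability-tagging behavior concrete, here is a small Rust model added to this page; it is not code from the confine project. A policy maps syscall names to a Log or Block action and is applied in order to a trace (the syscall sequence from the report above, reconstructed inline as constructed sample data). A Block rule stops the trace at that syscall, the way the `[BLOCK] encountered syscall exit_group` line shows, and the blocked syscall is reported separately rather than in the recorded list. The `Action`, `Policy` and `Report` names, the rule format, and the single heuristic that tags `antidebug` when `ptrace` appears are all assumptions; confine's actual Confinement syntax and detection rules are not shown on this page.

```rust
// Added example, not confine's own code: a minimal syscall-policy evaluator
// and capability tagger modelled on the report format shown in the README.
use std::collections::HashMap;

/// Action a Confinement-style rule takes when a syscall is observed.
/// Assumption: confine's real rule format is not shown on this page.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action {
    Log,
    Block,
}

/// A policy maps syscall names to actions; syscalls with no rule run silently.
pub struct Policy {
    rules: HashMap<&'static str, Action>,
}

impl Policy {
    pub fn new(rules: &[(&'static str, Action)]) -> Self {
        Policy { rules: rules.iter().cloned().collect() }
    }
}

/// Outcome of running a trace through a policy.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct Report {
    /// Syscalls recorded before the trace stopped (the "syscalls" array above).
    pub syscalls: Vec<String>,
    /// Syscalls that matched a Log rule, in order.
    pub logged: Vec<String>,
    /// First syscall that matched a Block rule, if any.
    pub blocked_at: Option<String>,
    /// Per-syscall counts, the "log metrics" use case from the feature list.
    pub counts: HashMap<String, usize>,
    /// Heuristic capability tag (assumption, see `evaluate`).
    pub antidebug: bool,
}

impl Report {
    /// Render the block event in the same shape as the README's log line.
    pub fn block_message(&self) -> Option<String> {
        self.blocked_at
            .as_ref()
            .map(|sc| format!("confine: [BLOCK] encountered syscall {}", sc))
    }
}

/// Walk the trace in order, applying the policy. A Block rule terminates the
/// trace at that syscall without recording it, so the recorded list matches
/// the README output where exit_group is blocked but absent from "syscalls".
pub fn evaluate(policy: &Policy, trace: &[&str]) -> Report {
    let mut report = Report::default();
    for &sc in trace {
        if policy.rules.get(sc) == Some(&Action::Block) {
            report.blocked_at = Some(sc.to_string());
            break;
        }
        report.syscalls.push(sc.to_string());
        *report.counts.entry(sc.to_string()).or_insert(0) += 1;
        if policy.rules.get(sc) == Some(&Action::Log) {
            report.logged.push(sc.to_string());
        }
    }
    // Heuristic (assumption, not confine's detection logic): a traced sample
    // issuing ptrace is typically checking whether it is already being traced.
    report.antidebug = report.syscalls.iter().any(|s| s == "ptrace");
    report
}

/// Syscall sequence constructed from the README's sample report, plus the
/// exit_group that the log line shows being blocked at the end.
pub fn sample_trace() -> Vec<&'static str> {
    vec![
        "brk", "access", "mmap", "access", "open", "fstat", "mmap", "close",
        "access", "open", "read", "fstat", "mmap", "mprotect", "mmap", "mmap",
        "close", "mmap", "mmap", "arch_prctl", "mprotect", "mprotect", "mprotect",
        "munmap", "ptrace", "fstat", "mmap", "write", "uname", "write", "exit_group",
    ]
}

fn main() {
    let policy = Policy::new(&[("ptrace", Action::Log), ("exit_group", Action::Block)]);
    let report = evaluate(&policy, &sample_trace());
    if let Some(msg) = report.block_message() {
        println!("{}", msg);
    }
    println!("recorded {} syscalls, mmap x{}, antidebug={}",
             report.syscalls.len(), report.counts["mmap"], report.antidebug);
}
```

Running it reproduces the shape of the report above: 30 recorded syscalls, a block on exit_group, and antidebug set because ptrace was observed. Dropping the exit_group rule lets the trace run to completion, which is the case a policy author should check when deciding whether a rule should log metrics or block.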

License

MIT License


Comments
  • Plugin management

    Enable developers to easily implement detections in forks to enable greater usability in excavating threats, rather than throwing everything in a single submodule and pattern matching on all syscalls.

    opened by ex0dus-0x 0
  • Enable various mount images

    Our only options are to use an alpine rootfs image, or manually specify a path to one. We should support efforts to enable different images to be used, such as remnux, or even full ideal distributions like Ubuntu.

    opened by ex0dus-0x 0
Owner
Alan
Security Engineer | NYU 2023