Project Freta is a newly announced offer from Microsoft, which aims at discovering any malware or rootkit running on Linux systems, by conducting memory forensic analysis automatically. The analysis is conducted at no cost and is very easy to extrapolate the data, democratizing the forensic process.
Project Freta was designed and built with survivor bias at its core. It is a security project designed from first principles to drive the cost of sensor evasion as high as possible and in many cases render evasion technically infeasible.
Mike Walker
https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
At the moment there are more than 4,000 supported kernel versions.
The process is very useful because the malware cannot “hide” himself, since the image processing system is non-intrusive to the VM, giving analysts a complete view on what’s running and potentially bad for the server.
The supported memory images formats are the following:
- vmrs
- lime
- core
- raw
The memory can be captured using various tools, such as:
- vmss2core (VMware)
- Hyper-V Manager
- AVML
The tool works by analyzing an image uploaded on the cloud. Once the image has been acquired, you can let the program scan it.
Please refer to this guide to extract the images: https://docs.microsoft.com/en-us/security/research/project-freta/how-to-capture-an-image
Read the full announcement: https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
Documentation: https://docs.microsoft.com/it-it/security/research/project-freta/
Azvise 