Bypassing Network Detection with Graftcp
Blog post from Sysdig
Graftcp is an open-source tool, recently examined by the Sysdig Threat Research Team, that lets an attacker hide where a process connects. It reroutes the traffic of chosen processes through a local proxy without touching global network configuration, which makes it stealthier than the usual approaches, such as proxychains or a system-wide SOCKS proxy setting, that are easy to spot because they change system configuration. Instead of preloading a library or editing config files, graftcp forks the target, traces it with ptrace, and rewrites the destination of every connect() call so the connection goes to its local proxy, which then forwards it to the real destination. Because the interception happens at the syscall level, it works for any process, including statically linked binaries that LD_PRELOAD-based tools cannot hook.

The Sysdig Threat Research Team has seen this used to keep connections hidden, for example while cryptomining on compromised remote hosts. To counter it, they wrote Falco rules that detect graftcp's behaviour by monitoring the ptrace syscall and connections to localhost, adding a layer of runtime detection for cloud-native environments. In practice the two signals are best correlated rather than used alone: loopback connections are common on any host, and ptrace is also used by debuggers and strace, so a rule that fires on a process being ptraced and then connecting to 127.0.0.1 is far less noisy than either condition by itself.
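To make the mechanism concrete, here is a minimal ptrace-based connect() redirector written for this page; it is an added example, not graftcp's source. It follows the description above: the tracer forks, the child asks to be traced and execs the target, and on every connect(2) to a non-loopback IPv4 address the tracer rewrites the sockaddr in the child's memory so the connection goes to 127.0.0.1:2233 (the proxy port is an assumption for the example) while recording the original destination, which is what a local proxy would need in order to forward the connection. The sample address 203.0.113.7 is constructed (TEST-NET). The tracer loop relies on the Linux x86_64 register layout; the rewrite logic at the top compiles and runs anywhere.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROXY_PORT 2233   /* assumed local proxy port, not taken from the post */

/* Pure rewrite logic: if *sa is a non-loopback IPv4 address, save it in *orig
 * and point *sa at 127.0.0.1:proxy_port. Returns 1 if rewritten, else 0. */
int redirect_to_local_proxy(struct sockaddr_in *sa, in_port_t proxy_port, struct sockaddr_in *orig)
{
    if (sa->sin_family != AF_INET) return 0;
    if ((ntohl(sa->sin_addr.s_addr) >> 24) == 127) return 0;   /* already local */
    *orig = *sa;
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa->sin_port = htons(proxy_port);
    return 1;
}

/* "ip:port" record of the original destination: what the local proxy needs to forward. */
int format_dest(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip)) return -1;
    return snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
}

/* Self-check on constructed addresses (TEST-NET and loopback); returns 1 on success. */
int self_test(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(443) }, orig;
    char rec[64];
    inet_pton(AF_INET, "203.0.113.7", &sa.sin_addr);
    if (!redirect_to_local_proxy(&sa, PROXY_PORT, &orig)) return 0;
    if (sa.sin_addr.s_addr != htonl(INADDR_LOOPBACK) || ntohs(sa.sin_port) != PROXY_PORT) return 0;
    format_dest(&orig, rec, sizeof rec);
    if (strcmp(rec, "203.0.113.7:443") != 0) return 0;
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);            /* already local: must stay untouched */
    return redirect_to_local_proxy(&sa, PROXY_PORT, &orig) == 0;
}

#if defined(__linux__) && defined(__x86_64__)   /* tracer: Linux x86_64 register layout */
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
/* Copy a word-multiple-sized struct to (to_tracee=1) or from tracee memory. */
static void copy_words(pid_t pid, unsigned long addr, void *buf, size_t len, int to_tracee)
{
    for (size_t i = 0; i < len; i += sizeof(long)) {
        long w; char *p = (char *)buf + i;
        errno = 0;
        if (to_tracee) { memcpy(&w, p, sizeof w); ptrace(PTRACE_POKEDATA, pid, (void *)(addr + i), (void *)w); }
        else { w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL); memcpy(p, &w, sizeof w); }
        if (errno) { perror("ptrace"); exit(1); }
    }
}

/* Stop the child at every syscall entry; on connect(2) with an IPv4 sockaddr,
 * rewrite the destination in the child's memory before the kernel reads it. */
static int trace_child(pid_t pid)
{
    int status, sig = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return 1;   /* exec stop */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return 1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1) return 1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }  /* pass signal on */
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return 1;
        if (regs.rax != (unsigned long long)-ENOSYS) continue;    /* this is a syscall-exit stop */
        if (regs.orig_rax != SYS_connect || regs.rdx < sizeof(struct sockaddr_in)) continue;
        struct sockaddr_in sa, orig;
        copy_words(pid, regs.rsi, &sa, sizeof sa, 0);
        if (redirect_to_local_proxy(&sa, PROXY_PORT, &orig)) {
            char rec[64]; format_dest(&orig, rec, sizeof rec);
            fprintf(stderr, "[tracer] pid %d: connect(%s) -> 127.0.0.1:%d\n", pid, rec, PROXY_PORT);
            copy_words(pid, regs.rsi, &sa, sizeof sa, 1);
        }
    }
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);   /* the ptrace() call a runtime rule can key on */
        execvp(argv[1], &argv[1]);
        perror("execvp"); _exit(127);
    }
    return pid < 0 ? 1 : trace_child(pid);
}
#endif
```

Run it as `./redirect curl http://203.0.113.7/` on Linux x86_64: curl itself is unmodified and believes it is connecting to 203.0.113.7, but the kernel sees a connect() to 127.0.0.1:2233, which is exactly why a detection built on the ptrace() call plus the loopback connect from the traced process works. The example only handles AF_INET; a real tool would also rewrite AF_INET6 and would need a listener on the proxy port to read the recorded destination.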