Excited for @hack_lu! In addition to my planned talk, I'll conduct a 90-min workshop to introduce Kunai: your new Linux threat-hunting tool (an alternative to #SysmonForLinux). See you there! More info: github.com/0xrawsec/kunai

If you are looking for a #SysmonForLinux alternative or if you are just curious ! Take a look to kunai: why.kunai.rocks If you want to try the stuff out, there is a pre-compiled binary on GitHub: github.com/0xrawsec/kunai… #ebpf #linux #threathunting #dfir

#Encoding is hard, exhibit no.2368474 #SysmonForLinux // ht @timb_machine github.com/Sysinternals/S…

I should probably take a look at auditd logs that are available and compare the telemetry to Sysmon, seeing if it's better at filling in the missing info in Sysmon. #Sysmonforlinux #Wine #Linux

A sigma rule for file permission setting using chmod github.com/exeronn/Linux-… #SysmonforLinux #SIGMA

The decompiled interpretation from ghidra of the main function. This is a link to the sample executed - bazaar.abuse.ch/sample/990628a… #SysmonforLinux

#SysmonforLinux #LinuxMalware #LinuxTTP #TTP

#SysmonforLinux #PyInstaller #PYC #PYZ

A fairly crude, yet relatively well functioned perl implant. Supports Scanning, log cleanup, DOS and arbitary command execution. Whilst it was simple it was good for 8 new sigma rules! #Sigma #SysmonforLinux #Perl #Malware 1/

Analysis of a multi platform coin miner & generic RAT. Has persistence via crontab & systemctl, can execute shell commands & DOS certain protocols. #SysmonforLinux #RAT #CoinMiner 1/

Running a sample which is a pyInstaller compiled ELF. The Python code is multi OS (Linux & Windows). Will post more detail on it after I've some time to look at it properly. #SysmonforLinux #PyInstaller #malware

As I forgot - #SysmonforLinux #LinuxMalware #Coinminer

An attempt to visualise the process tree using Networkx & Pyvis in Jupyter, keyed on ProcessGuid & ParentProcessGuid. #Python #Jupyter #SysmonforLinux

Still need to do some work to show process graphs. This was interesting, several GTFOBins & utilises a tool to rename the binary so tools such as "ps" show something else. Also sets up a cronjob to run every 5 minutes. It uses a pid file to deduplicate runs. #sysmonforlinux

Sysmon for Linux setup to start testing running payloads from the honeypots and other public sources. Currently collecting & processing; *process start/stop *network connections *file create/delete #Linux #Sysmonforlinux

Unfortunately, SysmonForLinux is still limited to a few events and they can not log all activities such as DNSEvent (EventID 22). Let me know what you're using for Linux. #Sysmon #SysmonForLinux #cybersecurity

Its been a while I did not posted on my #SysmonForLinux kind of project ! It is because it takes a lot of time to develop, here is where I am. Example, executing dig command: - we see execve event with hashes #ThreatHunting 1/6

I think I got bored waiting after #SysmonForLinux so I decided to start my own BPF based Linux monitoring project. Roadmap: - shared object loading - driver loading - dns queries - network connections Tell me if you want other stuffs for a first release ! #ThreatHunting