ebpf-edr

command module
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 6, 2022 License: AGPL-3.0 Imports: 17 Imported by: 0

README

Huakiwi

Huwkiwi is an EDR powered by eBPF and Sigma.

Name

Huakiwi is named after Leioproctus huakiwi, a species of bee Endemic to New Zealand.

credit: hasherezade

Requirements

Build

Simply run make after cloning the repo. it should generate a portable statically-linked binary.

git clone https://github.com/bm9w/huakiwi
cd huakiwi
make

Rules

current rules (almost all of them are borrowed from Elastic's public repo on SIEM rules)

  • Potential Protocol Tunneling via EarthWorm
  • Compression of Sensitive Files
  • Potential OpenSSH Backdoor Logging Activity
  • Attempt to Disable IPTables or Firewall
  • Attempt to Disable Syslog Service
  • Tampering of Bash Command-Line History
  • Potential Disabling of SELinux
  • File Deletion via Shred
  • Removing a kernel module
  • System Log File Deletion
  • Interactive Terminal Spawned via Perl
  • Interactive Terminal Spawned via Python
  • Modification of Dynamic Linker Preload Shared Object

Contributions welcome!

Documentation

Overview

This program demonstrates attaching an eBPF program to a kernel symbol. The eBPF program will be attached to the start of the sys_execve kernel function and prints out the number of times it has been called every second.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.