📄️ Event Layout and Info Section
Every kunai event gets a set of common fields shared between all the events. These fields give various information which might be used for advanced purposes such as event identification, grouping or correlation.
📄️ Execve
Execve events are generated whenever an execve syscall happens on the system. It provides information about the binary currently running.
📄️ Execve script
This event is generated under the same conditions as the execve event. The only difference is that it provides additional information about the interpreter when the file being executed is a script.
📄️ Exit
Exit events get generated when a single task (process or thread) exits.
📄️ Exit group
Event generated when a thread-group (process and all its threads) exits.
📄️ Clone
A task is being cloned/forked. This means that a new task will be created
📄️ Prctl
A prctl event is generated when a process makes a call to the prctl syscall. As you can
📄️ Init module
This kind of event is generated when a kernel module is loaded into the kernel.
📄️ Bpf prog load
This event is generated every time a BPF program is loaded into the kernel.
📄️ Bpf Socket Filter Attached
A socket filter attachment has been made (for instance via the getsockopt syscall).
📄️ Mprotect exec
This kind of event is generated when memory protection is changed to executable.
📄️ Mmap exec
This event is generated whenever the mmap syscall is used to map an executable file into memory with execute protection.
📄️ Connect
This event gets generated every time a connection attempt is made to a remote IP.
📄️ Dns query
This event is generated when a DNS response is received on the host and gives insight into the query, the response and the DNS resolver.
📄️ Send data
This event gets generated when data is sent to a remote IP address.
📄️ Read
This event gets generated whenever a file is read.
📄️ Read config
This event is generated whenever a file located in /etc is being read.
📄️ Write
This event gets generated whenever a file is written.
📄️ Write config
This event is generated whenever a file located in /etc is being written.
📄️ File rename
This event gets generated whenever a file is being renamed.
📄️ File unlink
Event generated when a file gets unlinked.