Skip to main content
Version: 0.6.0

Execve

This event is generated when a new process is created using one of the execve system calls. execve system calls are used to execute a program within the context of an existing process, replacing the current process image with a new one. This event is crucial for monitoring process execution and understanding the lineage and behavior of processes on a Linux system.

Example JSON

Below is a sample JSON payload for an execve event:

{
"data": {
"ancestors": "/usr/lib/systemd/systemd|/usr/bin/login|/usr/bin/zsh|/usr/bin/bash|/usr/bin/xinit|/usr/bin/i3|/usr/bin/bash|/usr/bin/urxvt|/usr/bin/zsh|/usr/bin/bash|/usr/bin/timeout|/usr/bin/bash",
"parent_command_line": "bash -ec \"trash=/tmp/trash; mkdir -p $trash; while [ true ]; do t=$(mktemp -d -p $trash); for i in {0..100000}; do echo \\\"AHHHH\\\" > $t/test$i.txt; done && rm -rf $t; done\"",
"parent_exe": "/usr/bin/bash",
"command_line": "mktemp -d -p /tmp/trash",
"exe": {
"path": "/usr/bin/mktemp",
"md5": "0d7660dac3bffd6b76d3054da0fa1216",
"sha1": "817329148a765bc2dc82baa230638d1987d7a284",
"sha256": "f32938cf25ddd6f6800a8e9b406595534d0eb27993587bbdeee2e83dd97d8406",
"sha512": "22d716d4e16492928ec90380d8c6d4749a0082ffa04630355a1d9a59bd3d196e83169223354a1edd28c5bbec137da96ccc6f42558e30cfe2a4d456a0b4c50fba",
"size": 39144,
"error": null
}
},
"info": {
"host": "...",
"event": {
"source": "kunai",
"id": 1,
"name": "execve",
"uuid": "b8e4bb6c-6048-b9e9-6c50-514888182958",
"batch": 922
},
"task": "...",
"parent_task": "...",
"utc_time": "2025-06-10T14:00:42.814301638Z"
}
}

Additional Details

Why This Event Matters

The execve event is significant for several reasons:

  1. Process Monitoring: It provides visibility into process creation and execution, which is essential for security monitoring and incident response.
  2. Behavioral Analysis: Understanding the lineage and command-line arguments of processes helps in analyzing system behavior and detecting anomalies.
  3. Security: Monitoring execve events can help detect unauthorized or malicious process executions, which is critical for maintaining system security.

Key Fields Explained

.data.ancestors

  • A pipe-separated list of the executable paths of the process ancestors.

.data.parent_command_line

  • The command line used to start the parent process.

.data.parent_exe

  • The path to the executable of the parent process.

.data.command_line

  • The command line used to start the current process.

.data.exe.path

  • The path to the executable being run.

.data.exe.md5

  • The MD5 hash of the executable file.

.data.exe.sha1

  • The SHA1 hash of the executable file.

.data.exe.sha256

  • The SHA256 hash of the executable file.

.data.exe.sha512

  • The SHA512 hash of the executable file.

.data.exe.size

  • The size of the executable file in bytes.

.data.exe.error

  • Any error associated with the executable file, if applicable.
tip

The ancestors field provides a complete lineage of the process, which can be crucial for tracing the origin and understanding the context of process execution.