Execve

Execve events are generated whenever an execve syscall happens on the system. It provides information about the current binary currently running.

tip

This event gets generated only when execve syscall is successful

{
  "data": {
    "ancestors": "kernel|kernel",
    "parent_exe": "kernel",
    "command_line": "/sbin/modprobe -q -- net-pf-10",
    "exe": {
      "path": "/usr/bin/kmod",
      "md5": "08220eec2f1a1f3690a2d6b2a634d255",
      "sha1": "4dd4f7a269c9d18d755176bcf44bcef86abe2633",
      "sha256": "cc064683b03c958347f2a7d13ee9d4523434674e2599c2ca710f923dc44b0a5b",
      "sha512": "87d3057d6881b5256bf1ae93386d9b615f1afe11c3c90ae2e71eb68d9cf4f550205135ffd5cf24ca6fa72e08edf56110bd70a9ca5c5448283b5939384ff64813",
      "size": 166080,
      "error": null
    }
  },
  "info": {
    "host": "...",
    "event": {
      "source": "kunai",
      "id": 1,
      "name": "execve",
      "uuid": "e97b8ca5-f6bd-c206-afbd-701c0d61a9d9",
      "batch": 605
    },
    "task": "...",
    "parent_task": "...",
    "utc_time": "2024-10-29T12:47:58.834535124Z"
  }
}