Explore Kunai Events
Info section has changed since previous version. Make sure you have updated your tooling and rules depending on kunai to reflect those changes.
๐๏ธ Event Layout and Info Section
Every kunai event gets a set of common fields shared between all the events. These fields give various information which might be used for advanced purposes such as event identification, grouping or correlation.
๐๏ธ Execve
Execve events are generated whenever an execve syscall happens on the system. It provides information about the current binary currently running.
๐๏ธ Execve Script
This event is generated under the same conditions as execve event. The only difference is that it provides additional information about the interpreter when the file being executed is a script.
๐๏ธ Exit
Exit events get generated when a single task (process or thread) exits.
๐๏ธ Exit Group
Event generated when a thread-group (process and all its threads) exits.
๐๏ธ Clone
A task is being cloned/forked. This means that a new task will be created
๐๏ธ Prctl
A prctl event is generated when a process makes a call to the prctl syscall. As you can
๐๏ธ Kill
This event is generated when kill signal is send to a foreign process.
๐๏ธ Ptrace
Event generated when a ptrace syscall is issued. .data.mode reflects the ptrace mode as defined in Linux Kernel headers
๐๏ธ Init Module
This kind of event is generated when a kernel module is loaded into the kernel.
๐๏ธ Bpf Prog Load
This event is generated every time a BPFย program is loaded into the kernel.
๐๏ธ Bpf Socket Filter Attached
A socket filter attachement has been made (for instance via getsockopt syscall).
๐๏ธ Mprotect Exec
This kind of event is generated when memory protection is turned to executable.
๐๏ธ Mmap Exec
This events is generated whenever the mmap syscall is used to map an executable file in memory, with memory execution protection.
๐๏ธ Connect
This event gets generated every time a connect attempt is made to a remote IP.
๐๏ธ Dns Query
This event is generated when the a DNS response is received on the host and gives insight both on the query, the response and the DNSย resolver.
๐๏ธ Send Data
This events gets generated when data is sent to a remote IP address.
๐๏ธ Read
This event gets generated whenever a file is read.
๐๏ธ Read Config
This file is generated whenever a file located in /etc is being read.
๐๏ธ Write
This event gets generated whenever a file is write.
๐๏ธ Write Config
This file is generated whenever a file located in /etc is being written.
๐๏ธ File Rename
This event gets generated whenever a file is being renamed.
๐๏ธ File Unlink
Event generated when a file gets unlinked
๐๏ธ Write and Close
An event generated when a file that has been written is just being closed. This is a great hook event to trigger a file scan as the file is not supposed to be written again.
๐๏ธ File Scan
Such events are generated when a scan-files action is requested. This event is a bit particular compared to other because it is triggered from another event. You can find the **cross-reference** to the **triggering event** in .data.sourceevent field.