Built-in Recipes
Pre-configured Detection Patterns
Jibril ships with a comprehensive set of built-in detection recipes ready to use out of the box.
Public Detection Recipes
The following public detection recipes are available:
- binary_self_deletion
- capabilities_modification
- code_modification_through_procfs
- core_pattern_access
- cpu_fingerprint
- data_encoder_exec
- filesystem_fingerprint
- global_shlib_modification
- hidden_elf_exec
- java_debug_lib_load
- java_instrument_lib_load
- machine_fingerprint
- os_fingerprint
- os_network_fingerprint
- os_status_fingerprint
- package_repo_config_modification
- pam_config_modification
- passwd_usage
- sched_debug_access
- shell_config_modification
- sysrq_access
- unprivileged_bpf_config_access
Public Detection Recipes Repository: GitHub - garnet-org/jibril-recipes
You may use the public detection recipes as examples when creating your own recipes. The public set includes recipes translated from open-source projects.
Private Recipes
The following private detection recipes are available:
- adult_domain_access
- auth_logs_tamper
- badware_domain_access
- binary_executed_by_loader
- cloud_metadata_access
- code_on_the_fly
- credentials_files_access
- credentials_text_lookup
- crypto_miner_execution
- crypto_miner_files
- denial_of_service_tools
- dyndns_domain_access
- environ_read_from_procfs
- exec_from_unusual_dir
- fake_domain_access
- file_attribute_change
- gambling_domain_access
- interpreter_shell_spawn
- net_filecopy_tool_exec
- net_mitm_tool_exec
- net_scan_tool_exec
- net_sniff_tool_exec
- net_suspicious_tool_exec
- net_suspicious_tool_shell
- piracy_domain_access
- plaintext_communication
- runc_suspicious_exec
- ssl_certificate_access
- sudoers_modification
- threat_domain_access
- tracking_domain_access
- vpnlike_domain_access
- webserver_exec
- webserver_shell_exec
Note: Some signatures are private-only for now.