⚡ Execution & Detection
Jibril's execution engine is the core of its runtime security capabilities. Built on efficient eBPF-based monitoring, it collects behavioral data from the Linux kernel with minimal overhead while maintaining complete visibility into system activity.
🎯 Continuous Threat Detection
Jibril monitors file access, process execution, network activity,
and other security-relevant events in real-time.
The result? Immediate threat detection with actionable alerts,
zero performance impact, and comprehensive coverage.
🎯 What You'll Learn
This section covers how Jibril executes runtime monitoring and detection, including the mechanisms used to collect data, the components involved, and the detection capabilities.
🧩 Components
The modular building blocks that power Jibril's execution engine, from modular features to output printers.
🔧 Mechanisms
Technical deep-dive into eBPF probes, file access tracking, network monitoring, and loader interception techniques.
🔍 Detections
Comprehensive catalog of built-in detection recipes for file access, process execution, and network threats.
🌐 Network Policy
Real-time network policy enforcement to block malicious IPs and domains based on CIDR blocks and DNS queries.
📊 Detection Mechanisms
Jibril provides comprehensive detection coverage across three main categories:
📁 File Access
Monitor suspicious file system activities and access patterns:
- 🔐 Credential and SSH key access
- 🔧 Configuration file modifications (PAM, sudoers, shell configs)
- 💾 System file tampering (auth logs, shared libraries)
- 🖥️ System fingerprinting attempts
- ☕ Java instrumentation and debugging
Total: 30+ detection recipes covering critical file access patterns
⚙️ Execution
Identify suspicious process execution patterns and behaviors:
- 🔗 ELF loader abuse and hidden executions
- ⚡ Dynamic code generation and injection
- 🔍 In-memory credential scanning
- 🌐 Network tool execution (scanning, sniffing, MitM)
- 🐳 Container runtime suspicious activity
- ⛏️ Crypto miner detection
- 🐚 Webserver shell spawning
Total: 25+ detection recipes tracking malicious execution patterns
🌍 Network Peers
Detect malicious network connections and suspicious domain access:
- 🦠 Malware C2 and threat domains
- 🎣 Phishing and fake domains
- 🔀 Algorithmically generated domains (DGA)
- ☁️ Cloud metadata service access
- 🆕 Newly registered domains
- 📡 Plaintext communication detection
- 🔄 Dynamic DNS and VPN-like services
Total: 15+ detection recipes for network threat identification
🚀 Quick Navigation
Components
Extensions, plugins, and printers
Mechanisms
How eBPF monitoring works
Detections
Built-in detection recipes
Network Policy
Block IPs and domains
💡 Key Concepts
Query-Driven Architecture
Unlike traditional event streaming, Jibril stores events in kernel memory and queries them on demand. This eliminates ring buffer overflows and event loss.
Benefits:
- Zero event loss under load
- Consistent CPU usage
- Efficient memory utilization
In-Kernel Detection
Detection logic runs inside the kernel using eBPF, enabling real-time pattern matching without user-space round trips.
Benefits:
- Sub-millisecond detection latency
- Minimal performance overhead
- Synchronous policy enforcement
Resource Correlation
Jibril tracks relationships between processes, files, network connections, and users, providing rich context for every detection.
Benefits:
- Attack chain visibility
- Root cause analysis
- Reduced false positives
Modular Detection
Detection recipes are modular and can be enabled/disabled individually, allowing fine-grained control over monitoring scope.
Benefits:
- Tailored security posture
- Reduced alert noise
- Performance optimization