🔍 Detection Recipes
Jibril includes a comprehensive library of 70+ built-in detection recipes designed to identify security threats and suspicious behaviors across different attack vectors. Each recipe is carefully crafted to detect specific MITRE ATT&CK techniques with minimal false positives.
🎯 Production-Ready Detections
All detection recipes include detailed threat descriptions, MITRE ATT&CK mappings, and recommended response actions. Enable only what you need for tailored security coverage with minimal alert fatigue.
📊 Detection Categories
Jibril's detection recipes are organized by attack vector for easy navigation and configuration:
📁 File Access Detections
Monitor and detect suspicious filesystem activities:
- 🔒 Unauthorized access to sensitive files
- ⚙️ Modification of system configurations
- 🔑 Credential file access
- 🗑️ Binary self-deletion
- 🐚 Shell configuration tampering
- 🖥️ System fingerprinting attempts
30+ detection recipes covering file-based threats
⚙️ Execution Detections
Identify suspicious process execution patterns:
- 🔗 Binaries executed through loaders
- ⚡ Code execution on-the-fly
- 📍 Unusual execution directories
- 👻 Hidden ELF executables
- 🌐 Web server shell spawning
- ⛏️ Cryptocurrency miner execution
- 🔧 Network tool abuse
25+ detection recipes tracking malicious execution
🌍 Network Peer Detections
Detect malicious network connections:
- 🚨 Threat domain access
- 🎣 Phishing domains
- 🔀 Algorithmic domain generation (DGA)
- ☁️ Cloud metadata access
- 🔐 VPN-like domain access
- 🆕 Newly registered domains
- 📡 Plaintext communication
15+ detection recipes for network threats
🎯 Detection Mechanisms
Each detection category leverages specialized monitoring mechanisms:
📁 File Access Monitoring
Complete visibility into filesystem interactions, capturing every file access across your infrastructure.
The system tracks which processes access specific files, monitors operations performed (read, write, execute, modify), and preserves full context including user identity, timing, and execution environment.
Key Features:
- Advanced kernel-level instrumentation
- Negligible performance overhead
- Full visibility into privileged processes
- Real-time detection
⚙️ Execution Monitoring
Comprehensive visibility into program execution, capturing detailed information about every binary that runs on your system.
The engine analyzes command-line arguments for malicious patterns, tracks execution chains through parent-child relationships, and evaluates critical context including user privileges, timing patterns, and environmental variables.
Key Features:
- Intercepts execution events at the source
- Captures short-lived processes
- Complete process ancestry
- Argument pattern analysis
🌍 Network Peer Monitoring
Comprehensive visibility into network communications, capturing every connection and building a complete picture of network activity.
The system maintains detailed records of all network flows, constructs sophisticated relationship graphs linking processes to connections, preserves complete DNS resolution chains, and analyzes network peer relationships to identify suspicious patterns.
Key Features:
- Minimal latency and zero packet loss
- Real-time connection visibility
- Encrypted traffic metadata analysis
- DNS resolution tracking
🛡️ MITRE ATT&CK Coverage
Jibril's detection recipes map to numerous MITRE ATT&CK techniques across multiple tactics:
File Access Detections
Tactics Covered:
- Credential Access
- Discovery
- Defense Evasion
- Persistence
- Privilege Escalation
Example Techniques:
- T1003 - OS Credential Dumping
- T1082 - System Information Discovery
- T1547 - Boot or Logon Autostart
- T1574 - Hijack Execution Flow
Execution Detections
Tactics Covered:
- Execution
- Defense Evasion
- Discovery
- Impact
Example Techniques:
- T1059 - Command and Scripting Interpreter
- T1055 - Process Injection
- T1496 - Resource Hijacking
- T1569 - System Services
Network Peer Detections
Tactics Covered:
- Command and Control
- Exfiltration
- Discovery
- Collection
Example Techniques:
- T1071 - Application Layer Protocol
- T1568 - Dynamic Resolution
- T1573 - Encrypted Channel
- T1048 - Exfiltration Over Alternative Protocol
📦 Detection Recipe Structure
Each built-in detection recipe includes comprehensive metadata:
📝 Description
Detailed explanation of:
- What the detection monitors
- Why it's a security concern
- Attack scenarios it detects
⚠️ Severity
Importance level:
- Critical - Immediate action required
- High - Prompt investigation
- Medium - Monitor and investigate
- Low - Informational
🔧 Custom Detection Recipes
Beyond the built-in library, you can create custom detection recipes tailored to your environment:
⚗️ Alchemies Framework
The Alchemies feature enables you to:
- Define custom detection logic using YAML
- Combine multiple conditions and patterns
- Leverage JavaScript for complex logic
- Create environment-specific detections
- Share recipes across teams