Built-in Alchemies

Alchemies is just a name for Detection Recipes in YAML format.

Public Alchemies Repository

Public Alchemies Repository

Why Public Alchemies ?

• Reference Examples: Learn how to write custom alchemies
• Starting Templates: Modify existing recipes for your environment
• Direct Deployment: Deploy recipes as-is in your Jibril configuration
• Community Contributions: Submit your own recipes to help others

Why Private Alchemies?

The reason private alchemies are private is to:

• maintain competitive advantage in threat detection
• protect proprietary threat intelligence sources
• prevent adversaries from ingesting detection logic

End users are free to use all private alchemies, despite the fact that their YAML source code is not publicly available.

File Access Mechanism

Public Recipes

• binary_self_deletion - Binary deleting itself after execution
• capabilities_modification - Linux capabilities changes
• code_modification_through_procfs - Process memory manipulation via /proc
• core_pattern_access - Core dump pattern configuration access
• cpu_fingerprint - CPU information enumeration
• filesystem_fingerprint - Filesystem enumeration and discovery
• global_shlib_modification - System-wide shared library tampering
• java_debug_lib_load - Java debugging library loading
• java_instrument_lib_load - Java instrumentation library loading
• machine_fingerprint - Hardware and machine identification
• os_fingerprint - Operating system enumeration
• os_network_fingerprint - Network configuration discovery
• os_status_fingerprint - System status information gathering
• package_repo_config_modification - Package repository configuration changes
• pam_config_modification - PAM authentication configuration tampering
• sched_debug_access - Kernel scheduler debugging interface access
• shell_config_modification - Shell configuration file changes
• sysrq_access - SysRq kernel interface access
• unprivileged_bpf_config_access - Unprivileged BPF configuration access

Private Recipes

• auth_logs_tamper - Authentication log tampering
• credentials_files_access - Credential file access (SSH keys, passwords)
• crypto_miner_files - Cryptocurrency miner file operations
• environ_read_from_procfs - Environment variable extraction from /proc
• ssl_certificate_access - SSL/TLS certificate and private key access
• sudoers_modification - Sudoers privilege configuration changes

Execution Mechanism

Public Recipes

• data_encoder_exec - Data encoding tool execution (base64, etc.)
• hidden_elf_exec - Execution of hidden ELF binaries
• passwd_usage - Password utility execution

Private Recipes

• binary_executed_by_loader - Binary executed through system loader
• code_on_the_fly - Dynamic code generation and execution
• credentials_text_lookup - Credential search utilities
• crypto_miner_execution - Cryptocurrency miner execution
• denial_of_service_tools - DoS/DDoS tool execution
• exec_from_unusual_dir - Execution from /tmp or hidden directories
• file_attribute_change - File attribute modification utilities
• interpreter_shell_spawn - Shell spawned from interpreter (PHP, Python, etc.)
• net_filecopy_tool_exec - Network file copy tool execution
• net_mitm_tool_exec - Man-in-the-middle tool execution
• net_scan_tool_exec - Network scanning tool execution (nmap, masscan)
• net_sniff_tool_exec - Network sniffing tool execution (tcpdump, wireshark)
• net_suspicious_tool_exec - Suspicious network tool execution
• net_suspicious_tool_shell - Shell spawned by network tools
• runc_suspicious_exec - Suspicious runc container runtime execution
• webserver_exec - Web server executing suspicious commands
• webserver_shell_exec - Web server spawning shell

Network Peer Mechanism

Public Recipes

Currently, all network peer alchemies are private to maintain competitive advantage in threat intelligence.

Private Recipes

• adult_domain_access - Adult content domain access
• badware_domain_access - Malware distribution domain access
• cloud_metadata_access - Cloud metadata service queries (169.254.169.254)
• dyndns_domain_access - Dynamic DNS domain access
• fake_domain_access - Fake or impersonation domain access
• gambling_domain_access - Gambling website access
• piracy_domain_access - Piracy domain access
• plaintext_communication - Unencrypted protocol usage (HTTP, FTP, Telnet)
• threat_domain_access - Known threat actor infrastructure
• tracking_domain_access - Tracking and analytics domain access
• vpnlike_domain_access - VPN/proxy service domain access

Env Variables Mechanism

Public Recipes

Currently, all environment variable alchemies are private.

Private Recipes

• dynamic_linker_attacks - Dynamic linker attacks