
Create Alchemies

YAML Recipe Definition

Learn how to create custom alchemies (detection recipes) in YAML format by following the examples below.

YAML Alchemy Structure

Detection recipes are defined in YAML files with the following structure:

```yaml
# Recipe definition
- kind: recipe_kind            # detection kind; several recipes may share one kind (see the two plaintext_communication recipes below)
  name: unique_recipe_name     # unique per recipe; this is the identifier that distinguishes recipes of the same kind
  enabled: true|false
  version: 1.0
  description: Brief description of what this detects
  documentation: |
    https://link.to.documentation

  # Classification fields
  breed: file_access|execution|remote_domains|...
  mechanism: file_access|execution|network_peers|...
  tactic: MITRE_ATTACK_tactic              # snake_case MITRE ATT&CK names, e.g. credential_access
  technique: MITRE_ATTACK_technique
  subtechnique: MITRE_ATTACK_subtechnique  # "" when the technique has no sub-technique
  importance: low|medium|high|critical

  # Noise reduction: each entry caps how often this recipe may fire per process, per executable, per ancestry, ...
  times:
    - kind: times_per_proc|times_per_exe|times_per_full_ancestry|...
      max: number

  # Additional filters
  arbitrary: [] # Advanced filtering rules (see "Advanced Filtering with Arbitrary Rules" below)

  # Type-specific fields (see below)
```
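
A recipe file is only as good as its fields, so the first thing worth having is a check that runs before the recipes are loaded. The following is an added example, not part of Jibril: it validates the parsed form of a recipe file against the structure documented above. Recipes are written here as Python dict literals (what `yaml.safe_load` returns for the YAML), so it runs without a YAML library. The allowed-value sets are collected only from the values this page shows and are therefore assumptions rather than the tool's full schema; the uniqueness rule (`name` unique, `kind` shareable) follows from the two `plaintext_communication` recipes further down.

```python
"""Schema check for Jibril alchemy (detection recipe) files.

Added example, not Jibril code. Enumerations below are assumed: they contain
only the values shown on the documentation page.
"""
import re

IMPORTANCE = {"low", "medium", "high", "critical"}
BREEDS = {"file_access", "execution", "remote_domains"}
MECHANISMS = {"file_access", "execution", "network_peers"}
TIMES_KINDS = {"times_per_proc", "times_per_exe",
               "times_per_full_ancestry", "times_per_parent_proc"}
FILE_ACTIONS_HOW = {"any", "all"}
DOMAIN_TYPES = {"suffix", "prefix"}
REQUIRED = ("kind", "name", "enabled", "version", "description",
            "breed", "mechanism", "tactic", "technique", "importance")
IDENT = re.compile(r"^[a-z][a-z0-9_]*$")


def validate_recipe(r):
    """Return a list of problems found in one recipe dict (empty list = ok)."""
    errs = []
    for k in REQUIRED:
        if k not in r:
            errs.append(f"missing field {k!r}")
    for k in ("kind", "name"):
        if k in r and not IDENT.match(str(r[k])):
            errs.append(f"{k} {r[k]!r} is not a snake_case identifier")
    if not isinstance(r.get("enabled"), bool):
        errs.append("enabled must be true or false")
    if r.get("importance") not in IMPORTANCE:
        errs.append(f"importance {r.get('importance')!r} not in {sorted(IMPORTANCE)}")
    if r.get("breed") not in BREEDS:
        errs.append(f"unknown breed {r.get('breed')!r}")
    if r.get("mechanism") not in MECHANISMS:
        errs.append(f"unknown mechanism {r.get('mechanism')!r}")
    for t in r.get("times", []):
        if t.get("kind") not in TIMES_KINDS:
            errs.append(f"unknown times kind {t.get('kind')!r}")
        if not isinstance(t.get("max"), int) or t["max"] < 1:
            errs.append("times.max must be a positive integer")
    mech = r.get("mechanism")
    if mech in ("file_access", "execution"):
        if not r.get("file_actions"):
            errs.append("file_actions is required for file_access/execution recipes")
        actions = str(r.get("file_actions", "")).split("|")
        if r.get("file_actions_how", "any") not in FILE_ACTIONS_HOW:
            errs.append("file_actions_how must be any or all")
        if mech == "execution" and "execve" not in actions:
            errs.append("execution recipes must include execve in file_actions")
        has_single = any(k in r for k in ("base", "dir", "regex"))
        if not has_single and not r.get("bases"):
            errs.append("no file pattern: give base/dir/regex or a bases list")
        for b in r.get("bases", []):
            if not (b.get("base") or b.get("regex")):
                errs.append(f"bases entry {b!r} needs base or regex")
            if "regex" in b:
                try:
                    re.compile(b["regex"])
                except re.error as e:
                    errs.append(f"bad regex {b['regex']!r}: {e}")
    elif mech == "network_peers":
        if r.get("remote_domains_type") not in DOMAIN_TYPES:
            errs.append("remote_domains_type must be suffix or prefix")
        if not r.get("remote_domains"):
            errs.append("remote_domains list is empty")
    return errs


def validate_file(recipes):
    """Validate a whole file: `name` must be unique, `kind` may repeat."""
    problems, seen = {}, set()
    for r in recipes:
        errs = validate_recipe(r)
        n = r.get("name")
        if n in seen:
            errs.append(f"duplicate recipe name {n!r}")
        seen.add(n)
        if errs:
            problems[n] = errs
    return problems


# Constructed input modelled on the execution example on this page, with two
# defects injected: file_actions lacks execve and importance is misspelled.
SAMPLE = [
    {"kind": "suspicious_tool_execution", "name": "suspicious_tool_execution",
     "enabled": True, "version": 1.0, "description": "Detects execution of suspicious tools",
     "breed": "file_access", "mechanism": "execution", "tactic": "discovery",
     "technique": "network_service_discovery", "subtechnique": "",
     "importance": "medum", "times": [{"kind": "times_per_parent_proc", "max": 3}],
     "file_actions": "read_related", "file_actions_how": "any",
     "bases": [{"base": "nmap"}, {"base": "masscan"}]},
]

if __name__ == "__main__":
    for name, errs in validate_file(SAMPLE).items():
        print(name, errs)
```

Running it reports both injected defects for `suspicious_tool_execution`; correct them and the recipe validates clean, while loading the same recipe twice is caught as a duplicate `name`.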
File Access Detection Mechanism Example

For detecting file access patterns:


```yaml
- kind: sensitive_file_access
  name: sensitive_file_access
  enabled: true
  version: 1.0
  description: Detects access to sensitive system files
  documentation: |
    https://docs.example.com/sensitive_file_access
  breed: file_access
  mechanism: file_access
  tactic: credential_access
  technique: unsecured_credentials      # T1552: reading /etc/shadow or SSH keys is not T1555 (password stores)
  subtechnique: credentials_in_files    # T1552.001; the SSH key patterns below fit private_keys (T1552.004)
  importance: high

  # Noise reduction
  times:
    - kind: times_per_proc
      max: 5
    - kind: times_per_exe
      max: 10

  # File actions to monitor (the | lists the alternatives; pick the ones you need)
  file_actions: read_related|write_related|modify_related
  file_actions_how: any|all
  file_actions_excl: mmap # Optional: exclude specific actions

  # File patterns: either a single pattern ...
  base: shadow # Simple filename
  dir: /etc # Directory path
  regex: .*\.key$ # Regex pattern

  # ... or a list of patterns (dots escaped so ".ssh" does not match "assh")
  bases:
    - base: passwd
      dir: /etc
    - base: shadow
      dir: /etc
    - regex: /home/[^/]+/\.ssh/id_rsa$
    - regex: /root/\.ssh/.*$
```
Execution Detection Mechanism Example

For detecting process execution patterns:


```yaml
- kind: suspicious_tool_execution
  name: suspicious_tool_execution
  enabled: true
  version: 1.0
  description: Detects execution of network and web scanning tools
  documentation: |
    https://docs.example.com/suspicious_tools
  breed: file_access
  mechanism: execution
  tactic: discovery
  technique: network_service_discovery  # T1046: these tools probe remote hosts, not the local network configuration (T1016)
  subtechnique: ""                       # T1046 has no sub-techniques
  importance: medium

  times:
    - kind: times_per_parent_proc
      max: 3

  # Must include execve for execution detection
  file_actions: execve
  file_actions_how: any

  # Executables to monitor (matched by filename, so a renamed copy of nmap is not caught)
  bases:
    - base: nmap
    - base: masscan
    - base: zmap
    - base: nikto
    - base: dirb
    - base: gobuster
```
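
The two recipes above share the same matching machinery: a file action, a set of path patterns (`base`/`dir`/`regex` or a `bases` list) and `times` counters that silence repeats. The following added example (not Jibril code) drives one plausible interpretation of those fields over constructed file and execve events, for both the sensitive-file recipe and the scanner-execution recipe. The event shape, the counter keys (pid for `times_per_proc`, executable path for `times_per_exe`, parent pid for `times_per_parent_proc`) and the rule that every counter is checked before any is incremented are assumptions made for the example.

```python
"""Matcher for file_access / execution recipes with `times` noise reduction.

Added example, not Jibril code; event shape and counter semantics are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from posixpath import basename, dirname


@dataclass(frozen=True)
class FileEvent:
    pid: int      # process emitting the event
    ppid: int     # its parent process
    exe: str      # executable image of the emitting process
    action: str   # e.g. "read_related", "execve"
    path: str     # file accessed, or binary executed


# Which event attribute each `times` kind counts on (assumed).
TIMES_KEY = {
    "times_per_proc": lambda e: e.pid,
    "times_per_exe": lambda e: e.exe,
    "times_per_parent_proc": lambda e: e.ppid,
}


def pattern_matches(p, path):
    """One pattern entry: regex, or base and/or dir (both must hold if both given)."""
    if "regex" in p:
        return re.search(p["regex"], path) is not None
    if "base" in p and basename(path) != p["base"]:
        return False
    if "dir" in p and dirname(path) != p["dir"]:
        return False
    return "base" in p or "dir" in p


def recipe_patterns(recipe):
    """Fold the single-pattern fields and the `bases` list into one list."""
    single = {k: recipe[k] for k in ("base", "dir", "regex") if k in recipe}
    return ([single] if single else []) + list(recipe.get("bases", []))


def action_matches(recipe, action):
    wanted = set(str(recipe.get("file_actions", "")).split("|"))
    excluded = set(str(recipe.get("file_actions_excl", "")).split("|"))
    return action in wanted and action not in excluded


class Detector:
    """Evaluate one recipe over an event stream, applying every `times` cap."""

    def __init__(self, recipe):
        self.recipe = recipe
        self.patterns = recipe_patterns(recipe)
        self.limits = {t["kind"]: t["max"] for t in recipe.get("times", [])}
        self.counters = {k: Counter() for k in self.limits}

    def feed(self, ev):
        """Return True when the event should raise an alert."""
        if not action_matches(self.recipe, ev.action):
            return False
        if not any(pattern_matches(p, ev.path) for p in self.patterns):
            return False
        # All counters must be under their max; then all are incremented, so a
        # cap on any one dimension is enough to silence repeats.
        for kind, limit in self.limits.items():
            if self.counters[kind][TIMES_KEY[kind](ev)] >= limit:
                return False
        for kind in self.limits:
            self.counters[kind][TIMES_KEY[kind](ev)] += 1
        return True


def run(recipe, events):
    d = Detector(recipe)
    return [ev.path for ev in events if d.feed(ev)]


# Constructed recipes, modelled on the two examples above but with small caps.
SENSITIVE = {"file_actions": "read_related",
             "times": [{"kind": "times_per_proc", "max": 2}],
             "bases": [{"base": "shadow", "dir": "/etc"},
                       {"regex": r"/home/[^/]+/\.ssh/id_rsa$"}]}
SCANNER = {"file_actions": "execve",
           "times": [{"kind": "times_per_parent_proc", "max": 1}],
           "bases": [{"base": "nmap"}, {"base": "masscan"}]}

EVENTS = [  # constructed
    FileEvent(100, 1, "/usr/bin/cat", "read_related", "/etc/shadow"),
    FileEvent(100, 1, "/usr/bin/cat", "read_related", "/etc/shadow"),
    FileEvent(100, 1, "/usr/bin/cat", "read_related", "/etc/shadow"),  # third read: capped
    FileEvent(101, 1, "/usr/bin/cat", "read_related", "/etc/passwd"),  # not a pattern here
    FileEvent(102, 1, "/usr/bin/cp", "read_related", "/home/bob/.ssh/id_rsa"),
    FileEvent(103, 1, "/usr/bin/cp", "read_related", "/home/bob/.ssh/id_rsa.pub"),  # $ anchor
    FileEvent(200, 50, "/bin/sh", "execve", "/usr/bin/nmap"),
    FileEvent(201, 50, "/bin/sh", "execve", "/usr/bin/masscan"),  # same parent: capped
    FileEvent(202, 60, "/bin/sh", "execve", "/usr/bin/nmap"),
]

if __name__ == "__main__":
    print(run(SENSITIVE, EVENTS))
    print(run(SCANNER, EVENTS))
```

Note what the caps do to the scanner recipe: with `times_per_parent_proc: 1` the second tool launched from the same shell is silenced even though it is a different binary, which is the trade-off a low `max` buys you. Tune `max` against how the recipe's `times` kinds key the counter, not against alert volume alone.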
Network Peer Detection Mechanism Example

For detecting network communication patterns:

```yaml
#
# Plaintext communication.
#

# Plaintext communication (suffix).

- kind: plaintext_communication
  name: plaintext_communication_suffix
  enabled: false
  version: 1.0
  description: Access to pastebin services
  documentation: |
    https://garnet.gitbook.io/jibril/detections/network-peers/plaintext_communication
  breed: remote_domains
  mechanism: network_peers
  tactic: command_and_control
  technique: application_layer_protocol
  subtechnique: web_protocols
  importance: critical
  times:
    - kind: times_per_proc
      max: 2
    - kind: times_per_exe
      max: 4
    - kind: times_per_full_ancestry
      max: 4
  arbitrary: []
  flow_actions:
    - ingress
    - egress
  flow_actions_how: any
  remote_domains_type: suffix
  remote_domains:
    - pastebin.com

# Plaintext communication (prefix).
- kind: plaintext_communication
  name: plaintext_communication_prefix
  enabled: false
  version: 1.0
  description: Access to pastebin services
  documentation: |
    https://garnet.gitbook.io/jibril/detections/network-peers/plaintext_communication
  breed: remote_domains
  mechanism: network_peers
  tactic: command_and_control
  technique: application_layer_protocol
  subtechnique: web_protocols
  importance: critical
  times:
    - kind: times_per_proc
      max: 2
    - kind: times_per_exe
      max: 4
    - kind: times_per_full_ancestry
      max: 4
  arbitrary: []
  flow_actions:
    - ingress
    - egress
  flow_actions_how: any
  remote_domains_type: prefix
  remote_domains:
    - www.paste
```
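
The two recipes differ only in `remote_domains_type`, and the difference matters more than it looks. The added example below (not Jibril code) implements `suffix` and `prefix` matching plus the `flow_actions` direction filter over constructed flows, and contrasts a plain string suffix with a DNS-label-anchored one: as a bare string suffix, `pastebin.com` also matches `notpastebin.com`. Whether Jibril anchors at a label boundary is not stated on this page, so the example implements both and defaults to the anchored form; the flow tuple shape is an assumption.

```python
"""Remote-domain matching for network_peers recipes: suffix vs prefix.

Added example, not Jibril code. Flow shape (direction, remote domain) is assumed.
"""


def normalise(domain):
    """Lower-case and drop a trailing dot so 'Pastebin.COM.' equals 'pastebin.com'."""
    return domain.strip().lower().rstrip(".")


def suffix_match(domain, suffix, label_anchored=True):
    """Anchored: equal, or ends with '.' + suffix. Unanchored: plain endswith."""
    d, s = normalise(domain), normalise(suffix)
    if d == s:
        return True
    return d.endswith("." + s) if label_anchored else d.endswith(s)


def prefix_match(domain, prefix):
    return normalise(domain).startswith(normalise(prefix))


def recipe_matches(recipe, flow):
    """True when the flow direction is listed and the domain matches any entry."""
    direction, domain = flow
    if direction not in recipe.get("flow_actions", []):
        return False
    kind = recipe["remote_domains_type"]
    for wanted in recipe["remote_domains"]:
        if kind == "suffix" and suffix_match(domain, wanted):
            return True
        if kind == "prefix" and prefix_match(domain, wanted):
            return True
    return False


def matches(recipe, flows):
    return [f for f in flows if recipe_matches(recipe, f)]


# Constructed recipes: the two above, reduced to the fields the matcher reads.
SUFFIX_RECIPE = {"flow_actions": ["ingress", "egress"],
                 "remote_domains_type": "suffix", "remote_domains": ["pastebin.com"]}
PREFIX_RECIPE = {"flow_actions": ["egress"],
                 "remote_domains_type": "prefix", "remote_domains": ["www.paste"]}

FLOWS = [  # constructed (direction, remote domain) pairs
    ("egress", "pastebin.com"),
    ("egress", "WWW.pastebin.com."),   # case and trailing dot normalised
    ("egress", "notpastebin.com"),     # only an unanchored suffix match
    ("ingress", "www.pastebin.com"),
    ("egress", "www.pastebin.org"),    # prefix recipe only
    ("ingress", "www.pastebin.org"),   # prefix recipe is egress-only
]

if __name__ == "__main__":
    print(matches(SUFFIX_RECIPE, FLOWS))
    print(matches(PREFIX_RECIPE, FLOWS))
```

The prefix form is deliberately broad (`www.paste` catches `www.pastebin.org` and anything else starting that way); keep prefix recipes short-listed and disabled until tuned, as the page's own examples are.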

Advanced Filtering with Arbitrary Rules

The arbitrary field allows complex filtering based on process attributes. Each entry is a group of items combined with how; each item tests one attribute (what) with exactly one of the comparison fields:


Quick Reference
```yaml
arbitrary:
  - how: AND|OR                     # how the items of this group combine
    which: pertinent|irrelevant     # pertinent: a match is of interest; irrelevant: a match is not
    items:
      - what: exe|comm|cmd|args|uid|pid|parent_exe|...   # process attribute to test
        which: pertinent|irrelevant
        pattern: "regex_pattern"    # one comparison per item: pattern, number, numbers, time or cidr
        number: 1000
        numbers: [1000, 1001, 1002]
        time: "2024-01-01T00:00:00Z"
        cidr: "192.168.1.0/24"
        when: smaller|bigger|equal  # comparison operator for number and time
```
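
The quick reference lists the fields but not how they combine, so here is an added example (not Jibril code) that evaluates an `arbitrary` rule set against constructed process attributes under a stated interpretation: each item compares one attribute using whichever of pattern / number / numbers / time / cidr it carries, with `when` applied to number and time; items combine with `how`; `which: pertinent` keeps the event when the group matches and `which: irrelevant` drops it when the group matches; an item-level `which: irrelevant` inverts that item; an event survives when every group keeps it. All of that, and the attribute names `remote_ip` and `start_time` (the page's `what` list ends in an ellipsis), are assumptions of the example.

```python
"""Evaluator for `arbitrary` filter groups. Added example, not Jibril code;
the combination semantics are the interpretation stated in the lead-in."""
import ipaddress
import re
from datetime import datetime


def _compare(lhs, rhs, when):
    return {"smaller": lhs < rhs, "bigger": lhs > rhs, "equal": lhs == rhs}[when]


def parse_time(s):
    """Accept the page's '2024-01-01T00:00:00Z' form as an aware datetime."""
    return datetime.fromisoformat(str(s).replace("Z", "+00:00"))


def _raw_match(item, value):
    if "pattern" in item:
        return re.search(item["pattern"], str(value)) is not None
    if "numbers" in item:
        return int(value) in item["numbers"]
    if "number" in item:
        return _compare(int(value), item["number"], item.get("when", "equal"))
    if "cidr" in item:
        return ipaddress.ip_address(value) in ipaddress.ip_network(item["cidr"], strict=False)
    if "time" in item:
        return _compare(parse_time(value), parse_time(item["time"]), item.get("when", "equal"))
    raise ValueError(f"item carries no comparison field: {item}")


def item_matches(item, attrs):
    """One item; a missing attribute never matches, `which: irrelevant` inverts."""
    value = attrs.get(item["what"])
    if value is None:
        return False
    hit = _raw_match(item, value)
    return hit if item.get("which", "pertinent") == "pertinent" else not hit


def group_keeps(group, attrs):
    results = [item_matches(i, attrs) for i in group["items"]]
    matched = all(results) if group["how"] == "AND" else any(results)
    return matched if group["which"] == "pertinent" else not matched


def event_kept(arbitrary, attrs):
    return all(group_keeps(g, attrs) for g in arbitrary)


def kept(rules, events):
    """Indices of the events that pass every group."""
    return [i for i, e in enumerate(events) if event_kept(rules, e)]


# Constructed rule set: keep non-root processes spawned by a shell, but treat
# the (assumed) backup account uid 1500 and the management network as noise.
RULES = [
    {"how": "AND", "which": "pertinent", "items": [
        {"what": "uid", "which": "pertinent", "number": 0, "when": "bigger"},
        {"what": "parent_exe", "which": "pertinent", "pattern": r"/(ba)?sh$"},
    ]},
    {"how": "OR", "which": "irrelevant", "items": [
        {"what": "uid", "which": "pertinent", "numbers": [1500]},
        {"what": "remote_ip", "which": "pertinent", "cidr": "10.10.0.0/16"},
    ]},
]

EVENTS = [  # constructed process attribute sets
    {"uid": 1000, "parent_exe": "/bin/bash", "remote_ip": "203.0.113.7"},        # kept
    {"uid": 0, "parent_exe": "/bin/bash", "remote_ip": "203.0.113.7"},           # root
    {"uid": 1000, "parent_exe": "/usr/bin/python3", "remote_ip": "203.0.113.7"},  # no shell parent
    {"uid": 1500, "parent_exe": "/bin/sh", "remote_ip": "203.0.113.7"},          # backup account
    {"uid": 1000, "parent_exe": "/bin/sh", "remote_ip": "10.10.4.2"},            # management net
]

if __name__ == "__main__":
    print(kept(RULES, EVENTS))
```

One design point worth copying into real recipes: a missing attribute never matches, so an `irrelevant` group cannot accidentally suppress an event just because the field it keys on was absent from the event.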