Execution Mechanism

Monitor and analyze all program execution activity on your system in real time, with full visibility into every process creation and command invocation.

Overview

Jibril records every executable run, capturing process lineage, arguments, and environment details, enabling deep, high-fidelity analysis to detect malicious activity early.

How It Works

Track Program Executions

Jibril monitors every execution event in the system, gathering rich details:

  • Executable path and name
  • Command-line arguments
  • Parent and child process information
  • Execution directory
  • Timestamp
  • User identity and privileges
  • Environment variables (for execution context)

Pattern and Contextual Analysis

All execution data is analyzed within the context of:

  • Historical process ancestry and chain of execution
  • Known-good and baseline behaviors
  • Threat intelligence for malicious patterns
  • Timing and frequency anomalies
  • Unusual or suspicious directory and invocation patterns

This approach enables identification of:

  • Unexpected launches of interpreters or shells
  • Execution from rarely used or temporary directories
  • Abnormal privilege escalations
  • Multi-stage attacks and living-off-the-land behavior

In-Kernel Processing

Using eBPF, Jibril runs its collection logic inside the kernel rather than polling from user space:

  • Hooks execution syscalls (e.g., execve)
  • Collects and processes data in kernel space
  • Ensures no event is missed, even for transient or evasive processes
  • Maintains high performance with negligible overhead

Use Cases

Detection Capabilities

Execution Control

  • Unauthorized or anomalous binary executions
  • Detection of hidden or memory-only executables
  • Prevention of execution from suspicious or temporary locations

Abuse of Security/Networking Tools

  • Network scanners (e.g., nmap, masscan)
  • Packet capture utilities (e.g., tcpdump, wireshark)
  • Offensive security frameworks (e.g., Metasploit, Cobalt Strike)
  • Man-in-the-middle tools (e.g., ettercap)

Credential Access and Abuse

  • Password utility usage (e.g., passwd, john, hashcat)
  • Credential dumping (e.g., mimikatz, lazagne)
  • Memory scanning and brute-forcing tools

Container and Runtime Attacks

  • Suspicious activity in container runtimes (e.g., runc)
  • Kubernetes administration tool abuse
  • Container escape attempts

Malicious Software

  • Cryptocurrency miners
  • DDoS and DoS tools
  • Backdoors and rootkits

Example Attack Detection

Examples of threats detected by execution monitoring:

  • Binaries executed through system loaders or memory without disk persistence
  • Obfuscated or encoded argument usage
  • Rapid or unusual process spawning
  • SUID/SGID binary execution for privilege escalation
  • Interpreter or shell spawning by unusual parents
  • Execution from hidden or nonstandard directories
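
The contextual analysis described above (process ancestry, a known-good baseline, timing anomalies, unusual directories) and several of the example detections in this list, carried out over a small constructed stream of execution events. This is an added illustration, not Jibril's own code, event format or rules: the record fields, the baseline allowlist of parents that are expected to spawn shells, the temporary-directory list and the burst threshold are all assumptions chosen for the example.

```python
import base64
import re
from collections import defaultdict

# --- Constructed sample event stream (not real Jibril output) -----------------
# One record per exec: timestamp, pid, parent pid, executable path, argv, cwd,
# real uid and effective uid. Field names are assumptions for this example.
ENCODED_ARG = base64.b64encode(b"hello from a constructed sample event").decode()
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 900, "ppid": 1, "exe": "/usr/sbin/sshd", "argv": ["sshd"], "cwd": "/", "uid": 0, "euid": 0},
    {"ts": 101.0, "pid": 901, "ppid": 900, "exe": "/bin/bash", "argv": ["-bash"], "cwd": "/home/ops", "uid": 1000, "euid": 1000},
    {"ts": 102.0, "pid": 902, "ppid": 901, "exe": "/usr/bin/ls", "argv": ["ls", "-l"], "cwd": "/home/ops", "uid": 1000, "euid": 1000},
    {"ts": 103.0, "pid": 903, "ppid": 901, "exe": "/usr/bin/python3", "argv": ["python3", "-c", ENCODED_ARG], "cwd": "/home/ops", "uid": 1000, "euid": 1000},
    {"ts": 200.0, "pid": 1000, "ppid": 1, "exe": "/usr/sbin/nginx", "argv": ["nginx"], "cwd": "/", "uid": 0, "euid": 0},
    {"ts": 200.1, "pid": 1001, "ppid": 1000, "exe": "/usr/sbin/nginx", "argv": ["nginx", "worker"], "cwd": "/", "uid": 33, "euid": 33},
    {"ts": 250.0, "pid": 1500, "ppid": 1001, "exe": "/bin/sh", "argv": ["sh", "-c", "id"], "cwd": "/tmp", "uid": 33, "euid": 33},
    {"ts": 250.2, "pid": 1501, "ppid": 1500, "exe": "/tmp/.x/run", "argv": ["run"], "cwd": "/tmp/.x", "uid": 33, "euid": 33},
    {"ts": 251.0, "pid": 1502, "ppid": 1500, "exe": "/usr/bin/passwd", "argv": ["passwd"], "cwd": "/tmp", "uid": 33, "euid": 0},
]
# A burst of twelve short-lived children of pid 1500 inside one second.
SAMPLE_EVENTS += [
    {"ts": 252.0 + i * 0.05, "pid": 1600 + i, "ppid": 1500, "exe": "/usr/bin/id",
     "argv": ["id"], "cwd": "/tmp", "uid": 33, "euid": 33}
    for i in range(12)
]

# --- Baseline and thresholds (constructed, not Jibril settings) ---------------
SHELLS_AND_INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/usr/bin/python3", "/usr/bin/perl"}
EXPECTED_SHELL_PARENTS = {"/usr/sbin/sshd", "/bin/bash", "/usr/bin/bash", "/bin/sh",
                          "/usr/sbin/cron", "/usr/bin/login", "/usr/bin/sudo", "/usr/bin/su"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
BURST_WINDOW = 1.0   # seconds
BURST_LIMIT = 10     # execs by one parent inside the window
ENCODED_ARG_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def build_process_table(events):
    """Index the most recent exec per pid so ancestry can be walked.
    Simplification: real pid reuse would need start-time keys as well."""
    return {ev["pid"]: ev for ev in events}


def lineage(pid, table):
    """Executable paths from pid up to the root, as far as the table knows."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid]["exe"])
        pid = table[pid]["ppid"]
    return chain


def is_temp_or_hidden(path):
    """True for executables under a temp directory or in any dot-directory."""
    if path.startswith(TEMP_DIRS):
        return True
    return any(part.startswith(".") for part in path.split("/") if part)


def analyze(events):
    """Apply the rules in timestamp order; return (rule, pid, detail) tuples."""
    table = build_process_table(events)
    findings = []
    recent_children = defaultdict(list)  # ppid -> exec timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        exe, pid, ppid = ev["exe"], ev["pid"], ev["ppid"]
        parent_exe = table[ppid]["exe"] if ppid in table else "<unknown>"

        # Interpreter or shell spawned by a parent outside the baseline.
        if exe in SHELLS_AND_INTERPRETERS and parent_exe not in EXPECTED_SHELL_PARENTS:
            findings.append(("shell_from_unusual_parent", pid,
                             f"{exe} spawned by {parent_exe}; lineage={' <- '.join(lineage(pid, table))}"))
        # Long base64-looking argument, a common sign of an encoded payload.
        if any(ENCODED_ARG_RE.fullmatch(arg) for arg in ev["argv"]):
            findings.append(("encoded_argument", pid, f"{exe} received a base64-like argument"))
        # Execution from a temporary or hidden directory.
        if is_temp_or_hidden(exe):
            findings.append(("exec_from_temp_or_hidden_dir", pid, exe))
        # Effective uid rose to root on exec: a setuid binary ran. Legitimate for
        # tools like passwd, so the lineage decides how suspicious it is.
        if ev["euid"] == 0 and ev["uid"] != 0:
            findings.append(("privilege_gain_via_setuid_exec", pid,
                             f"{exe} uid={ev['uid']} euid={ev['euid']}"))
        # Sliding-window count of execs per parent; fires when the count hits the limit.
        stamps = recent_children[ppid]
        stamps.append(ev["ts"])
        while stamps and ev["ts"] - stamps[0] > BURST_WINDOW:
            stamps.pop(0)
        if len(stamps) == BURST_LIMIT:
            findings.append(("rapid_process_spawning", ppid,
                             f"{len(stamps)} execs within {BURST_WINDOW}s by {parent_exe}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Run as a script, the sample stream produces five findings: the encoded `python3 -c` argument, `/bin/sh` spawned by an nginx worker with its full ancestry, the binary run from `/tmp/.x`, the setuid exec from that shell, and the spawning burst attributed to the shell's pid. Each rule alone is noisy (a setuid `passwd` from an interactive login is normal); the value comes from reading them against the lineage, which is the point of keeping ancestry in the event data.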

Detections