File Access Mechanism

Monitor and analyze all file access operations across the system in real-time with comprehensive visibility into every filesystem interaction.

Overview

Jibril tracks which processes access which files, monitors operations performed (read, write, execute, modify), and preserves full context including user identity, timing, and execution environment.

How It Works

Track File Operations

Jibril intercepts and logs every file operation in the system:

  • Opens, reads, writes, modifications, deletions
  • Permission changes
  • Exact file path and name
  • Timestamp of access
  • Process ID and name performing operation
  • User context
  • Type of operation
  • Amount of data read or written

Long-Tail Information

Jibril constructs a complete historical record of all file interactions. This "long tail" of information enables:

  • Temporal analysis of access patterns over time
  • Correlation between seemingly unrelated file operations
  • Detection of slow-moving or distributed attacks
  • Complete forensic reconstruction

Rather than sampling or filtering events, every file interaction is captured and stored.

Contextual Analysis Engine

File access patterns are analyzed within their full operational context:

  • Compare current access against historical baselines
  • Evaluate legitimacy based on process lineage and behavior
  • Correlate file operations with other system activities (network connections, process creations)
  • Identify anomalous access patterns deviating from normal behavior
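The following is an added illustration of the baseline-and-correlation idea described above; it is not Jibril's code and does not use Jibril's event format. It assumes a simplified, constructed record per file access (timestamp, PID, process name, UID, operation, path, bytes) and a matching record for outbound connections. A baseline of directories each process touched during a quiet period is built first; new events are then flagged when a process reaches into a directory it never used before, and the finding is enriched when the same PID opens a network connection shortly afterwards.

```python
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch
    pid: int
    comm: str      # process name
    uid: int
    op: str        # "read", "write", "unlink", ...
    path: str
    nbytes: int = 0


@dataclass(frozen=True)
class NetEvent:
    ts: float
    pid: int
    comm: str
    dst: str       # "ip:port" of the peer


# Constructed "quiet period" history used to learn what normal looks like.
HISTORY = [
    FileEvent(100.0, 4242, "nginx", 33, "read", "/etc/nginx/nginx.conf", 2048),
    FileEvent(101.0, 4242, "nginx", 33, "read", "/var/www/html/index.html", 512),
    FileEvent(102.0, 1300, "sshd", 0, "read", "/etc/ssh/sshd_config", 3100),
    FileEvent(103.0, 1300, "sshd", 0, "read", "/etc/passwd", 1800),
    FileEvent(104.0, 900, "cron", 0, "read", "/etc/crontab", 700),
]

# Constructed live events: one benign nginx read, one anomalous one, one benign sshd read.
LIVE = [
    FileEvent(1000.0, 4242, "nginx", 33, "read", "/var/www/html/about.html", 640),
    FileEvent(1001.0, 4242, "nginx", 33, "read", "/etc/shadow", 1400),
    FileEvent(1002.0, 1300, "sshd", 0, "read", "/etc/passwd", 1800),
]

# Constructed network event: the same nginx PID connects out shortly after the read.
NET = [NetEvent(1010.0, 4242, "nginx", "198.51.100.7:443")]


def build_baseline(history):
    """Map each process name to the set of directories it touched during the baseline window.

    Keying on process name alone is a simplification; a production baseline would
    also consider process lineage (parent chain) and user.
    """
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev.comm].add(os.path.dirname(ev.path))
    return baseline


def find_anomalies(baseline, events, net_events, window=30.0):
    """Return (event, reasons) for live events that deviate from the baseline.

    A deviation is a process touching a directory absent from its baseline. Each
    finding is enriched with a correlation flag if the same PID made an outbound
    connection within `window` seconds after the access.
    """
    findings = []
    for ev in events:
        reasons = []
        if os.path.dirname(ev.path) not in baseline.get(ev.comm, set()):
            reasons.append("directory never accessed by this process in baseline")
        if not reasons:
            continue
        if any(n.pid == ev.pid and 0.0 <= n.ts - ev.ts <= window for n in net_events):
            reasons.append("followed by outbound connection from same pid within window")
        findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_anomalies(build_baseline(HISTORY), LIVE, NET):
        print(f"{ev.comm}[{ev.pid}] {ev.op} {ev.path}: " + "; ".join(reasons))
```

With the constructed data only the nginx read of /etc/shadow is reported, carrying both reasons; the benign reads fall inside the learned baseline and produce nothing.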

Use Cases

Detection Capabilities

Access Control

  • Unauthorized access to sensitive files
  • Credential file monitoring
  • Authentication system access

Configuration Changes

  • System configuration tampering
  • Security policy modifications
  • Package manager changes

Reconnaissance

  • Fingerprinting activities
  • System enumeration
  • Information gathering

Malicious Activity

  • Malware persistence mechanisms
  • Binary self-deletion
  • Code manipulation

Use Cases

Privilege Escalation Detection

Monitor access to privilege-granting files:

  • Sudoers modifications
  • SUID/SGID binary creation
  • Capability modifications

Credential Theft Prevention

Detect unauthorized access to:

  • Credential stores
  • SSH keys and certificates
  • Authentication tokens
  • API keys and secrets

Compliance and Audit

Track access to sensitive data:

  • Complete audit trail
  • User attribution
  • Temporal analysis
  • Forensic investigation support

Malware Detection

Identify malicious filesystem activity:

  • Self-deletion attempts
  • Persistence mechanism installation
  • Code injection attempts
  • Hidden file creation

Detections