Detection Mechanisms

Jibril uses eBPF programs attached inside the Linux kernel to observe system behavior and collect security-relevant data. Together these mechanisms give visibility into file access, process execution, and network activity, all with minimal performance impact.
In-Kernel Intelligence
All monitoring logic runs inside the kernel as eBPF programs, so events are collected and evaluated where they originate instead of being copied to user space one by one. That removes the per-event context switch and gives real-time detection. The project reports sub-microsecond detection latency and CPU overhead that stays below 2% regardless of workload; as with any eBPF agent, the cost on a given host follows the event rate it observes, so measure it on your own workload.
Core Mechanisms
Jibril's detection engine is built on several specialized monitoring mechanisms:
eBPF Foundation
Kernel-level monitoring using eBPF programs to collect data with minimal performance impact.
Key Features:
- Query-driven architecture
- In-kernel data storage
- Zero event loss
- Efficient memory usage
File Access Monitoring
Track filesystem operations including reads, writes, modifications, and deletions.
Detection Capabilities:
- Suspicious file access patterns
- Unauthorized access attempts
- Configuration file tampering
- Credential file monitoring
Execution Tracking
Monitor process creation, execution, and termination with full ancestry tracking.
Detection Capabilities:
- Unusual execution patterns
- Hidden process execution
- Code injection attempts
- Malicious tool execution
Loader Interception
Intercept dynamic loader activity to catch execution that bypasses the normal exec path, such as invoking ld.so directly on a binary.
Detection Capabilities:
- Direct loader execution
- Hidden ELF execution
- Library injection
- Code-on-the-fly
Network Monitoring
Track network connections, DNS resolutions, and data flows with complete context.
Detection Capabilities:
- Malicious domain access
- C2 communication
- Data exfiltration
- Network policy enforcement
Probes and Traces
Monitor kernel introspection tools to detect sophisticated attacks and rootkits.
Detection Capabilities:
- eBPF program loading
- Perf event monitoring
- Ftrace usage detection
- Kernel modification attempts
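The following is an added example, not Jibril's own code, showing how the probe-and-trace recipes above translate into checks on syscall arguments: bpf(BPF_PROG_LOAD), perf_event_open on tracepoints or dynamic PMUs (kprobe, uprobe), writes under tracefs, and module loading. It runs in user space over constructed syscall events; the agent path in TRUSTED_EXES and the event shape are assumptions, the numeric constants come from the kernel UAPI headers.

```python
"""Added example, not Jibril's own code: probe-and-trace recipes applied to
constructed syscall events, with the monitoring agent itself allowlisted."""
from dataclasses import dataclass, field

# Constants from the kernel UAPI headers.
BPF_PROG_LOAD = 5            # enum bpf_cmd, include/uapi/linux/bpf.h
PERF_TYPE_TRACEPOINT = 2     # enum perf_type_id, include/uapi/linux/perf_event.h
PERF_TYPE_MAX = 6            # dynamic PMUs (kprobe, uprobe, ...) get ids >= this
O_ACCMODE = 0o3              # mask selecting O_RDONLY / O_WRONLY / O_RDWR

TRACEFS_ROOTS = ("/sys/kernel/tracing/", "/sys/kernel/debug/tracing/")
# Binaries expected to use these interfaces. The path is an assumption; the
# point is that the monitoring agent must not flag its own eBPF loads.
TRUSTED_EXES = {"/opt/agent/bin/agent"}


@dataclass
class Syscall:
    pid: int
    exe: str
    name: str
    args: dict = field(default_factory=dict)


def classify(sc: Syscall):
    """Return the recipe name this syscall triggers, or None."""
    if sc.name == "bpf" and sc.args.get("cmd") == BPF_PROG_LOAD:
        return "ebpf_program_loading"
    if sc.name == "perf_event_open":
        ptype = sc.args.get("type", -1)
        # Tracepoints plus any dynamic PMU: kprobes and uprobes attach this way.
        if ptype == PERF_TYPE_TRACEPOINT or ptype >= PERF_TYPE_MAX:
            return "perf_event_monitoring"
    if sc.name in ("open", "openat"):
        path, flags = sc.args.get("path", ""), sc.args.get("flags", 0)
        writing = (flags & O_ACCMODE) != 0
        if writing and path.startswith(TRACEFS_ROOTS):
            return "ftrace_usage"          # e.g. kprobe_events, set_ftrace_filter
        if writing and path in ("/dev/mem", "/dev/kmem"):
            return "kernel_modification_attempt"
    if sc.name in ("init_module", "finit_module"):
        return "kernel_modification_attempt"
    return None


def analyze(syscalls) -> list:
    """(pid, exe, recipe) for every non-allowlisted hit, in event order."""
    findings = []
    for sc in syscalls:
        hit = classify(sc)
        if hit and sc.exe not in TRUSTED_EXES:
            findings.append((sc.pid, sc.exe, hit))
    return findings


# Constructed sample events (not captured from a real host).
SAMPLE_SYSCALLS = [
    Syscall(900, "/opt/agent/bin/agent", "bpf", {"cmd": BPF_PROG_LOAD}),
    Syscall(901, "/tmp/rk", "bpf", {"cmd": BPF_PROG_LOAD}),
    Syscall(901, "/tmp/rk", "perf_event_open", {"type": PERF_TYPE_TRACEPOINT, "config": 1234}),
    Syscall(901, "/tmp/rk", "perf_event_open", {"type": 9, "config": 0}),  # dynamic PMU id
    Syscall(902, "/usr/bin/bash", "openat",
            {"path": "/sys/kernel/tracing/kprobe_events", "flags": 0o2001}),  # O_WRONLY|O_APPEND
    Syscall(902, "/usr/bin/bash", "openat", {"path": "/sys/kernel/tracing/trace", "flags": 0}),
    Syscall(903, "/usr/sbin/insmod", "finit_module", {"fd": 3}),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_SYSCALLS):
        print(finding)
```

Two things to check before relying on such rules: reads of tracefs are deliberately ignored (only opens for writing register probes), and an allowlist keyed on the executable path is only as strong as the integrity of that path, so tie it to the agent's own process identity rather than a string a rootkit can reuse.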
Detection Coverage
Jibril's mechanisms enable comprehensive detection across three main categories:
File Access Detection Recipes
Security Files:
- Capabilities modification
- Credentials access
- SSL certificates
- SSH key access
System Configuration:
- PAM configuration
- Sudoers files
- Shell configuration
- Package repositories
Fingerprinting:
- CPU detection
- Filesystem analysis
- Machine identification
- OS fingerprinting
Code Modification:
- Procfs manipulation
- Core pattern access
- Shared library tampering
- Binary self-deletion
Java Security:
- Debug library loading
- Instrument library loading
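The example below is added here and is not Jibril's own code. It shows the shape of the file-access recipes above (and of the File Access Monitoring mechanism) as user-space logic over constructed file-access events: the path is normalized, matched against per-recipe glob tables, write-only recipes ignore plain reads, and binary self-deletion is detected by comparing the unlinked path with the caller's own executable. The pattern lists and the event fields are assumptions chosen for illustration.

```python
"""Added example, not Jibril's own code: user-space stand-in for the file-access
recipes listed above, run over constructed file-access events."""
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass
class FileEvent:
    pid: int
    comm: str
    exe: str   # executable of the accessing process
    path: str  # path as passed to the syscall
    op: str    # "read", "write" or "unlink"


# Recipe tables keyed by the categories above. Glob patterns are assumptions
# chosen for illustration; the project's own path lists may differ.
RECIPES = {
    "security_files": {
        "credentials_access": ["/etc/shadow", "/etc/gshadow"],
        "ssh_key_access": ["/root/.ssh/id_*", "/home/*/.ssh/id_*"],
        "ssl_certificates": ["/etc/ssl/private/*"],
        "capabilities_modification": ["/etc/security/capability.conf"],
    },
    "system_configuration": {
        "pam_configuration": ["/etc/pam.conf", "/etc/pam.d/*"],
        "sudoers_files": ["/etc/sudoers", "/etc/sudoers.d/*"],
        "shell_configuration": ["/etc/profile", "/etc/bash.bashrc", "/home/*/.bashrc"],
        "package_repositories": ["/etc/apt/sources.list*", "/etc/yum.repos.d/*"],
    },
    "fingerprinting": {
        "cpu_detection": ["/proc/cpuinfo"],
        "machine_identification": ["/etc/machine-id", "/sys/class/dmi/id/product_uuid"],
        "os_fingerprinting": ["/etc/os-release", "/proc/version"],
        "filesystem_analysis": ["/proc/mounts", "/proc/self/mountinfo"],
    },
    "code_modification": {
        "procfs_manipulation": ["/proc/*/mem"],
        "core_pattern_access": ["/proc/sys/kernel/core_pattern"],
        "shared_library_tampering": ["/etc/ld.so.preload", "/etc/ld.so.conf.d/*"],
    },
    "java_security": {
        "debug_library_loading": ["*/libjdwp.so"],
        "instrument_library_loading": ["*/libinstrument.so"],
    },
}

# Recipes that only matter when the file is changed: reading sudoers or
# pam.d is routine for sudo and sshd, writing them is not (assumed split).
WRITE_ONLY = {
    "capabilities_modification", "pam_configuration", "sudoers_files",
    "shell_configuration", "package_repositories", "procfs_manipulation",
    "core_pattern_access", "shared_library_tampering",
}


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so '/etc/../etc//shadow' hits the
    same recipe as '/etc/shadow'. Symlinks are not resolved here: an in-kernel
    collector sees the resolved path, this offline stand-in does not."""
    return posixpath.normpath(path)


def match_recipes(ev: FileEvent) -> list:
    """Return (category, recipe) pairs triggered by one event."""
    path = normalize(ev.path)
    hits = []
    for category, recipes in RECIPES.items():
        for name, patterns in recipes.items():
            if name in WRITE_ONLY and ev.op == "read":
                continue
            if any(fnmatch.fnmatchcase(path, p) for p in patterns):
                hits.append((category, name))
    # Self-deletion: the process unlinks the binary it is running from.
    if ev.op == "unlink" and path == normalize(ev.exe):
        hits.append(("code_modification", "binary_self_deletion"))
    return hits


def scan(events) -> list:
    """Flatten findings to (pid, comm, category, recipe) tuples."""
    return [(ev.pid, ev.comm, cat, name) for ev in events for cat, name in match_recipes(ev)]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    FileEvent(4211, "cat", "/usr/bin/cat", "/etc/../etc//shadow", "read"),
    FileEvent(4212, "vi", "/usr/bin/vi", "/etc/sudoers.d/90-cloud-init", "write"),
    FileEvent(4213, "sshd", "/usr/sbin/sshd", "/etc/pam.d/sshd", "read"),
    FileEvent(4214, "dropper", "/tmp/dropper", "/tmp/dropper", "unlink"),
    FileEvent(4215, "java", "/usr/bin/java", "/usr/lib/jvm/java-17/lib/libjdwp.so", "read"),
    FileEvent(4216, "gdb", "/usr/bin/gdb", "/proc/4100/mem", "write"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Note that the sshd read of /etc/pam.d/sshd produces nothing: distinguishing read from write is what keeps configuration recipes from firing on every login. Path normalization handles "..", but not symlinks or bind mounts, which is one reason the real collector works from the kernel's resolved path rather than the string the caller passed.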
Execution Detection Recipes
Binary Execution:
- Loader-based execution
- Hidden ELF files
- Unusual directory execution
Code Execution:
- Code-on-the-fly
- Interpreter shell spawning
- Code injection
Network Tools:
- File copy tools
- MITM tools
- Scanning tools
- Sniffing tools
Credential Access:
- Text-based lookup
- Password usage
- Memory scanning
Suspicious Activity:
- DoS tool execution
- Crypto miners
- Container runtime abuse
- Webserver shells
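As an added example (not Jibril's own code), the block below applies several of the execution recipes above, together with the Execution Tracking and Loader Interception mechanisms, to constructed exec events. It rebuilds ancestry from a process table, recovers the real payload when ld.so is invoked directly, flags hidden or memfd-backed ELFs and execution from temporary directories, and uses the ancestry to spot shells spawned by interpreters or web servers. The loader paths, the interpreter and shell name lists, and the code-on-the-fly heuristic (inline code via -c) are assumptions for illustration, not necessarily what the project checks.

```python
"""Added example, not Jibril's own code: execution and loader recipes applied to
constructed exec events with ancestry reconstructed from a process table."""
from dataclasses import dataclass


@dataclass
class ExecEvent:
    pid: int
    ppid: int
    exe: str    # file the kernel actually mapped for this exec
    argv: list


# Paths of dynamic loaders that can be invoked directly (assumed list).
LOADERS = {
    "/lib64/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux-aarch64.so.1", "/lib/ld-musl-x86_64.so.1",
}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
INTERPRETER_PREFIXES = ("python", "perl", "ruby", "node", "php")
WEBSERVERS = {"nginx", "apache2", "httpd", "php-fpm"}
UNUSUAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def basename(path):
    return path.rsplit("/", 1)[-1]


def role(path):
    name = basename(path)
    if name in SHELLS:
        return "shell"
    if name.startswith(INTERPRETER_PREFIXES):
        return "interpreter"
    if name in WEBSERVERS:
        return "webserver"
    return None


def effective_binary(ev):
    """When ld.so is exec'd directly the kernel only sees the loader; the
    program that really runs is the first non-option argument."""
    if ev.exe in LOADERS:
        for arg in ev.argv[1:]:
            if not arg.startswith("-"):
                return arg
    return ev.exe


def is_hidden(path):
    """Dot-prefixed path components, memfd-backed and already-unlinked files."""
    return (any(p.startswith(".") for p in path.split("/") if p)
            or "memfd:" in path or path.endswith("(deleted)"))


def ancestors(table, ev):
    """Walk the ppid chain through the table of previously seen execs."""
    chain, pid, seen = [], ev.ppid, set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain


def detect(table, ev):
    hits = []
    target = effective_binary(ev)
    if target != ev.exe:
        hits.append("loader_based_execution")
    if is_hidden(target):
        hits.append("hidden_elf_execution")
    if target.startswith(UNUSUAL_DIRS):
        hits.append("unusual_directory_execution")
    lineage = {role(a.exe) for a in ancestors(table, ev)}
    if role(target) == "shell":
        if "interpreter" in lineage:
            hits.append("interpreter_shell_spawning")
        if "webserver" in lineage:
            hits.append("webserver_shell")
    # Heuristic stand-in for code-on-the-fly: code handed to a shell or
    # interpreter on the command line rather than read from a file on disk.
    if role(target) in ("shell", "interpreter") and "-c" in ev.argv[1:]:
        hits.append("code_on_the_fly")
    return hits


def analyze(events):
    """Process execs in order; return {pid: [recipe, ...]} for flagged pids."""
    table, findings = {}, {}
    for ev in events:
        table[ev.pid] = ev
        hits = detect(table, ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed sample chain (not captured from a real host).
SAMPLE_EVENTS = [
    ExecEvent(100, 1, "/usr/sbin/nginx", ["nginx", "-g", "daemon off;"]),
    ExecEvent(200, 100, "/usr/bin/dash", ["sh", "-c", "id"]),
    ExecEvent(300, 1, "/usr/bin/python3.11", ["python3", "app.py"]),
    ExecEvent(301, 300, "/usr/bin/bash", ["bash"]),
    ExecEvent(400, 301, "/lib64/ld-linux-x86-64.so.2",
              ["/lib64/ld-linux-x86-64.so.2", "/tmp/.cache/payload"]),
    ExecEvent(500, 1, "/memfd:x (deleted)", ["x"]),
]

if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The loader case is the one worth studying: a rule that only looks at the exec'd file sees ld.so, a legitimate system binary, and misses the payload in /tmp/.cache entirely. Deriving the effective binary from the loader's arguments is what lets the hidden-ELF and unusual-directory recipes fire on it.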
Network Peer Detection Recipes
Threat Intelligence:
- Badware domains
- Phishing domains
- Threat domains
- C2 servers
Content Categories:
- Adult content
- Gambling sites
- Piracy domains
Algorithmic Detection:
- Dynamic DNS
- Algorithmically generated domains (DGA)
- Fake domains
New Threats:
- Newly registered domains
- Suspicious TLDs
Security Risks:
- Plaintext communication
- Cloud metadata access
- VPN-like services
- Tracking domains
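The block below is an added example, not Jibril's own code, covering the Network Monitoring mechanism and the network peer recipes above on constructed DNS resolutions and connections. Threat-feed matching, dynamic DNS suffixes, suspicious TLDs, an entropy-based DGA heuristic, cloud metadata access, and plaintext protocols are each a small rule, and every connection is tied back to the name that resolved to its destination so a flagged peer carries DNS context. The domain lists, the metadata addresses, and the DGA thresholds are assumptions for illustration; a deployment feeds the lists from threat intelligence.

```python
"""Added example, not Jibril's own code: network-peer recipes applied to
constructed DNS resolutions and connections, with each connection tied back to
the name that resolved to its destination."""
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Resolution:
    pid: int
    comm: str
    qname: str
    answers: tuple   # IP address strings returned for qname


@dataclass
class Connection:
    pid: int
    comm: str
    dst: str
    port: int


# Constructed placeholder lists. A real deployment feeds these from threat
# intelligence; the contents below are assumptions, not a published feed.
BADWARE_DOMAINS = {"badware.example"}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "dyndns.org")
SUSPICIOUS_TLDS = {"top", "xyz", "tk", "gq", "zip", "mov"}
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"),
                ipaddress.ip_address("fd00:ec2::254")}


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label: str) -> bool:
    """DGA heuristic: long label, near-uniform character mix, almost no vowels.
    Thresholds are assumptions tuned for illustration, not the project's."""
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) > 3.5 and vowels / len(label) < 0.3


def under(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def check_domain(qname: str) -> list:
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    hits = []
    if under(name, BADWARE_DOMAINS):
        hits.append("badware_domain")
    if under(name, DYNAMIC_DNS_SUFFIXES):
        hits.append("dynamic_dns")
    if labels[-1] in SUSPICIOUS_TLDS:
        hits.append("suspicious_tld")
    if any(looks_generated(label) for label in labels[:-1]):
        hits.append("dga_domain")
    return hits


def check_connection(conn: Connection) -> list:
    ip = ipaddress.ip_address(conn.dst)
    hits = []
    if ip in METADATA_IPS:
        hits.append("cloud_metadata_access")
    # Loopback and link-local traffic is excluded here; the metadata service
    # is reported by the rule above rather than as plaintext.
    if conn.port in PLAINTEXT_PORTS and not (ip.is_loopback or ip.is_link_local):
        hits.append("plaintext_communication")
    return hits


def analyze(resolutions, connections) -> list:
    """Return (pid, recipe, subject) tuples. Connections are annotated with the
    name that resolved to the destination so the peer has DNS context."""
    findings, ip_to_name = [], {}
    for r in resolutions:
        for ip in r.answers:
            ip_to_name[ip] = r.qname
        findings += [(r.pid, hit, r.qname) for hit in check_domain(r.qname)]
    for c in connections:
        subject = f"{c.dst}:{c.port}"
        if c.dst in ip_to_name:
            subject += f" ({ip_to_name[c.dst]})"
        findings += [(c.pid, hit, subject) for hit in check_connection(c)]
    return findings


# Constructed sample traffic using documentation address ranges.
SAMPLE_RESOLUTIONS = [
    Resolution(700, "curl", "update.duckdns.org", ("203.0.113.10",)),
    Resolution(701, "svc", "xq7k2vzt9pw4mrj.top", ("203.0.113.20",)),
    Resolution(702, "apt", "mirror.example.org", ("198.51.100.5",)),
]
SAMPLE_CONNECTIONS = [
    Connection(700, "curl", "203.0.113.10", 80),
    Connection(702, "apt", "198.51.100.5", 443),
    Connection(703, "python3", "169.254.169.254", 80),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RESOLUTIONS, SAMPLE_CONNECTIONS):
        print(finding)
```

The entropy rule is a heuristic and will misfire on CDN hostnames and hashed subdomains; in practice it is a signal to combine with newly registered domain data and the threat feeds, not a verdict on its own. Resolving the IP back to a name is also only as reliable as the DNS capture: a peer reached by hard-coded IP has no name to show, which is itself worth surfacing.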
Technical Deep Dives
Explore the technical implementation of each mechanism:
- eBPF Logic: query-driven architecture
- File Access: filesystem monitoring
- Execution: process tracking
- Loader Interception: dynamic loader monitoring
- Network Logic: connection tracking
- Network Peers: domain analysis
- Probes & Traces: introspection detection
- Combined Detection: file + execution correlation