The Alchemies feature introduces a powerful dynamic recipe generation system for Jibril!
New Feature!
Jibril
DiscordGarnet🐈‍⬛
  • Jibril
    • Jibril
      • New Era
      • Theory Behind
      • Architecture
      • Agent Dashboard
      • Compare
    • Install and Run
      • Requirements
      • Repositories
      • Systemd Service
        • Systemd Config
      • Command Line
      • Docker Container
      • Kubernetes
        • Kubernetes Script
      • Configuration File
        • Cache Configuration
        • Cadence Configuration
        • Network Policy File
    • Components
      • Features
      • Extensions
      • Plugins
      • Printers
      • Events
      • Alchemies
        • Overview
        • Enable Alchemies
        • Create Recipes
        • Recipes Reference
        • Builtin Recipes
      • Network Policy
      • Attenuator
    • Mechanisms
      • File Access
      • Execution
      • File Access And Execution
      • Network Peers
      • Network eBPF Logic
      • Probes and Traces
      • Bigger eBPF Logic
      • Loader Interception
    • Detections
      • File Access
        • Auth Logs Tamper
        • Binary Self Deletion
        • Capabilities Modification
        • Code Modification Through Procfs
        • Core Pattern Access
        • CPU Fingerprint
        • Credentials Files Access
        • Crypto Miner Files
        • Environment Read From ProcFS
        • File Example
        • Filesystem Fingerprint
        • Global Shlib Modification
        • Java Debug Lib Load
        • Java Instrument Lib Load
        • Machine Fingerprint
        • OS Fingerprint
        • OS Network Fingerprint
        • OS Status Fingerprint
        • Package Repo Config Modification
        • PAM Config Modification
        • Sched Debug Access
        • Shell Config Modification
        • SSL Certificate Access
        • Sudoers Modification
        • Sysrq Access
        • Unprivileged Bpf Config Access
      • Execution
        • Binary Executed By Loader
        • Code On The Fly
        • Crypto Miner Execution
        • Data Encoder Exec
        • Denial Of Service Tools
        • Exec Example
        • Exec From Unusual Dir
        • File Attribute Change
        • Hidden Elf Exec
        • Interpreter Shell Spawn
        • Net Filecopy Tool Exec
        • Net MitM Tool Exec
        • Net Scan Tool Exec
        • Net Sniff Tool Exec
        • Net Suspicious Tool Exec
        • Net Suspicious Tool Shell
        • Passwd Usage
        • Runc Suspicious Exec
        • Webserver Exec
        • Webserver Shell Exec
      • Network Peers
        • Adult Domain Access
        • Badware Domain Access
        • Dynamic DNS Domain Access
        • Fake Domain Access
        • Gambling Domain Access
        • Peer Example
        • Piracy Domain Access
        • Plaintext Communication
        • Threat Domain Access
        • Tracking Domain Access
        • VPN Domain Access
    • Bugs and Requests
    • Banner
    • License
  • Research
    • Runtime Security
      • Valkyrie Response
  • MITRE
    • Mitre Attack
      • Initial Access
        • Valid Accounts
          • Default Accounts
          • Domain Accounts
          • Local Accounts
          • Cloud Accounts
        • Replication Through Removable Media
        • External Remote Services
        • Drive-by Compromise
        • Exploit Public-Facing Application
        • Supply Chain Compromise
          • Compromise Software Dependencies and Development Tools
          • Compromise Software Supply Chain
          • Compromise Hardware Supply Chain
        • Trusted Relationship
        • Hardware Additions
        • Phishing
          • Spearphishing Attachment
          • Spearphishing Link
          • Spearphishing via Service
          • Spearphishing Voice
      • Execution
        • Windows Management Instrumentation
        • Scheduled Task/Job
          • At
          • Cron
          • Scheduled Task
          • Systemd Timers
          • Container Orchestration Job
        • Command and Scripting Interpreter
          • PowerShell
          • AppleScript
          • Windows Command Shell
          • Unix Shell
          • Visual Basic
          • Python
          • JavaScript
          • Network Device CLI
          • Cloud API
          • AutoHotKey & AutoIT
          • Lua
        • Software Deployment Tools
        • Native API
        • Shared Modules
        • Exploitation for Client Execution
        • User Execution
          • Malicious Link
          • Malicious File
          • Malicious Image
        • Inter-Process Communication
          • Component Object Model
          • Dynamic Data Exchange
          • XPC Services
        • System Services
          • Launchctl
          • Service Execution
        • Container Administration Command
          • Deploy Container
        • Serverless Execution
        • Cloud Administration Command
      • Persistence
        • Boot or Logon Initialization Scripts
          • Logon Script (Windows)
          • Login Hook
          • Network Logon Script
          • RC Scripts
          • Startup Items
        • Scheduled Task/Job
          • At
          • Cron
          • Scheduled Task
          • Systemd Timers
          • Container Orchestration Job
        • Valid Accounts
          • Default Accounts
          • Domain Accounts
          • Local Accounts
          • Cloud Accounts
        • Account Manipulation
          • Additional Cloud Credentials
          • Additional Email Delegate Permissions
          • Additional Cloud Roles
          • SSH Authorized Keys
          • Device Registration
          • Additional Container Cluster Roles
          • Additional Local or Domain Groups
        • External Remote Services
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Office Application Startup
          • Office Template Macros
          • Office Test
          • Outlook Forms
          • Outlook Home Page
          • Outlook Rules
          • Add-ins
        • Browser Extensions
        • BITS Jobs
        • Traffic Signaling
          • Port Knocking
          • Socket Filters
        • Server Software Component
          • SQL Stored Procedures
          • Transport Agent
          • Web Shell
          • IIS Components
          • Terminal Services DLL
        • Implant Internal Image
        • Pre-OS Boot
          • System Firmware
          • Component Firmware
          • Bootkit
          • ROMMONkit
          • TFTP Boot
        • Create or Modify System Process
          • Launch Agent
          • Systemd Service
          • Windows Service
          • Launch Daemon
          • Container Service
        • Event Triggered Execution
          • Change Default File Association
          • Screensaver
          • Windows Management Instrumentation Event Subscription
          • Unix Shell Configuration Modification
          • Trap
          • LC_LOAD_DYLIB Addition
          • Netsh Helper DLL
          • Accessibility Features
          • AppCert DLLs
          • AppInit DLLs
          • Application Shimming
          • Image File Execution Options Injection
          • PowerShell Profile
          • Emond
          • Component Object Model Hijacking
          • Installer Packages
          • Udev Rules
        • Boot or Logon Autostart Execution
          • Registry Run Keys / Startup Folder
          • Authentication Package
          • Time Providers
          • Winlogon Helper DLL
          • Security Support Provider
          • Kernel Modules and Extensions
          • Re-opened Applications
          • LSASS Driver
          • Shortcut Modification
          • Port Monitors
          • Plist Modification
          • XDG Autostart Entries
          • Active Setup
          • Login Items
        • Compromise Host Software Binary
        • Modify Authentication Process
          • Domain Controller Authentication
          • Password Filter DLL
          • Pluggable Authentication Modules
          • Network Device Authentication
          • Reversible Encryption
          • Multi-Factor Authentication
          • Hybrid Identity
          • Network Provider DLL
          • Conditional Access Policies
        • Hijack Execution Flow
          • DLL Search Order Hijacking
          • DLL Side-Loading
          • Dylib Hijacking
          • Executable Installer File Permissions Weakness
          • Dynamic Linker Hijacking
          • Path Interception by PATH Environment Variable
          • Path Interception by Search Order Hijacking
          • Path Interception by Unquoted Path
          • Services File Permissions Weakness
          • Services Registry Permissions Weakness
          • COR_PROFILER
          • KernelCallbackTable
          • AppDomainManager
      • Privilege Escalation
        • Boot or Logon Initialization Scripts
          • Logon Script (Windows)
          • Login Hook
          • Network Logon Script
          • RC Scripts
          • Startup Items
        • Scheduled Task/Job
          • At
          • Cron
          • Scheduled Task
          • Systemd Timers
          • Container Orchestration Job
        • Process Injection
          • Dynamic-link Library Injection
          • Portable Executable Injection
          • Thread Execution Hijacking
          • Asynchronous Procedure Call
          • Thread Local Storage
          • Ptrace System Calls
          • Proc Memory
          • Extra Window Memory Injection
          • Process Hollowing
          • Process Doppelgänging
          • VDSO Hijacking
          • ListPlanting
        • Exploitation for Privilege Escalation
        • Valid Accounts
          • Default Accounts
          • Domain Accounts
          • Local Accounts
          • Cloud Accounts
        • Account Manipulation
          • Additional Cloud Credentials
          • Additional Email Delegate Permissions
          • Additional Cloud Roles
          • SSH Authorized Keys
          • Device Registration
          • Additional Container Cluster Roles
          • Additional Local or Domain Groups
        • Access Token Manipulation
          • Token Impersonation/Theft
          • Create Process with Token
          • Make and Impersonate Token
          • Parent PID Spoofing
          • SID-History Injection
        • Domain or Tenant Policy Modification
          • Group Policy Modification
          • Trust Modification
        • Create or Modify System Process
          • Launch Agent
          • Systemd Service
          • Windows Service
          • Launch Daemon
          • Container Service
        • Event Triggered Execution
          • Change Default File Association
          • Screensaver
          • Windows Management Instrumentation Event Subscription
          • Unix Shell Configuration Modification
          • Trap
          • LC_LOAD_DYLIB Addition
          • Netsh Helper DLL
          • Accessibility Features
          • AppCert DLLs
          • AppInit DLLs
          • Application Shimming
          • Image File Execution Options Injection
          • PowerShell Profile
          • Emond
          • Component Object Model Hijacking
          • Installer Packages
          • Udev Rules
        • Boot or Logon Autostart Execution
          • Registry Run Keys / Startup Folder
          • Authentication Package
          • Time Providers
          • Winlogon Helper DLL
          • Security Support Provider
          • Kernel Modules and Extensions
          • Re-opened Applications
          • LSASS Driver
          • Shortcut Modification
          • Port Monitors
          • Plist Modification
          • XDG Autostart Entries
          • Active Setup
          • Login Items
        • Abuse Elevation Control Mechanism
          • Setuid and Setgid
          • Bypass User Account Control
          • Sudo and Sudo Caching
          • Elevated Execution with Prompt
          • Temporary Elevated Cloud Access
          • TCC Manipulation
        • Hijack Execution Flow
          • DLL Search Order Hijacking
          • DLL Side-Loading
          • Dylib Hijacking
          • Executable Installer File Permissions Weakness
          • Dynamic Linker Hijacking
          • Path Interception by PATH Environment Variable
          • Path Interception by Search Order Hijacking
          • Path Interception by Unquoted Path
          • Services File Permissions Weakness
          • Services Registry Permissions Weakness
          • COR_PROFILER
          • KernelCallbackTable
          • AppDomainManager
        • Escape to Host
      • Defense Evasion
        • Direct Volume Access
        • Rootkit
        • Obfuscated Files or Information
          • Binary Padding
          • Software Packing
          • Steganography
          • Compile After Delivery
          • HTML Smuggling
        • Masquerading
          • Right-to-Left Override
          • Rename System Utilities
          • Masquerade Task or Service
          • Match Legitimate Name or Location
          • Space after Filename
          • Double File Extension
          • Masquerade File Type
        • Process Injection
          • Dynamic-link Library Injection
          • Portable Executable Injection
          • Thread Execution Hijacking
          • Asynchronous Procedure Call
          • Thread Local Storage
          • Ptrace System Calls
          • Proc Memory
          • Extra Window Memory Injection
          • Process Hollowing
          • Process Doppelgänging
          • VDSO Hijacking
          • ListPlanting
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Timestomp
          • Clear Network Connection History and Configurations
        • Valid Accounts
          • Default Accounts
          • Domain Accounts
          • Local Accounts
          • Cloud Accounts
        • Modify Registry
        • Access Token Manipulation
          • Token Impersonation/Theft
          • Create Process with Token
          • Make and Impersonate Token
          • Parent PID Spoofing
          • SID-History Injection
        • Deobfuscate/Decode Files or Information
        • BITS Jobs
        • Indirect Command Execution
        • Traffic Signaling
          • Port Knocking
          • Socket Filters
        • Rogue Domain Controller
        • Exploitation for Defense Evasion
        • System Script Proxy Execution
          • PubPrn
        • System Binary Proxy Execution
          • Compiled HTML File
          • Control Panel
          • CMSTP
          • InstallUtil
          • Mshta
          • Msiexec
          • Odbcconf
          • Regsvcs/Regasm
          • Regsvr32
          • Rundll32
          • Verclsid
          • Mavinject
          • MMC
        • XSL Script Processing
        • Template Injection
        • File and Directory Permissions Modification
          • Windows File and Directory Permissions Modification
          • Linux and Mac File and Directory Permissions Modification
        • Execution Guardrails
          • Environmental Keying
          • Mutual Exclusion
          • Time Based Evasion
        • Domain or Tenant Policy Modification
          • Group Policy Modification
          • Trust Modification
        • Virtualization/Sandbox Evasion
          • System Checks
          • User Activity Based Checks
          • Time Based Evasion
        • Pre-OS Boot
          • System Firmware
          • Component Firmware
          • Bootkit
          • ROMMONkit
          • TFTP Boot
        • Abuse Elevation Control Mechanism
          • Setuid and Setgid
          • Bypass User Account Control
          • Sudo and Sudo Caching
          • Elevated Execution with Prompt
          • Temporary Elevated Cloud Access
          • TCC Manipulation
        • Use Alternate Authentication Material
          • Application Access Token
          • Pass the Hash
          • Pass the Ticket
          • Web Session Cookie
        • Subvert Trust Controls
          • Gatekeeper Bypass
          • Code Signing
          • SIP and Trust Provider Hijacking
          • Install Root Certificate
          • Mark-of-the-Web Bypass
        • Modify Authentication Process
          • Domain Controller Authentication
          • Password Filter DLL
          • Pluggable Authentication Modules
          • Network Device Authentication
          • Reversible Encryption
          • Multi-Factor Authentication
          • Hybrid Identity
          • Network Provider DLL
          • Conditional Access Policies
        • Impair Defenses
          • Disable or Modify Tools
          • Disable Windows Event Logging
          • Disable or Modify System Firewall
          • Disable or Modify Cloud Logs
        • Hide Artifacts
          • Hidden Files and Directories
          • Hidden Users
          • Hidden Window
          • NTFS File Attributes
          • Hidden File System
        • Hijack Execution Flow
          • DLL Search Order Hijacking
          • DLL Side-Loading
          • Dylib Hijacking
          • Executable Installer File Permissions Weakness
          • Dynamic Linker Hijacking
          • Path Interception by PATH Environment Variable
          • Path Interception by Search Order Hijacking
          • Path Interception by Unquoted Path
          • Services File Permissions Weakness
          • Services Registry Permissions Weakness
          • COR_PROFILER
          • KernelCallbackTable
          • AppDomainManager
        • Modify Cloud Compute Infrastructure
          • Create Snapshot
          • Create Cloud Instance
        • Network Boundary Bridging
          • Network Address Translation Traversal
        • Weaken Encryption
          • Reduce Key Space
          • Disable Crypto Hardware
        • Modify System Image
          • Patch System Image
          • Downgrade System Image
        • Build Image on Host
        • Reflective Code Loading
      • Credential Access
        • OS Credential Dumping
          • LSASS Memory
          • Security Account Manager
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
          • Proc Filesystem
        • Network Sniffing
        • Input Capture
          • Keylogging
          • GUI Input Capture
          • Web Portal Capture
        • Brute Force
          • Password Guessing
          • Password Cracking
          • Password Spraying
          • Credential Stuffing
        • Multi-Factor Authentication Interception
        • Forced Authentication
        • Exploitation for Credential Access
        • Cloud Instance Metadata API
        • Steal Application Access Token
        • Steal Web Session Cookie
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Bash History
          • Group Policy Preferences
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
          • Password Managers
        • Modify Authentication Process
          • Domain Controller Authentication
          • Password Filter DLL
          • Pluggable Authentication Modules
          • Network Device Authentication
          • Reversible Encryption
          • Multi-Factor Authentication
          • Hybrid Identity
          • Network Provider DLL
          • Conditional Access Policies
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS Poisoning and SMB Relay
          • ARP Cache Poisoning
          • DHCP Spoofing
          • Evil Twin
        • Steal or Forge Kerberos Tickets
          • Golden Ticket
          • Silver Ticket
          • Kerberoasting
        • Forge Web Credentials
          • Web Cookies
          • SAML Tokens
        • Multi-Factor Authentication Request Generation
        • Steal or Forge Authentication Certificates
      • Discovery
        • System Service Discovery
        • Application Window Discovery
        • Query Registry
        • System Network Configuration Discovery
          • Internet Connection Discovery
        • Remote System Discovery
        • System Owner/User Discovery
        • Network Sniffing
        • Network Service Discovery
        • System Network Connections Discovery
        • Process Discovery
        • Permission Groups Discovery
          • Local Groups
          • Domain Groups
          • Cloud Groups
        • System Information Discovery
        • File and Directory Discovery
        • Account Discovery
          • Local Account
          • Domain Account
          • Cloud Account
        • Peripheral Device Discovery
        • System Time Discovery
        • Network Share Discovery
        • Password Policy Discovery
        • Browser Information Discovery
        • Domain Trust Discovery
        • Virtualization/Sandbox Evasion
          • System Checks
          • User Activity Based Checks
          • Time Based Evasion
        • Software Discovery
          • Security Software Discovery
          • Installed Services Discovery
        • Cloud Service Discovery
        • Cloud Service Dashboard
        • Cloud Infrastructure Discovery
        • Container and Resource Discovery
        • System Location Discovery
          • System Language Discovery
        • Group Policy Discovery
        • Cloud Storage Object Discovery
      • Lateral Movement
        • Remote Services
          • Remote Desktop Protocol
          • SMB/Windows Admin Shares
          • Distributed Component Object Model
          • SSH
          • VNC
          • Windows Remote Management
          • Cloud Services
        • Software Deployment Tools
        • Taint Shared Content
        • Replication Through Removable Media
        • Exploitation of Remote Services
        • Internal Spearphishing
        • Use Alternate Authentication Material
          • Application Access Token
          • Pass the Hash
          • Pass the Ticket
          • Web Session Cookie
        • Remote Service Session Hijacking
          • RDP Hijacking
        • Lateral Tool Transfer
      • Collection
        • Data from Local System
        • Data from Removable Media
        • Data from Network Shared Drive
        • Input Capture
          • Keylogging
          • GUI Input Capture
          • Web Portal Capture
        • Data Staged
          • Local Data Staging
          • Remote Data Staging
        • Screen Capture
        • Email Collection
          • Local Email Collection
          • Remote Email Collection
          • Email Forwarding Rule
        • Clipboard Data
        • Automated Collection
        • Audio Capture
        • Video Capture
        • Browser Session Hijacking
        • Data from Information Repositories
          • Confluence
          • Sharepoint
          • Code Repositories
          • Customer Relationship Management Software
        • Data from Cloud Storage
          • Cloud Storage Object
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS Poisoning and SMB Relay
          • ARP Cache Poisoning
          • DHCP Spoofing
          • Evil Twin
        • Archive Collected Data
          • Archive via Utility
          • Archive via Library
          • Archive via Custom Method
        • Data from Configuration Repository
          • SNMP (MIB Dump)
          • Network Device Configuration Dump
      • Exfiltration
        • Exfiltration Over Other Network Medium
          • Exfiltration Over Bluetooth
        • Automated Exfiltration
          • Traffic Duplication
        • Scheduled Transfer
        • Data Transfer Size Limits
        • Exfiltration Over C2 Channel
        • Exfiltration Over Alternative Protocol
          • Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          • Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          • Exfiltration Over Unencrypted Non-C2 Protocol
        • Exfiltration Over Physical Medium
          • Exfiltration over USB
        • Exfiltration Over Web Service
          • Exfiltration to Code Repository
          • Exfiltration to Cloud Storage
          • Exfiltration to Text Storage Sites
          • Exfiltration Over Webhook
      • Command and Control
        • Data Obfuscation
          • Junk Data
          • Steganography
          • Protocol or Service Impersonation
        • Fallback Channels
        • Application Layer Protocol
          • Web Protocols
          • File Transfer Protocols
          • Mail Protocols
          • DNS
        • Proxy
          • Internal Proxy
          • External Proxy
          • Multi-hop Proxy
          • Domain Fronting
        • Communication Through Removable Media
        • Non-Application Layer Protocol
        • Web Service
          • Dead Drop Resolver
          • Bidirectional Communication
          • One-Way Communication
        • Multi-Stage Channels
        • Ingress Tool Transfer
        • Data Encoding
          • Standard Encoding
          • Non-Standard Encoding
        • Traffic Signaling
          • Port Knocking
          • Socket Filters
        • Remote Access Software
        • Dynamic Resolution
          • Fast Flux DNS
          • Domain Generation Algorithms
          • DNS Calculation
        • Non-Standard Port
        • Protocol Tunneling
        • Encrypted Channel
          • Symmetric Cryptography
          • Asymmetric Cryptography
      • Impact
        • Data Destruction
          • Lifecycle-Triggered Deletion
        • Data Encrypted for Impact
        • Service Stop
        • Inhibit System Recovery
        • Defacement
          • Internal Defacement
          • External Defacement
        • Firmware Corruption
        • Resource Hijacking
          • Compute Hijacking
        • Network Denial of Service
          • Direct Network Flood
          • Reflection Amplification
        • Endpoint Denial of Service
          • OS Exhaustion Flood
          • Service Exhaustion Flood
          • Application Exhaustion Flood
          • Application or System Exploitation
        • System Shutdown/Reboot
        • Account Access Removal
        • Disk Wipe
          • Disk Content Wipe
          • Disk Structure Wipe
        • Data Manipulation
          • Stored Data Manipulation
          • Transmitted Data Manipulation
          • Runtime Data Manipulation
      • Resource Development
        • Acquire Infrastructure
          • Domains
          • DNS Server
          • Virtual Private Server
          • Server
          • Botnet
          • Web Services
          • Serverless
          • Malvertising
        • Compromise Infrastructure
          • Domains
          • DNS Server
          • Virtual Private Server
          • Server
          • Botnet
          • Web Services
          • Serverless
          • Network Devices
        • Establish Accounts
          • Social Media Accounts
          • Email Accounts
          • Cloud Accounts
        • Compromise Accounts
          • Social Media Accounts
          • Email Accounts
          • Cloud Accounts
        • Develop Capabilities
          • Malware
          • Code Signing Certificates
          • Digital Certificates
          • Exploits
        • Obtain Capabilities
          • Malware
          • Tool
          • Code Signing Certificates
          • Digital Certificates
          • Exploits
          • Vulnerabilities
          • Artificial Intelligence
        • Stage Capabilities
          • Upload Malware
          • Upload Tool
          • Install Digital Certificate
          • Drive-by Target
          • Link Target
          • SEO Poisoning
        • Acquire Access
      • Reconnaissance
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
          • Employee Names
        • Gather Victim Network Information
          • Domain Properties
          • DNS
          • Network Trust Dependencies
          • Network Topology
          • IP Addresses
          • Network Security Appliances
        • Gather Victim Org Information
          • Determine Physical Locations
          • Business Relationships
          • Identify Business Tempo
          • Identify Roles
        • Gather Victim Host Information
          • Hardware
          • Software
          • Firmware
          • Client Configurations
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Search Open Technical Databases
          • DNS/Passive DNS
          • WHOIS
          • Digital Certificates
          • CDNs
          • Scan Databases
        • Search Closed Sources
          • Threat Intel Vendors
          • Purchase Technical Data
        • Phishing for Information
          • Spearphishing Service
          • Spearphishing Attachment
          • Spearphishing Link
          • Spearphishing Voice
Powered by GitBook

© 2025 • Jibril • by Garnet Labs

On this page
  • Quick Explanation
  • More Information
  • Information
  • Analysis of the Event
  • Implications
  • Recommended Actions
  1. Jibril
  2. Detections
  3. Execution

Net Scan Tool Exec

Last updated 20 days ago

Quick Explanation

The net_scan_tool_exec recipe identifies the execution of network scanning tools used for discovering network services and open ports. This detection is critical as it indicates potential reconnaissance activities that could lead to identifying vulnerabilities for exploitation. The presence of such tools in pull requests poses significant risks to CI/CD pipelines and production systems, including unauthorized scans that can expose sensitive infrastructure information.

More Information

Information

Description: Network scan tool execution Tactic: Technique: Importance: Critical

Analysis of the Event

This detection event identifies the execution of a network scanning tool within the monitored environment. Tools such as nmap, masscan, and zenmap are often used for discovering network services, open ports, and other critical information that can be leveraged for further exploitation or reconnaissance activities.

The MITRE ATT&CK framework classifies this activity under the Discovery category with the method being Network Service Scanning. This indicates an attempt to map out the network structure or identify active services, which could precede more targeted attacks. Attackers often use these tools to gather information on reachable hosts and open ports, enabling them to craft tailored exploits based on known vulnerabilities associated with specific software versions.

The detection mechanism relies on monitoring specific file executions using eBPF (Extended Berkeley Packet Filter) and other tracing techniques provided by Jibril. These methods allow for real-time analysis of system calls that are characteristic of network scanning activities. This level of visibility is crucial for identifying both legitimate and malicious usage patterns, particularly in environments where such tools may be used legitimately but require strict controls.

The implications of such detections are significant as they point towards potential reconnaissance activities within your environment. Unauthorized entities performing these scans can identify vulnerabilities that may be exploited later. Even if conducted by internal actors, it might indicate non-compliance with security policies or unintended security risks. Historical attack patterns show that attackers often use network scanning tools to perform initial reconnaissance before moving on to more sophisticated attacks such as lateral movement and data exfiltration.

Implications

Implications for CI/CD Pipelines

Risks related to build process compromise, dependency poisoning, and artifact integrity include unauthorized scans that can expose sensitive infrastructure information. Attackers might exploit these vulnerabilities by injecting malicious dependencies or modifying build artifacts, leading to compromised production environments.

Implications for Staging

Adversarial testing, data leakage, insider threats, and unauthorized access risks before production deployment are heightened when network scanning tools are present in staging environments. These risks include the potential for internal actors to misuse their privileges, leading to data breaches or other security incidents that could compromise sensitive information prior to full-scale deployment.

Implications for Production

Long-term persistence risks, lateral movement, credential theft, data exfiltration, and advanced persistent threats (APT) are significantly increased in production environments where network scanning tools have been detected. Attackers can use this reconnaissance phase to establish a foothold within the network, move laterally across systems, steal credentials, and exfiltrate sensitive data without being detected.

Recommended Actions

Actions for CI/CD Pipelines

  1. Audit and Review: Immediately audit the logs and artifacts related to the detected network scan tool execution. Identify the source and review the changes made in the pull request or during the build process that led to this execution.

  2. Security Training: Conduct security training for developers to reinforce the importance of secure coding practices and the risks associated with unauthorized tool usage in the CI/CD pipeline.

  3. Update Security Policies: Review and update security policies to include explicit guidelines on the use of network scanning tools and the consequences of non-compliance.

Actions for Staging

  1. Conduct a Security Audit: Perform a thorough security audit of the staging environment to check for any anomalies or unauthorized changes that could have been introduced by the network scanning tool.

  2. Restrict Tool Usage: Implement strict access controls and usage policies for network scanning tools in the staging environment to prevent misuse by internal actors.

  3. Simulate Attack Scenarios: Run controlled attack simulations to understand potential vulnerabilities and assess the effectiveness of current security measures.

  4. Review Access Logs: Regularly review access logs and patterns to detect any unauthorized or suspicious activities that could indicate insider threats or data leakage.

Actions for Production

  1. Immediate Isolation: Isolate any systems where the network scanning tool was executed to prevent any potential lateral movement or further unauthorized activities.

  2. Incident Response: Activate the incident response team to assess the scope of the potential breach or unauthorized access, and to implement containment and mitigation strategies.

  3. Review and Harden Security Posture: Review the overall security posture of the production environment and harden defenses by updating firewalls, intrusion detection systems, and implementing stricter access controls.

Discovery
Network Service Discovery