Jibril Detection Documentation
Categories
Categories in Jibril classify security detections into broad types, much as the tactics in frameworks like MITRE ATT&CK do. Each category represents a high-level class of security events that the tool is designed to monitor and analyze, giving detections a structured taxonomy for organizing security issues.
Examples of categories include:
- Collection: Techniques used to gather information or data from the target environment.
- Execution: Running malicious code to achieve an attacker’s objective.
- Credential Access: Attempts to steal or extract credentials from a system.
- Discovery: Actions aimed at identifying the layout and details of the target system or network.
- Lateral Movement: Techniques enabling an attacker to move through a network to access additional systems.
- Defense Evasion: Methods to avoid detection by security tools.
- Exfiltration: Transferring stolen data from the victim’s environment.
- Impact: Techniques used to disrupt or destroy data or systems deliberately.
Categories serve as the broad classifications for security detections in Jibril. They provide a high-level overview of the nature of detected events, simplifying the organization and analysis of security incidents.
Mechanisms
Mechanisms in Jibril represent the technical means or tools used to detect specific security events. These are the foundational approaches that Jibril employs in its detection recipes to identify potential threats.
Examples of mechanisms include:
- eBPF Integration: Using eBPF hooks to capture kernel-level data for behavioral analysis.
- Loader Interception: Capturing and analyzing binary loads at the ELF loader time.
- File Monitoring: Observing and recording file access, modification, or execution.
- Process Monitoring: Tracking the execution and behavior of processes.
- Network Flow Analysis: Capturing and evaluating network traffic flows for anomalies.
- Memory Analysis: Monitoring and analyzing memory states for suspicious patterns.
- Binary Execution Monitoring: Logging and analyzing all executed binaries and their arguments.
Mechanisms define the technical implementation of Jibril’s detection recipes. They focus on gathering relevant data through precise and efficient means, such as eBPF-based kernel hooks, to ensure comprehensive monitoring with minimal overhead.
Methods
Methods describe the specific techniques employed by attackers that Jibril detects. These methods fall within the broader classification of categories but provide more granularity about how an attack is executed or operates.
Examples of methods include:
- Abnormal Execution of Dynamic Loader: Exploiting the dynamic loader to manipulate library paths or symbols for malicious purposes.
- Credential Dumping: Extracting stored credentials using tools like Mimikatz.
- Input Capture: Techniques such as keylogging to capture user inputs.
- Exploitation for Privilege Escalation: Exploiting vulnerabilities to gain higher privileges within the target system.
- Fileless Malware: Operating in memory to avoid file-based detection.
- Phishing: Deceptive communication to obtain sensitive credentials.
- Network Sniffing: Capturing network traffic to extract unencrypted credentials or sensitive data.
- Obfuscation: Using encoding or encryption to hide malicious payloads from detection.
Methods provide a descriptive classification of how specific attacks operate. They bridge the gap between high-level categories and the underlying mechanisms, offering detailed insights into attacker behavior and strategies.
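The three tiers above (category, mechanism, method) are most useful when every detection is tagged consistently with all of them. The script below is an added example, not Jibril's own code: it reads detection events as JSON lines, checks each event's category, mechanism and method against the vocabularies listed on this page, rejects events whose method does not fit the claimed category, and counts valid events per category. The event field names, the sample events and the method-to-category mapping (taken from MITRE ATT&CK's placement of the equivalent techniques) are assumptions of this example, not Jibril's actual schema.

```python
import json
from collections import Counter

# Vocabularies copied from the documentation above.
CATEGORIES = {
    "Collection", "Execution", "Credential Access", "Discovery",
    "Lateral Movement", "Defense Evasion", "Exfiltration", "Impact",
}
MECHANISMS = {
    "eBPF Integration", "Loader Interception", "File Monitoring",
    "Process Monitoring", "Network Flow Analysis", "Memory Analysis",
    "Binary Execution Monitoring",
}
# Method -> categories it may fall under. The page only says each method
# "falls within" a category; the concrete placement here follows MITRE
# ATT&CK's technique-to-tactic mapping and is an assumption of this example.
METHOD_CATEGORIES = {
    "Credential Dumping": {"Credential Access"},
    "Input Capture": {"Collection", "Credential Access"},
    "Network Sniffing": {"Credential Access", "Discovery"},
    "Obfuscation": {"Defense Evasion"},
    "Fileless Malware": {"Defense Evasion"},
}

REQUIRED = ("category", "mechanism", "method")


def validate_event(event: dict) -> list:
    """Return a list of taxonomy problems; an empty list means the event is well-classified."""
    problems = []
    for field in REQUIRED:
        if field not in event:
            problems.append(f"missing field: {field}")
    if problems:
        return problems
    if event["category"] not in CATEGORIES:
        problems.append(f"unknown category: {event['category']}")
    if event["mechanism"] not in MECHANISMS:
        problems.append(f"unknown mechanism: {event['mechanism']}")
    allowed = METHOD_CATEGORIES.get(event["method"])
    if allowed is None:
        problems.append(f"unknown method: {event['method']}")
    elif event["category"] not in allowed:
        problems.append(
            f"method {event['method']!r} does not belong to category "
            f"{event['category']!r} (expected one of {sorted(allowed)})"
        )
    return problems


def triage(lines) -> dict:
    """Parse JSON-lines detections, validate each one, and summarize.

    Returns {"by_category": Counter of valid events,
             "rejected": [(line_number, [reasons...]), ...]}.
    """
    by_category = Counter()
    rejected = []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((line_no, [f"malformed JSON: {exc.msg}"]))
            continue
        problems = validate_event(event)
        if problems:
            rejected.append((line_no, problems))
        else:
            by_category[event["category"]] += 1
    return {"by_category": by_category, "rejected": rejected}


# Constructed sample input (hypothetical field names, not real Jibril output).
# Line 3 claims the wrong category, line 4 uses an unknown mechanism,
# line 5 is truncated JSON.
SAMPLE_EVENTS = """\
{"category": "Credential Access", "mechanism": "File Monitoring", "method": "Credential Dumping", "file": "/etc/shadow"}
{"category": "Collection", "mechanism": "eBPF Integration", "method": "Input Capture", "pid": 4242}
{"category": "Exfiltration", "mechanism": "Network Flow Analysis", "method": "Credential Dumping"}
{"category": "Discovery", "mechanism": "Antivirus Scan", "method": "Network Sniffing"}
{"category": "Execution", "mechanism": "Process Monitoring"
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS.splitlines())
    for category, n in sorted(summary["by_category"].items()):
        print(f"{category}: {n}")
    for line_no, reasons in summary["rejected"]:
        print(f"line {line_no} rejected: {'; '.join(reasons)}")
```

Rejecting an event for a method/category mismatch rather than silently re-tagging it keeps the recipe author's classification visible during review; in a real pipeline the mapping table would be extended as new recipes are added, and any recipe whose method is absent from it shows up as "unknown method" so the gap is noticed rather than counted under a guessed category.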