Threatseer is a lightweight, agent-based security telemetry solution for Linux.
The agent collects security telemetry and offloads it to a server for behavioral analysis and further processing.
The server component runs several behavioral analysis engines that score events, and it can emit the resulting JSON telemetry through several output methods. Each record carries the raw event plus a list of indicators, one per engine that fired, each with its own score.
Example output record for a successful blind remote code execution (RCE) callback (dig used to reach an attacker-controlled name):
{
  "@timestamp": "2018-05-26T15:06:14.397Z",
  "src_ip": "127.0.0.1",
  "event": {
    "id": "714966143a853b3bf55ccb2683a3b6bcfcbf731f9318705485609d8ef7711b13",
    "container_name": "/cranky_kowalevski",
    "image_id": "3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353",
    "image_name": "alpine",
    "process_pid": 3789,
    "sensor_id": "49c921bc827b2aa9b5f20b0e65af9c3126c79221bac4f2b2a7edd7db7e3774aa",
    "Event": {
      "Process": {
        "type": 2,
        "exec_filename": "/usr/bin/dig",
        "exec_command_line": [
          "dig",
          "+short",
          "ifjeow0234f90iwefo2odj.wat.lol"
        ]
      }
    }
  },
  "indicators": [
    {
      "Engine": "static",
      "RuleName": "",
      "IndicatorType": "risky_process",
      "Description": "dig is a risky process often used for exfil / callback",
      "ExtraInfo": "",
      "Score": 70
    },
    {
      "Engine": "dynamic",
      "RuleName": "insider_threat",
      "IndicatorType": "custom",
      "Description": "it's coming from inside the house!",
      "ExtraInfo": "origin was 127.0.0.1",
      "Score": 60
    },
    {
      "Engine": "profile",
      "RuleName": "",
      "IndicatorType": "abnormal_behavior",
      "Description": "subject is behaving outside of its profile",
      "ExtraInfo": "",
      "Score": 50
    }
  ]
}
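A consumer for records in this shape, added here as an example and not part of Threatseer itself: it parses one output record, pulls out the process and container context, and folds the per-engine indicator scores into a single severity. The noisy-OR score combination and the severity thresholds are assumptions of this example (Threatseer does not document how it combines scores), and the sample record is constructed with placeholder ids.

```python
import json
from typing import Any

# Severity bands on the combined 0-100 score: an assumption for this example.
SEVERITY_BANDS = [(85, "critical"), (60, "high"), (30, "medium"), (0, "low")]


def combine_scores(scores: list[int]) -> int:
    """Noisy-OR combination (assumed scheme, not Threatseer's own): each
    indicator independently reduces the chance the event is benign, so
    several moderate hits compound without the total running past 100."""
    benign = 1.0
    for s in scores:
        benign *= 1.0 - max(0, min(100, s)) / 100.0
    return round((1.0 - benign) * 100)


def summarize(record_json: str) -> dict[str, Any]:
    """Turn one Threatseer server output record into an alert summary.
    Missing sections (e.g. no indicators yet) yield a low-severity summary."""
    rec = json.loads(record_json)
    ev = rec.get("event") or {}
    proc = (ev.get("Event") or {}).get("Process") or {}
    indicators = rec.get("indicators") or []
    scores = [int(i.get("Score", 0)) for i in indicators]
    combined = combine_scores(scores)
    return {
        "timestamp": rec.get("@timestamp"),
        "sensor_id": ev.get("sensor_id"),
        "container": ev.get("container_name"),
        "image": ev.get("image_name"),
        "src_ip": rec.get("src_ip"),
        "command": " ".join(proc.get("exec_command_line") or []) or proc.get("exec_filename"),
        "engines": sorted({i.get("Engine", "?") for i in indicators}),
        "rules": [i["RuleName"] for i in indicators if i.get("RuleName")],
        "max_score": max(scores, default=0),
        "combined_score": combined,
        "severity": next(label for floor, label in SEVERITY_BANDS if combined >= floor),
    }


# Constructed sample record mirroring the format above (ids and domain are placeholders).
SAMPLE_RECORD = json.dumps({
    "@timestamp": "2018-05-26T15:06:14.397Z", "src_ip": "127.0.0.1",
    "event": {"id": "EVENT_ID_PLACEHOLDER", "container_name": "/cranky_kowalevski",
              "image_id": "IMAGE_ID_PLACEHOLDER", "image_name": "alpine", "process_pid": 3789,
              "sensor_id": "SENSOR_ID_PLACEHOLDER",
              "Event": {"Process": {"type": 2, "exec_filename": "/usr/bin/dig",
                                    "exec_command_line": ["dig", "+short", "callback.example.invalid"]}}},
    "indicators": [
        {"Engine": "static", "RuleName": "", "IndicatorType": "risky_process", "Score": 70},
        {"Engine": "dynamic", "RuleName": "insider_threat", "IndicatorType": "custom", "Score": 60},
        {"Engine": "profile", "RuleName": "", "IndicatorType": "abnormal_behavior", "Score": 50}]})

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```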
See docs/ARCHITECTURE.md for more info.
Docs are sparse at the moment. Threatseer is still under heavy development.