In this article, learn more about using Auditd and Auditd Manager for detection engineering.

Introduction

Introduction to Auditd

Auditd setup

Auditd rules

Control type rules

File System Rules

System call rules

Introduction to Auditd Manager and setup

Auditd rule file troubleshooting

Analyzing Auditd Manager events

Auditd Manager detection rule examples

Potential reverse shell via UDP

Potential Meterpreter reverse shell

Linux FTP/RDP brute force attack detected

Network connection from binary with RWX memory region

Conclusion

Linux detection engineering with Auditd

This research reveals insights into some of the large-scale malware analysis performed by Elastic Security Labs, and complements research related to the Detonate framework.

Overview

Ingest pipelines

Normalization

Fingerprint calculation

Enrichment process

Ingest pipeline chaining

Component templates

Automating the process

Creating the gsub ingest pipelines

Create Custom Pipelines

Generate Enrichment Processors

Results and limitations

Visualizing results

Beyond Dynamic Malware Analysis

An Elastic approach to large-scale dynamic malware analysis

Author

Ruben Groenewoud

Articles

Linux detection engineering with Auditd

An Elastic approach to large-scale dynamic malware analysis