Syscall Logging

Dec 20, 2024

Goal: Technical solution to Tactical to Functional

Bypasses:

  • io_uring Rootkit Bypasses Linux Security Tools - ARMO

Linux

  • eBPF + Kprobes + LSM (Linux Security Module) + KRSI (Kernel Runtime Security Instrumentation)
    • Tracing System Calls Using eBPF - Part 1 | Falco
  • auditd
    • strace
      • https://man7.org/linux/man-pages/man1/strace.1.html
    • go-audit
      • slackhq/go-audit: go-audit is an alternative to the auditd daemon that ships with many distros
      • Syscall Auditing at Scale - Engineering at Slack
      • Searchable Linux Syscall Table for x86_64

Windows

  • Kernel ETW
    • Kernel ETW is the best ETW - Elastic Security Labs
  • Custom Kernel Driver
  • eBPF
    • eBPF for Windows: Main Page
  • Sense Service / SEC Provider
    • https://www.youtube.com/watch?v=tuoA3KGKf7o
    • https://github.com/threathunters-io/bluekrabsetw
  • fibratus

macOS

  • eBPF
    • Think eBPF for Kernel Security Monitoring - Eric Sage & Melissa Kilby, Apple

Relevant Note(s):

