# eBPF Canarytoken trigger

CLI tool which triggers DNS-based Canarytokens when `execve`
syscalls are invoked for programs at specified paths.
## Requirements

- go 1.18/1.19
- Linux 4.9+
- clang-11/clang-14
## Usage

First, generate a DNS Canarytoken at https://canarytokens.org/generate.
Afterwards:

```
$ make generate
$ go build
$ sudo ./ectg -hostname 6j4n7c2flo71qa0r9g0simq2r.canarytokens.com -paths /usr/bin/id,/usr/bin/whoami,/usr/bin/hostname
```

With `ectg` running, execute `whoami` in a separate shell session. The Canarytoken will trigger and an email will be sent to the address you entered when creating the token.
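The user-space half of this flow (match the path seen by `execve` against the `-paths` list, then resolve the Canarytoken hostname so the token's name server records the lookup) is shown below as an added example. It is not ectg's own code: the `ExecEvent` struct, the `Watcher` type and its cooldown are assumptions standing in for the real tracer feed, and the resolver is injected so the decision logic runs offline. The per-path cooldown is the one caveat a practitioner usually wants: without it, a script that calls `id` in a loop turns one alert into hundreds of DNS queries.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"net"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// ExecEvent is the user-space view of one execve(2) call. A tracer such as the
// eBPF program ectg loads would fill it from the kernel; here it is a
// hypothetical struct so the decision logic can run offline.
type ExecEvent struct {
	PID  uint32
	UID  uint32
	Path string // filename argument passed to execve(2)
}

// Watcher maps watched executable paths to one DNS Canarytoken and applies a
// per-path cooldown, so a loop of "id" calls does not flood the resolver.
type Watcher struct {
	hostname string
	paths    map[string]struct{}
	cooldown time.Duration
	resolve  func(host string) error // injected; lookup() in production

	mu   sync.Mutex
	last map[string]time.Time // last trigger time per watched path
}

// NewWatcher parses a comma-separated path list like the -paths flag value.
func NewWatcher(hostname, pathList string, cooldown time.Duration, resolve func(string) error) *Watcher {
	w := &Watcher{
		hostname: hostname,
		paths:    map[string]struct{}{},
		cooldown: cooldown,
		resolve:  resolve,
		last:     map[string]time.Time{},
	}
	for _, p := range strings.Split(pathList, ",") {
		if p = strings.TrimSpace(p); p != "" {
			// Clean so "/usr/bin//id" equals "/usr/bin/id"; a relative path only
			// matches if execve saw it the same way.
			w.paths[filepath.Clean(p)] = struct{}{}
		}
	}
	return w
}

// Watched reports whether an execve path is on the watch list.
func (w *Watcher) Watched(path string) bool {
	_, ok := w.paths[filepath.Clean(path)]
	return ok
}

// Handle decides whether ev should trigger the token and, if so, resolves the
// Canarytoken hostname. It returns true only when a DNS query was issued.
func (w *Watcher) Handle(ev ExecEvent, now time.Time) (bool, error) {
	if !w.Watched(ev.Path) {
		return false, nil
	}
	key := filepath.Clean(ev.Path)
	w.mu.Lock()
	if t, seen := w.last[key]; seen && now.Sub(t) < w.cooldown {
		w.mu.Unlock()
		return false, nil // still inside the cooldown window
	}
	w.last[key] = now
	w.mu.Unlock()

	// The DNS query itself is the alert: the token's authoritative server logs it.
	if err := w.resolve(w.hostname); err != nil {
		return true, fmt.Errorf("execve of %s by uid %d (pid %d): lookup failed: %w",
			ev.Path, ev.UID, ev.PID, err)
	}
	return true, nil
}

// lookup issues the real DNS query. NXDOMAIN is not treated as failure: the
// query reaching the token's name server is what counts, not the answer.
func lookup(host string) error {
	_, err := net.LookupHost(host)
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
		return nil
	}
	return err
}

func main() {
	hostname := flag.String("hostname", "", "DNS Canarytoken hostname")
	paths := flag.String("paths", "/usr/bin/id,/usr/bin/whoami", "comma-separated paths to watch")
	flag.Parse()
	w := NewWatcher(*hostname, *paths, 30*time.Second, lookup)
	// Constructed events standing in for a live tracer feed.
	for _, ev := range []ExecEvent{
		{PID: 4242, UID: 1000, Path: "/usr/bin/whoami"},
		{PID: 4243, UID: 1000, Path: "/usr/bin/ls"},
	} {
		fired, err := w.Handle(ev, time.Now())
		fmt.Printf("%-16s fired=%v err=%v\n", ev.Path, fired, err)
	}
}
```

Paths are compared after `filepath.Clean`, so a binary executed through a symlink or a relative name will not match the canonical path unless the tracer resolves it first; that is a limitation of path-based matching rather than of the token.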
## References

- https://github.com/cilium/ebpf
- https://blog.thinkst.com/2020/06/canarytokens-org-quick-free-detection-for-the-masses-2.html
- https://ebpf.io/
- https://github.com/thinkst/canaryfy
- https://blog.thinkst.com/2022/08/canaries-as-network-motion-sensors.html
- https://github.com/redcanaryco/redcanary-ebpf-sensor