Custom Sandfly Operation

How to create custom Sandflies for Linux intrusion detection and incident response.

Custom Sandflies Operation

Custom sandflies are small JSON modules that are passed to the Sandfly agentless forensic engines to investigate remote systems.

Custom sandflies can be quickly created to leverage the file, directory, log, process, user and other incident response analysis that the full Sandfly system has to offer.

Basics of Custom Sandflies

Custom sandflies look like the JSON below. We'll go over what each section means.

{
  "active": true,
  "custom": true,
  "date_added": "2021-03-14T22:33:52Z",
  "description": "Searches for generic shell commands that may be operating as a backdoor on the system (variant 1).",
  "format": "3.0",
  "max_cpu_load": 1,
  "max_disk_load": 1,
  "max_timeout": 360,
  "severity": 3,
  "name": "process_backdoor_bindshell_generic_1_test",
  "options": {
    "engines": [
      "sandfly_engine_process"
    ],
    "explanation": "The process name '{process.name}' with PID '{process.pid}' may be operating as a generic shell backdoor based on the command line contents. Check this process and any open network ports to be sure it is not malicious as it could allow remote access or exfiltration of data.",
    "process": {
      "cmdline": [
        ".*>& \\/dev\\/tcp\\/.*0>&1",
        ".*>& \\/dev\\/udp\\/.*0>&1",
        "nohup.*exec.*<>.*\\/dev\\/tcp\\/.*",
        "nohup.*exec.*<>.*\\/dev\\/udp\\/.*"
      ],
      "name": [
        ".*"
      ],
      "name_ignore": [],
      "network_ports": {
        "operating": true
      }
    },
    "response": {
      "process": {
        "kill": false,
        "suspend": false
      }
    }
  },
  "os_compat": {
    "linux": []
  },
  "tags": [
    "attack.tactic.execution",
    "attack.id.T1059",
    "attack.id.T1100",
    "process"
  ],
  "type": "process",
  "version": "2021-03-11T12:14:09"
}

Custom Sandfly Header

The header of a custom sandfly describes the sandfly to the system. It is used to organize the sandfly in the database and to display it in the UI. The default values consist of:

name - Name of the sandfly, using only lower case and underscores (_).
description - A short description of what the sandfly does, shown in the UI listing.
version - Version format for the sandfly. Please use the default and don't alter this or the Sandfly will be rejected.
type - This is either file, directory, user, process, incident or recon. Any other value is rejected.
max_timeout - Maximum number of seconds this Sandfly can run before it is stopped by the system. Maximum timeout value allowed is 1800 seconds (30 minutes). The minimum allowed is 1 second.
max_cpu_load - The relative CPU loading this sandfly may cause on the remote host. A value of 1 is the lowest and a value of 3 is the highest.
max_disk_load - The relative disk loading this sandfly may cause on the remote host. A value of 1 is the lowest and a value of 3 is the highest.
options - The options to pass to the forensic engine. This will be discussed below.
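
The header rules above can be checked locally before a custom sandfly is submitted. The following is an added example, not Sandfly's own code: lint_sandfly and the sample documents are hypothetical, and accepting digits in names is an assumption based on the sample name shown earlier on this page.

```python
import json
import re

ALLOWED_TYPES = {"file", "directory", "user", "process", "incident", "recon"}
# Assumption: digits are accepted in names, because the page's own sample
# name (process_backdoor_bindshell_generic_1_test) contains one.
NAME_RE = re.compile(r"[a-z0-9_]+")
# (field, minimum, maximum) as stated in the header field descriptions.
RANGES = (("max_timeout", 1, 1800), ("max_cpu_load", 1, 3), ("max_disk_load", 1, 3))


def lint_sandfly(text):
    """Return a list of header problems in a custom sandfly JSON document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    name = doc.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        problems.append(f"name: {name!r} must use lower case and underscores only")
    kind = doc.get("type")
    if not isinstance(kind, str) or kind not in ALLOWED_TYPES:
        problems.append(f"type: {kind!r} is not an accepted type")
    for key, low, high in RANGES:
        value = doc.get(key)
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{key}: expected an integer, got {value!r}")
        elif not low <= value <= high:
            problems.append(f"{key}: {value} is outside {low}..{high}")
    if not isinstance(doc.get("options"), dict):
        problems.append("options: must be a JSON object")
    return problems

# Constructed samples: GOOD reuses header values from the page's example,
# BAD breaks the name, type and max_timeout rules.
GOOD = json.dumps({"name": "process_backdoor_bindshell_generic_1_test",
                   "type": "process", "max_timeout": 360, "max_cpu_load": 1,
                   "max_disk_load": 1, "options": {}})
BAD = json.dumps({"name": "Process-Backdoor", "type": "network",
                  "max_timeout": 3600, "max_cpu_load": 1,
                  "max_disk_load": 1, "options": {}})

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_sandfly(sample) or "ok")
```
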

Custom Sandfly Options

The options area of the custom sandfly is where the parameters for searching are passed to the agentless forensic engines. See the next section on how this works.

