Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.

Sandfly Threats Detected

This is the full list of Linux threats Sandfly can detect.

Below are the sandflies that run against hosts, with a brief description of the attacks each one detects. Note that each sandfly can check for many related problems, so the number of individual checks actually performed is many times larger than this list.

The random scheduler pulls from this pool of sandflies and runs them at unpredictable times and in unpredictable quantities. This gives you full coverage of threats many times a day without overwhelming your systems with heavy scan activity.

Sandfly can detect many kinds of Linux attacks and post-compromise activity automatically with full forensic information supplied when a problem is found.

Sandfly Name
Sandfly Description

sandfly_dirs_hidden_bin

Looks for hidden directories in /bin, /sbin, /usr/bin, and /usr/sbin.

sandfly_dirs_hidden_dev

Looks for hidden directories in the /dev directory.

sandfly_dirs_hidden_dev_shm

Looks for hidden directories in the /dev/shm directory.

sandfly_dirs_hidden_lib

Looks for hidden directories in /lib, /var/lib, etc.

sandfly_dirs_hidden_suspicious_anywhere

Looks for hidden directory names that are extremely suspicious anywhere on the file system.

sandfly_dirs_hidden_suspicious_bin

Looks for hidden directory names that are extremely suspicious under /bin directories.

sandfly_dirs_hidden_suspicious_dev

Looks for hidden directory names that are extremely suspicious under /dev directories.

sandfly_dirs_hidden_suspicious_etc

Looks for hidden directory names that are extremely suspicious under /etc directories.

sandfly_dirs_hidden_suspicious_lib

Looks for hidden directory names that are extremely suspicious under /lib directories.

sandfly_dirs_hidden_suspicious_root

Looks for hidden directory names that are extremely suspicious under the / top-level directory.

sandfly_dirs_hidden_suspicious_run

Looks for hidden directory names that are extremely suspicious under /run and /var/run directories.

sandfly_dirs_hidden_suspicious_system

Looks for hidden directory names that are extremely suspicious under /boot, /sys, and /lost+found directories.

sandfly_dirs_hidden_suspicious_tmp

Looks for hidden directory names that are extremely suspicious under /tmp directories.

sandfly_dirs_hidden_suspicious_user_home_dir

Looks for hidden directory names that are extremely suspicious under a user's home directory.

sandfly_dirs_hidden_suspicious_usr_games

Looks for hidden directory names that are extremely suspicious under /usr/games and /usr/share/games directories.

sandfly_dirs_hidden_suspicious_usr_include

Looks for hidden directory names that are extremely suspicious under /usr/include.

sandfly_dirs_hidden_suspicious_usr_local

Looks for hidden directory names that are extremely suspicious under /usr/local directories.

sandfly_dirs_hidden_suspicious_usr_share

Looks for hidden directory names that are extremely suspicious under /usr/share directories.

sandfly_dirs_hidden_suspicious_var

Looks for hidden directory names that are extremely suspicious under /var directories.

sandfly_dirs_hidden_system

Looks for hidden directories in various system directories (/boot, /lost+found).

sandfly_dirs_hidden_usr_games

Looks for hidden directories under /usr/games or /usr/share/games.

sandfly_dirs_hidden_usr_share_man

Looks for hidden directories under /usr/share/man.

sandfly_dirs_link_count_wrong_anywhere

Looks for an inconsistent link count anywhere on the file system. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_bin

Looks for an inconsistent link count for bin directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_dev

Looks for an inconsistent link count for dev directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_etc

Looks for an inconsistent link count for /etc. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_lib

Looks for an inconsistent link count for top level system lib directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_root

Looks for an inconsistent link count for the top level / directory. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_system

Looks for an inconsistent link count for top level system directories. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_usr

Looks for an inconsistent link count for the top level /usr directory. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_usr_games

Looks for an inconsistent link count for /usr/games, /usr/share/games. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_usr_local

Looks for an inconsistent link count for /usr/local. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_usr_share

Looks for an inconsistent link count for /usr/share. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_dirs_link_count_wrong_var

Looks for an inconsistent link count for the top level /var directory. This means there is a directory present, but it is being hidden from view likely by a stealth rootkit.

sandfly_file_bin_false_shell

Looks to see if a system shell has been renamed to /bin/false to hide the fact that an account can login.

sandfly_file_binary_encrypted_anywhere

Looks for an encrypted or packed binary anywhere on the file system.

sandfly_file_binary_encrypted_in_cron_dir

Looks for an encrypted or packed binary in system cron directories.

sandfly_file_binary_encrypted_in_dev_dir

Looks for an encrypted or packed binary in system dev directories.

sandfly_file_binary_encrypted_in_etc_dir

Looks for an encrypted or packed binary in system etc directories.

sandfly_file_binary_encrypted_in_run_dir

Looks for an encrypted or packed binary in system run directories.

sandfly_file_binary_encrypted_in_system_dir

Looks for an encrypted or packed binary in system directories such as /boot, /lost+found, and similar.

sandfly_file_binary_encrypted_in_tmp_dir

Looks for an encrypted or packed binary in system temp directories.

sandfly_file_binary_hidden_anywhere

Looks for executable files hidden anywhere on the file system.

sandfly_file_binary_hidden_in_bin_dir

Looks for executable files hidden in system binary directories.

sandfly_file_binary_hidden_in_dev_dir

Looks for executable files hidden in the system /dev directory.

sandfly_file_binary_hidden_in_etc_dir

Looks for executable files hidden in the /etc directory.

sandfly_file_binary_hidden_in_lib_dir

Looks for executable files hidden in system lib directories.

sandfly_file_binary_hidden_in_root_dir

Looks for executable files hidden in the top level directory.

sandfly_file_binary_hidden_in_run_dir

Looks for executable files hidden in the system /run directory.

sandfly_file_binary_hidden_in_tmp_dir

Looks for executable files hidden in system temp directories.

sandfly_file_binary_in_cron_dir

Looks for executable files in system cron directories.

sandfly_file_binary_in_dev_dir

Looks for executable files in the system /dev directory.

sandfly_file_binary_in_etc_dir

Looks for executable files in the system /etc directory.

sandfly_file_binary_in_run_dir

Looks for executable files in system run directories.

sandfly_file_binary_in_tmp_dir

Looks for executable files in system temp directories.

sandfly_file_binary_masquerade_type_mismatch_anywhere

Looks for Linux executables named with a common non-executable extension to masquerade their presence anywhere on the file system.

sandfly_file_binary_masquerade_type_mismatch_in_dev_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in a system device directory.

sandfly_file_binary_masquerade_type_mismatch_in_etc_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in the /etc directory.

sandfly_file_binary_masquerade_type_mismatch_in_lib_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in a system library directory.

sandfly_file_binary_masquerade_type_mismatch_in_root_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in the top-level root directory.

sandfly_file_binary_masquerade_type_mismatch_in_run_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in the /run directory.

sandfly_file_binary_masquerade_type_mismatch_in_system_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in the /boot or /lost+found directories.

sandfly_file_binary_masquerade_type_mismatch_in_tmp_dir

Looks for Linux executables named with a common non-executable extension to masquerade their presence in a system temp directory.

sandfly_file_binary_system_in_dev_dir

Looks to see if a system binary is in /dev where it shouldn't be.

sandfly_file_binary_system_in_etc_dir

Looks to see if a system binary is in /etc where it shouldn't be.

sandfly_file_binary_system_in_root_dir

Looks to see if a system binary is in the top level directory where it shouldn't be.

sandfly_file_binary_system_in_run_dir

Looks to see if a system binary is in /run or /var/run where it shouldn't be.

sandfly_file_binary_system_in_system_dir

Looks to see if a system binary is in a system dir like /boot, /lost+found, and similar where it shouldn't be.

sandfly_file_binary_system_in_tmp_dir

Looks to see if a system binary is in /tmp where it shouldn't be.

sandfly_file_binary_system_in_usr_games_dir

Looks to see if a system binary is in /usr/games or /usr/share/games where it shouldn't be.

sandfly_file_binary_system_in_usr_share_man_dir

Looks to see if a system binary is in /usr/share/man where it shouldn't be.

sandfly_file_binary_system_in_var_dir

Looks to see if a system binary is in /var where it shouldn't be.

sandfly_file_binary_system_link_in_dev_dir

Looks to see if a system binary is linked from dev directories.

sandfly_file_binary_system_link_in_tmp_dir

Looks to see if a system binary is linked from temp directories.

sandfly_file_binary_system_poisoned

Looks for system commands that have been poisoned to run malicious code when executed.

sandfly_file_binary_system_renamed_hidden

Looks to see if a system binary has been renamed to a hidden file that still resides in system bin directories.

sandfly_file_masquerade_type_mismatch_anywhere

Looks for common files masquerading as one type when they are really another type anywhere on the file system.

sandfly_file_modules_size_mismatch

Looks for loadable kernel module config files that are being altered by a stealth rootkit to hide entries.

sandfly_file_pcap_anywhere

Looks for packet capture pcap files anywhere on the file system.

sandfly_file_pcap_hidden_anywhere

Looks for hidden packet capture pcap files anywhere on the file system.

sandfly_file_pcap_in_bin_dir

Looks for packet capture pcap files in the system binary directories.

sandfly_file_pcap_in_cron_dir

Looks for packet capture pcap files in the system cron directories.

sandfly_file_pcap_in_dev_dir

Looks for packet capture pcap files in the /dev directory.

sandfly_file_pcap_in_etc_dir

Looks for packet capture pcap files in the system /etc directory.

sandfly_file_pcap_in_lib_dir

Looks for packet capture pcap files in the system library directories.

sandfly_file_pcap_in_root_dir

Looks for packet capture pcap files in the top-level system root directory.

sandfly_file_pcap_in_run_dir

Looks for packet capture pcap files in the system run directories.

sandfly_file_pcap_in_tmp_dir

Looks for packet capture pcap files in the system temp directories.

sandfly_file_pcap_in_var_dir

Looks for packet capture pcap files in the system /var directories.

sandfly_file_rootkit_generic

Looks for a variety of common Linux rootkit files and directories present on a system.

sandfly_file_sbin_nologin_shell

Looks to see if a system shell has been renamed to /sbin/nologin or /usr/sbin/nologin to hide the fact that an account can login.

sandfly_file_shell_renamed_anywhere

Looks to see if a system shell has been renamed to something else and put anywhere on the file system.

sandfly_file_shell_renamed_bin_dir

Looks to see if a system shell has been renamed to something else and put in the system binary directories.

sandfly_file_startup_script_cloaked

Looks for common start-up scripts that have cloaked entries from a stealth rootkit.

sandfly_file_suid_root_binary_in_dev_dir

Looks to see if a SUID root binary is present in /dev directories.

sandfly_file_suid_root_binary_in_etc_dir

Looks to see if a SUID root binary is present in /etc directories.

sandfly_file_suid_root_binary_in_run_dir

Looks to see if a SUID root binary is present in /run directories.

sandfly_file_suid_root_binary_in_system_dir

Looks to see if a SUID root binary is present in /boot, /sys and /lost+found.

sandfly_file_suid_root_binary_in_tmp_dir

Looks to see if a SUID root binary is present in /tmp directories.

sandfly_file_suid_root_binary_in_usr_games_dir

Looks to see if a SUID root binary is present in /usr/games or /usr/share/games directories.

sandfly_file_suid_root_binary_in_usr_share_dir

Looks to see if a SUID root binary is present in /usr/share directories.

sandfly_file_suid_root_binary_in_usr_share_man_dir

Looks to see if a SUID root binary is present in /usr/share/man directories.

sandfly_file_suid_sgid_binary_anywhere

Looks for all binaries on the disk that are set SUID or SGID for any user.

sandfly_file_suid_sgid_editor

Looks to see if a common system editor like vi or nano is set SUID or SGID for any user to enable privilege escalation.

sandfly_file_suid_sgid_root_binary_anywhere

Looks for all SUID or SGID root binaries on the disk.

sandfly_file_suid_sgid_shell

Looks to see if common system shells have been set SUID or SGID for any user.

sandfly_file_suspicious_named_pipe_in_bin_dir

Looks for suspicious named pipe device files under system binary directories. This is common with some kinds of backdoors.

sandfly_file_suspicious_named_pipe_in_dev_dir

Looks for suspicious named pipe device files under /dev directories. This is common with some kinds of backdoors.

sandfly_file_suspicious_named_pipe_in_etc_dir

Looks for suspicious named pipe device files under /etc directories. This is common with some kinds of backdoors.

sandfly_file_suspicious_named_pipe_in_lib_dir

Looks for suspicious named pipe device files under system library directories. This is common with some kinds of backdoors.

sandfly_file_suspicious_named_pipe_in_run_dir

Looks for suspicious named pipe device files under /run directories. This is common with some kinds of backdoors.

sandfly_file_suspicious_named_pipe_in_system_dir

Looks for suspicious named pipe device files in the system directories /boot, /sys, and /lost+found. This is common with some kinds of backdoors.

sandfly_file_suspicious_named_pipe_in_tmp_dir

Looks for suspicious named pipe device files in /tmp. This is common with some kinds of backdoors.

sandfly_file_suspicious_run_pid_binary

Looks for process PID files that are really binary executable files in disguise.

sandfly_file_suspicious_run_pid_encrypted

Looks for process PID files that appear to be encrypted data and not process information.

sandfly_file_suspicious_run_pid_not_integer

Looks for process PID files that contain more than just a standard integer value.

sandfly_file_suspicious_run_pid_too_big

Looks for process PID files that are too big to contain only running process data.

sandfly_log_tampering_btmp_zeroed_record

Looks for evidence that user entries were zeroed out from the btmp file to hide login activity.

sandfly_log_tampering_dropper_in_tmp_dir

Looks for log cleaning dropper files left behind in /tmp.

sandfly_log_tampering_lastlog_wtmp_missing_record

Compares lastlog entries against wtmp entries to see if any have been removed to conceal login activity.

sandfly_log_tampering_mig

Looks for signs that the MIG log cleaning tool has been run on the host.

sandfly_log_tampering_sloppy

Looks for sloppy log tampering, such as deleting system logs and replacing them with zero-byte files.

sandfly_log_tampering_utmp_zeroed_record

Looks for evidence that user entries were zeroed out from the utmp file to hide login activity.

sandfly_log_tampering_wtmp_lastlog_zero_size

Looks to see if the system wtmp and lastlog audit records have been erased and made zero bytes long.

sandfly_log_tampering_wtmp_utmp_lastlog_missing

Looks to see if the system wtmp, utmp, and lastlog files are missing. Deleting these files disables login accounting on the system to hide activity.

sandfly_log_tampering_wtmp_zeroed_record

Looks for evidence that user entries were zeroed out from the wtmp file to hide login activity.

sandfly_os_identify

This sandfly returns remote OS version information.

sandfly_process_backdoor_bindshell_generic

Looks for system shells operating as a reverse or standard bindshell backdoor.

sandfly_process_backdoor_bindshell_netcat

Looks for netcat running as a reverse or standard bindshell backdoor on the system.

sandfly_process_backdoor_bindshell_perl

Looks for perl scripts running as a reverse or standard bindshell backdoor on the system.

sandfly_process_backdoor_bindshell_php

Looks for php scripts running as a reverse or standard bindshell backdoor on the system.

sandfly_process_backdoor_bindshell_python

Looks for python scripts running as a reverse or standard bindshell backdoor on the system.

sandfly_process_backdoor_bindshell_ruby

Looks for ruby scripts running as a reverse or standard bindshell backdoor on the system.

sandfly_process_backdoor_bindshell_telnet

Looks for telnet running as a reverse or standard bindshell backdoor on the system.

sandfly_process_deleted_listening_network_port

Looks for any process that is running with a listening network port, but has been deleted from the disk.

sandfly_process_deleted_listening_raw_socket

Looks for any process that is running with a raw socket, but has been deleted from the disk.

sandfly_process_deleted_outbound_network_port

Looks for any process that is running with a connected outbound port, but has been deleted from the disk.

sandfly_process_deleted_running

Looks for processes that are running, but the executable has been deleted from the disk.

sandfly_process_history_anti_forensics

Checks any running process for signs that history file anti-forensics are in use.

sandfly_process_listening_network_port_running_from_dev_dir

Looks for processes listening on a network port running out of dev directories.

sandfly_process_listening_network_port_running_from_proc_dir

Looks for processes listening on a network port running out of the /proc directory.

sandfly_process_listening_network_port_running_from_tmp_dir

Looks for processes listening on a network port running out of tmp directories.

sandfly_process_listening_raw_socket

Looks for any process that is running with a raw socket listening. This could be a backdoor or other malicious program.

sandfly_process_listening_raw_socket_icmp

Looks for any process that is running with raw sockets listening for ICMP packets. This could be a sniffer or backdoor.

sandfly_process_listening_raw_socket_tcp

Looks for any process that is running with raw sockets listening for TCP packets. This could be a sniffer or backdoor.

sandfly_process_listening_raw_socket_udp

Looks for any process that is running with raw sockets listening for UDP packets. This could be a sniffer or backdoor.

sandfly_process_listening_raw_socket_unknown_protocol

Looks for any process that is running with raw sockets listening for unknown protocols. This could be a sniffer or backdoor.

sandfly_process_masquerade_any

Looks for any process that is identical to another running process but has a different name.

sandfly_process_masquerade_mixed_case

Looks for any process that is using mixed case in the name to masquerade as another process.

sandfly_process_masquerade_netcat

Looks for a process that is really netcat, but is masquerading under a different name.

sandfly_process_masquerade_shell

Looks for a process that is really a shell, but is masquerading under a different name.

sandfly_process_masquerade_socat

Looks for a process that is really socat, but is masquerading under a different name.

sandfly_process_masquerade_strace

Looks for a process that is really strace, but is masquerading under a different name.

sandfly_process_masquerade_tcpdump

Looks for a process that is really tcpdump, but is masquerading under a different name.

sandfly_process_module_hidden

Looks for loadable kernel modules that are hiding from view by a stealth rootkit.

sandfly_process_pcap_file_open

Looks for running processes that have a pcap packet capture file open on the disk, indicating they are operating as a sniffer.

sandfly_process_persistence_at_job_malicious

Looks for scheduled at jobs that are suspicious or malicious.

sandfly_process_persistence_cron_malicious

Looks for scheduled cron tasks that are suspicious or malicious.

sandfly_process_running_dot_hidden

Looks for running processes that are named like a Unix hidden file (i.e. with a period at the start of the name).

sandfly_process_running_from_dev_dir

Looks for processes that are running out of /dev.

sandfly_process_running_from_hidden_bin_dir

Looks for processes that are running out of a hidden directory under a system binary directory.

sandfly_process_running_from_hidden_dev_dir

Looks for processes that are running out of a hidden directory under the /dev directory.

sandfly_process_running_from_hidden_dir_anywhere

Looks for processes that are running out of a hidden directory anywhere in their path.

sandfly_process_running_from_hidden_etc_dir

Looks for processes that are running out of a hidden directory under the /etc directory.

sandfly_process_running_from_hidden_lib_dir

Looks for processes that are running out of a hidden directory under a system library directory.

sandfly_process_running_from_hidden_root_dir

Looks for processes that are running out of a hidden directory under the root (/) level directory.

sandfly_process_running_from_hidden_run_dir

Looks for processes that are running out of a hidden directory under the /run directory.

sandfly_process_running_from_hidden_system_dir

Looks for processes that are running out of a hidden directory under a system directory such as /boot, /lost+found or /sys.

sandfly_process_running_from_hidden_tmp_dir

Looks for processes that are running out of a hidden directory under a system temp directory.

sandfly_process_running_from_hidden_usr_dir

Looks for processes that are running out of a hidden directory under the /usr directory.

sandfly_process_running_from_hidden_var_dir

Looks for processes that are running out of a hidden directory under the /var directory.

sandfly_process_running_from_proc_dir

Looks for processes that are running out of /proc.

sandfly_process_running_from_root_homedir

Looks for processes that are running out of the root user's home directory.

sandfly_process_running_from_suspicious_dir

Looks for processes that are running from a suspiciously named directory.

sandfly_process_running_from_system_dir

Looks for processes that are running out of /boot, /sys and /lost+found directories.

sandfly_process_running_from_tmp_dir

Looks for processes that are running out of /tmp directories.

sandfly_process_running_single_char

Looks for processes that are named with just one character, which is commonly done with malware.

sandfly_process_script_perl_in_dev_dir

Looks for perl scripts running out of dev directories.

sandfly_process_script_perl_in_tmp_dir

Looks for perl scripts running out of tmp directories.

sandfly_process_script_php_in_dev_dir

Looks for php scripts running out of dev directories.

sandfly_process_script_php_in_tmp_dir

Looks for php scripts running out of tmp directories.

sandfly_process_script_python_in_dev_dir

Looks for python scripts running out of dev directories.

sandfly_process_script_python_in_tmp_dir

Looks for python scripts running out of tmp directories.

sandfly_process_shell_history_anti_forensics

Checks running shell processes for signs that history file anti-forensics are in use.

sandfly_process_strace_running

Looks for the strace command running on the remote host for an extended period.

sandfly_process_strace_ssh_keylogger

Looks for the strace command being used as a keylogger against SSH.

sandfly_process_suspicious_whitespace_as_name

Looks for processes whose name consists only of whitespace. This can conceal a malicious process name as one that looks legitimate.

sandfly_process_suspicious_whitespace_in_name

Looks for processes with whitespace at the beginning or end of the name. This can conceal a malicious process name as one that looks legitimate.

sandfly_user_history_dev_null

Looks to see if a user's history file is linked to /dev/null, which conceals command history.

sandfly_user_history_file_for_inactive_user

Looks for inactive accounts with a valid shell history file in their home directories indicating a login has happened.

sandfly_user_homedir_dev_null

Checks if a user's home directory is /dev/null, which is sometimes done by attackers to conceal activity.

sandfly_user_list_root_users_not_root

Lists UID 0 (root-equivalent) users that are not named root, which is done to hide superuser accounts.

sandfly_user_no_password

Looks for any user with no password set.

sandfly_user_scripts_history_anti_forensics

Checks user login and logout scripts for anti-forensic tactics to prevent logging their command history.

sandfly_user_scripts_login_malicious

Checks user login scripts for malicious commands that can compromise the system.

sandfly_user_ssh_authorized_keys_inactive_user

Looks for inactive accounts with valid ssh login keys in their home directory.
