Huakiwi is an EDR powered by eBPF and Sigma.
Huakiwi is named after Leioproctus huakiwi, a species of bee endemic to New Zealand.
credit: hasherezade
- kernel 4.4+ (go-ebpf requirement)
- LLVM/Clang
Simply run make after cloning the repo.
It should generate a portable, statically-linked binary.
git clone https://github.com/bm9w/huakiwi
cd huakiwi
make
Current rules (almost all of them are borrowed from Elastic's public repo of SIEM detection rules):
- Potential Protocol Tunneling via EarthWorm
- Compression of Sensitive Files
- Potential OpenSSH Backdoor Logging Activity
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Logging
- Base16 or Base32 Encoding/Decoding Activity
- Tampering of Bash Command-Line History
- Potential Disabling of SELinux
- File Deletion via Shred
- Removing a kernel module
- System Log File Deletion
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python
- Modification of Dynamic Linker Preload Shared Object
- Use of raw networking tools
- Use of iodine DNS tunnel
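As an added example (not Huakiwi's own code), here is a minimal Sigma-style matcher in Python run over constructed process events of the kind an eBPF file/exec probe would emit. The two rules, their field names and the package-manager filter are assumptions modelled on entries in the list above, not the project's actual rules.

```python
import fnmatch
# Hypothetical rules in Sigma's detection schema (assumed, not Huakiwi's own),
# modelled on two entries in the rule list above.
RULES = [
    {"title": "Modification of Dynamic Linker Preload Shared Object",
     "detection": {
         "selection": {"event.action": "file_write", "file.path": "/etc/ld.so.preload"},
         # package managers rewrite this file legitimately, so they are filtered out
         "filter": {"process.executable|startswith": ["/usr/bin/dpkg", "/usr/bin/rpm"]},
         "condition": "selection and not filter"}},
    {"title": "Tampering of Bash Command-Line History",
     "detection": {
         "selection": {"event.action": "exec",
                       "process.args|contains": ["unset HISTFILE", "HISTFILESIZE=0", "history -c"]},
         "condition": "selection"}},
]
# Constructed events of the shape an eBPF file/exec probe could emit.
EVENTS = [
    {"event.action": "file_write", "file.path": "/etc/ld.so.preload", "process.executable": "/usr/bin/python3"},
    {"event.action": "file_write", "file.path": "/etc/ld.so.preload", "process.executable": "/usr/bin/dpkg"},
    {"event.action": "exec", "process.args": "export HISTFILESIZE=0"},
    {"event.action": "exec", "process.args": "ls -la /etc"},
]

# Sigma value modifiers; no modifier means an exact match where * and ? act as wildcards.
_MODS = {"contains": lambda v, p: p in v, "startswith": str.startswith,
         "endswith": str.endswith, "": fnmatch.fnmatchcase}

def _value_matches(value, pattern, modifier):
    if value is None:  # field absent from the event never matches
        return False
    return _MODS[modifier](str(value).lower(), str(pattern).lower())  # Sigma matches case-insensitively

def _block_matches(event, block):
    # Fields inside one map block are ANDed; a list of values for a field is ORed.
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_value_matches(event.get(field), p, modifier) for p in values):
            return False
    return True

def rule_matches(rule, event):
    det = rule["detection"]
    hit = {k: _block_matches(event, b) for k, b in det.items() if k != "condition"}
    if det["condition"] == "selection and not filter":  # only the two condition shapes used above
        return hit["selection"] and not hit["filter"]
    return hit["selection"]  # condition "selection"

def alerts(rules=RULES, events=EVENTS):
    """Return (event index, rule title) for every rule that fires on an event."""
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules if rule_matches(r, e)]
```

Running alerts() flags the python3 write to /etc/ld.so.preload and the HISTFILESIZE=0 command, while the dpkg write is suppressed by the filter.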
Contributions welcome!