Linux Threats Detected
Sandfly Hunts for the Common and Uncommon Threats Against Linux
Sandfly hunts for the building blocks that make an attack work, not on static signatures. Instead of getting on a hamster wheel of constantly outdated signature updates, Sandfly looks for specific indicators of compromise that are common with attacks that never go out of date.
Our unique focus gives us the industry leading threat coverage for Linux exploits and compromise detection. Sandfly can easily find common and not-so-common rootkits, malware and suspicious activity lurking on your Linux infrastructure without the risk of loading agents on any endpoint.
Hunting for Linux Threats
Sandfly has a large and growing list of threats it can detect.
Want to see Sandfly hunt for Linux attacks?Protect Hosts Now
Modular Intrusion Detection and Response
Sandfly is an agentless Linux security platform that constantly hunts for intruders. When threats are found, Sandfly becomes an expert forensic investigator providing specific information on what is happening.
For security and incident response teams, we allow you to write your own custom sandfly checks in an easy to learn syntax. You can custom craft your own threat hunting checks and deploy them instantly without loading any software or updates across your Linux systems.
The modular approach we use means that more detection methods are being added all the time to enhance our capability.
We currently have over 1,000 security and incident response modules designed specifically for Linux, and the list grows each day. Below is a list of just some of the threats we hunt for on Linux.
Linux Intrusion, Compromise & Malware Threats Detected
- Loadable Kernel Module stealth rootkit detection
- Standard rootkit detection
- Cryptocurrency and cryptominer detection
- Hidden and suspicious directories
- Hidden and suspicious processes
- Processes performing suspicious network activity
- Process masquerading
- File masquerading and hiding
- Poisoned system commands
- Cloaked data from stealth rootkits
- Tampered system start-up scripts
- Encrypted and suspicious executable files
- Unusual system binaries
- Suspicious users and permissions
- Hidden executables
- System shells being used or concealed in suspicious ways
- Process injection
- Reverse bindshell exploits
- Standard bindshell exploits
- Compromised websites
- Tampered audit records
- Destroyed audit records
- Webshells and backdoors
- Anti-forensics activity
- Cloaked backdoors
- Privilege escalation backdoors
- Malware persistence mechanisms
- SSH keys being misused or orphaned
- Suspicious user login and logout activities
- Suspicious cron job and other scheduled tasks
- Linux malware and Advanced Persistent Threat activity
- Distributed Denial of Service (DDoS) agents
- Password and network sniffers
- Many others!
An Expanding Detection Net
Sandfly is constantly looking for anything that is suspicious on your Linux hosts. With new sandflies being added all the time, Sandfly is able to provide a thorough detection net for your computers without the hassle of agents or piles of false alarms.