https://github.com/ursachec/ectg
eBPF Canarytoken trigger
- Host: GitHub
- URL: https://github.com/ursachec/ectg
- Owner: ursachec
- License: mit
- Created: 2023-01-08T15:54:19.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-01-15T19:30:32.000Z (over 3 years ago)
- Last Synced: 2025-05-03T10:42:22.406Z (about 1 year ago)
- Topics: canarytokens, ebpf
- Language: C
- Homepage:
- Size: 54.7 KB
- Stars: 4
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ectg
_eBPF Canarytoken trigger_.
CLI tool which triggers DNS-based Canarytokens when the `execve` syscall is invoked for programs at the specified paths.
### Requirements
- go 1.18/1.19
- Linux 4.9+
- clang-11/clang-14
### Build & Run
First, generate a DNS Canarytoken at https://canarytokens.org/generate.
Afterwards:
```shell
$ make generate
$ go build
$ sudo ./ectg -hostname 6j4n7c2flo71qa0r9g0simq2r.canarytokens.com -paths /usr/bin/id,/usr/bin/whoami,/usr/bin/hostname
```
With `ectg` running, execute `whoami` in a separate shell session — the Canarytoken will trigger and an email will be sent to the address you entered when creating the token.
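The user-space side of what the README describes, written here as an added illustration rather than code from the ectg project: each `execve` event (delivered by the eBPF probe in the real tool) is matched exactly against the `-paths` list, and a match fires the token simply by resolving its hostname. `Resolver`, `RecordingResolver`, `Trigger` and the `EXAMPLE-TOKEN` placeholder hostname are this example's own constructions.

```go
package main

import (
	"context"
	"strings"
)

// Resolver abstracts the DNS lookup so the trigger can run offline; in a
// real run net.DefaultResolver satisfies it.
type Resolver interface {
	LookupHost(ctx context.Context, host string) ([]string, error)
}

// RecordingResolver is a constructed stand-in that records the hostnames
// it is asked for instead of sending queries.
type RecordingResolver struct{ Queried []string }

func (r *RecordingResolver) LookupHost(_ context.Context, host string) ([]string, error) {
	r.Queried = append(r.Queried, host)
	return []string{"192.0.2.1"}, nil // RFC 5737 documentation address, not a real answer
}

// Trigger pairs the token hostname with the set of watched executable paths.
type Trigger struct {
	Hostname string
	Paths    map[string]bool
	Resolver Resolver
}

// NewTrigger parses a comma-separated list in the style of ectg's -paths flag.
func NewTrigger(hostname, paths string, r Resolver) *Trigger {
	t := &Trigger{Hostname: hostname, Paths: map[string]bool{}, Resolver: r}
	for _, p := range strings.Split(paths, ",") {
		if p = strings.TrimSpace(p); p != "" {
			t.Paths[p] = true
		}
	}
	return t
}

// OnExec handles one execve event. filename is the path the kernel received
// as the first execve argument, not a resolved symlink target, so the match is
// exact: the same binary reached via another path will not fire. Any
// resolution of the token hostname is enough to alert; the answer is ignored.
func (t *Trigger) OnExec(ctx context.Context, filename string) (bool, error) {
	if !t.Paths[filename] {
		return false, nil
	}
	_, err := t.Resolver.LookupHost(ctx, t.Hostname)
	return err == nil, err
}
```

Swapping `RecordingResolver` for `net.DefaultResolver` turns the match into a real query to the token's authoritative server, which is what produces the alert email.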
### References
- https://github.com/cilium/ebpf
- https://blog.thinkst.com/2020/06/canarytokens-org-quick-free-detection-for-the-masses-2.html
- https://ebpf.io/
- https://github.com/thinkst/canaryfy
- https://blog.thinkst.com/2022/08/canaries-as-network-motion-sensors.html
- https://github.com/redcanaryco/redcanary-ebpf-sensor