Shell Command Monitoring with eBPF

Product Category

Endpoint Detection and Response (EDR)

Objective

Capture detailed telemetry for shell commands executed on Linux systems, including internal (builtin) commands, which have no associated executable binary and therefore never produce an execve() event, and the links between piped commands, which per-process execution events do not show, to extend endpoint detection and response (EDR) coverage beyond process-execution monitoring.

Details

Shells Monitored: sh, bash, dash, zsh, and pwsh (PowerShell).

Data Captured:

  • Command executed, including arguments
  • I/O redirection details
  • Connection between piped commands
  • User initiating the command and the context in which it was run
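As an added example (not code from the original page or the product it describes), the following Python turns a captured command line into the telemetry fields listed above. An eBPF collector would obtain the line from the shell process itself (one common approach is a uprobe on the shell's line-reading function) and the user and process context from the kernel; here both are supplied as constructed sample input. The builtin list, operator set, field names and the sample command are assumptions made for illustration.

```python
import re

# Commands the shell runs in-process (no fork/execve), so an exec-based sensor
# never sees them. Illustrative subset, assumed rather than taken from the page.
SHELL_BUILTINS = {"cd", "export", "unset", "alias", "source", ".", "eval", "exec",
                  "read", "set", "ulimit", "umask", "echo", "printf", "pwd", "kill",
                  "test", "[", ":", "true", "false", "trap", "history"}
# Operators, longest alternatives first so "&&" is not read as "&" then "&".
OP_RE = re.compile(r"\|\||&&|>>|>&|<&|&>|\||;|>|<|&")
SEPARATORS = {";", "&&", "||", "&"}      # end one command, start the next


def tokenize(line):
    """Split a line into ("word", text) / ("op", text) tokens, honouring quotes and
    backslashes. A bare digit written directly before < or > is folded into the
    operator (2>&1, 2>/dev/null), the IO_NUMBER rule of the POSIX shell grammar."""
    tokens, word, quote, i = [], "", None, 0

    def flush():
        nonlocal word
        if word:
            tokens.append(("word", word))
        word = ""

    while i < len(line):
        c = line[i]
        if quote:                                # inside '...' or "..."
            if c == quote:
                quote = None
            else:
                word += c
            i += 1
        elif c in "'\"":
            quote, i = c, i + 1
        elif c == "\\" and i + 1 < len(line):    # backslash escape
            word, i = word + line[i + 1], i + 2
        elif (m := OP_RE.match(line, i)):
            op = m.group(0)
            if word.isdigit() and op[0] in "<>":
                op, word = word + op, ""         # fd prefix belongs to the operator
            flush()
            tokens.append(("op", op))
            i = m.end()
        elif c.isspace():
            flush()
            i += 1
        else:
            word, i = word + c, i + 1
    flush()
    return tokens


def parse_line(line):
    """Group tokens into commands, each a pipeline of stages with redirections."""
    commands, pipeline, argv, redirects = [], [], [], []

    def close_stage():
        if argv or redirects:
            pipeline.append({"argv": list(argv), "redirects": list(redirects),
                             "builtin": bool(argv) and argv[0] in SHELL_BUILTINS})
        argv.clear()
        redirects.clear()

    def close_command(sep):
        close_stage()
        if pipeline:
            commands.append({"pipeline": list(pipeline), "separator": sep})
        pipeline.clear()

    toks, i = tokenize(line), 0
    while i < len(toks):
        kind, text = toks[i]
        i += 1
        if kind == "word":
            argv.append(text)
        elif text == "|":                        # stage n feeds stage n+1
            close_stage()
        elif text in SEPARATORS:
            close_command(text)
        else:                                    # redirection consumes its target
            target = None
            if i < len(toks) and toks[i][0] == "word":
                target, i = toks[i][1], i + 1
            redirects.append((text, target))
    close_command("")                            # "" marks end of line
    return commands


def exec_visibility(commands):
    """Program names an execve()-based sensor sees (external binaries) versus those
    only shell-level telemetry captures (builtins that never leave the shell)."""
    seen, missed = [], []
    for stage in (s for c in commands for s in c["pipeline"] if s["argv"]):
        (missed if stage["builtin"] else seen).append(stage["argv"][0])
    return seen, missed


def build_event(line, context):
    """Telemetry record: parsed commands plus the user/process context a collector
    reads from the kernel (passed in here as constructed sample input)."""
    commands = parse_line(line)
    return {**context, "raw": line, "commands": commands,
            "exec_invisible": exec_visibility(commands)[1]}


# Constructed sample: a builtin-driven preload, then exfiltration through a pipe.
SAMPLE_LINE = ("cd /tmp; export LD_PRELOAD=/tmp/x.so && "
               "cat /etc/shadow 2>/dev/null | base64 >> /tmp/.o")
SAMPLE_CONTEXT = {"shell": "bash", "uid": 1000, "user": "alice", "pid": 4242,
                  "cwd": "/home/alice"}
```

On the sample line, exec_visibility reports that only cat and base64 would appear at an execve() tracepoint; the cd and export stages, which change the working directory and would inject a library into every later dynamically linked child, run inside the shell and are invisible to process-execution monitoring, as are the pipe between cat and base64 and the three redirections. Those are exactly the fields the shell-level collector has to supply.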
Use Case

This telemetry improves the ability to detect and respond to potentially malicious activity carried out through shell commands, such as unauthorized access, privilege escalation, and lateral movement within the network, by providing comprehensive visibility into shell activity, including builtins that never spawn a separate process and the pipe and redirection relationships between commands that per-process execution events alone do not show.