Fennec: Artifact collection tool for *nix systems

by Nam Phong · May 4, 2025

Fennec

fennec is an artifact collection tool written in Rust to be used during an incident response on *nix based systems. fennec allows you to write a configuration file that contains how to collect artifacts.

Features ?

? A single statically compiled binary
? Execute any osquery SQL query
? Execute system commands
? Parse any text file using regex
? Ability to collect system logs and files
? Return data in a structured manner
? Support multiple output formats (JSONL, CSV, and KJSON)
?‍♀️ Flexible configuration file
? Directly write to ZIP file to safe space
⚡ Very fast!

Use

fennec_x86_64–unknown–linux–gnu [OPTIONS]

-c, --config : Use the specified configuration file instead of the embedded configuration
-f, --log-file : Change the default name for the log file (default: fennec.log)
-h, --help : Print help message
-l, --log-level : Change the default log level (default: info)
-o, --output : Change the default output file name for the zip file (default: {HOSTNAME}.zip, where hostname is the runtime evaluated machine hostname)
--osquery-path : Path to osquery executable, This value will be used based on these conditions:
- If osquery binary is embedded into fennec then extract it and dump it to --osquery-path
- If osquery is not embedded into fennec then use the osquery binary in the path --osquery-path
--output-format : Choose the output format, Supported formats:
- jsonl : A new line separated JSON objects (default)
- csv: Comma separated values
- kjson: Use this format if you want to upload the resulting file to Kuiper analysis platform.
-q, --quiet : Do not print logs to stdout
--show-config : Print the embedded configuration then exit
-V, --version : Print fennec version then exit

Install

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal