kunai: Threat hunting tool for Linux


The goal of this project is to provide relevant events for monitoring tasks ranging from security monitoring to threat hunting on Linux-based systems. If you are familiar with Sysmon on Windows, you can think of Kunai as a Sysmon equivalent for Linux.

What makes Kunai special?

  • events arrive sorted in chronological order
  • benefits from on-host correlation and event enrichment
  • works well with Linux namespaces and container technologies (you can trace all the activity happening inside your containers)

How it works

All the kernel components of this project run as eBPF programs (also called probes). Kunai embeds a number of probes that collect information relevant to security monitoring. Once the work on the eBPF side is done, the information is passed on to a userland program, which is responsible for tasks such as re-ordering, enriching, and correlating events.

On the implementation side, Kunai is written 99% in Rust and leverages the awesome Aya library, so everything you need to run is a single standalone binary embedding both the eBPF probes and the userland program.
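
Why the userland re-ordering step described above matters, as an added Rust example (not Kunai's own code): assuming events reach userland through per-CPU buffers, the order in which they are read need not match the order in which they happened. The `Event` and `Reorderer` types, the fixed hold-back window and the sample events are assumptions made for illustration.

```rust
use std::cmp::Reverse;
use std::collections::BinaryHeap;

// Hypothetical event shape: kernel timestamp (ns), recording CPU, description.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Event {
    pub ts_ns: u64,
    pub cpu: u32,
    pub what: &'static str,
}

// Holds events back for `window_ns` so that a late event from another
// per-CPU buffer can still be placed before newer ones.
pub struct Reorderer {
    heap: BinaryHeap<Reverse<Event>>, // min-heap on (ts_ns, cpu, what)
    window_ns: u64,
}

impl Reorderer {
    pub fn new(window_ns: u64) -> Self {
        Self { heap: BinaryHeap::new(), window_ns }
    }

    pub fn push(&mut self, e: Event) {
        self.heap.push(Reverse(e));
    }

    // Releases, oldest first, every event with ts_ns <= now_ns - window_ns.
    pub fn drain_ready(&mut self, now_ns: u64) -> Vec<Event> {
        let cutoff = now_ns.saturating_sub(self.window_ns);
        let mut out = Vec::new();
        while self.heap.peek().map_or(false, |r| r.0.ts_ns <= cutoff) {
            out.push(self.heap.pop().unwrap().0);
        }
        out
    }
}

// Constructed sample: CPU 1's buffer is read first, so the execve recorded
// on CPU 0 arrives after the connect that it actually preceded.
pub fn demo() -> Vec<&'static str> {
    let mut r = Reorderer::new(50);
    r.push(Event { ts_ns: 120, cpu: 1, what: "connect" });
    r.push(Event { ts_ns: 100, cpu: 0, what: "execve" });
    r.push(Event { ts_ns: 300, cpu: 1, what: "exit" });
    r.drain_ready(200).into_iter().map(|e| e.what).collect()
}

fn main() { println!("{:?}", demo()); }
```

The hold-back window trades latency for ordering: an event arriving later than the window allows would still be emitted out of order, which matters for any detection rule that depends on sequence.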

Install & Use

Copyright © 2023 RawSec