Tracee has a unique feature that lets you capture interesting artifacts from running applications, using the `--capture` flag.
All captured artifacts are saved in Tracee's "output directory", which can be configured using `--capture dir:<path>` (default: /tmp/tracee).
Tracee can capture the following types of artifacts:
- Written files: Any time a file is written to, the contents of the file are captured. Written files can be filtered using an optional path prefix.
- Executed files: Any time a binary is executed, the binary file is captured. If the same binary is executed multiple times, it is captured just once.
- Memory files: Any time a "memory unpacker" is detected, the suspicious memory region is captured. This is triggered when memory protection changes from Write+Execute to Write.
- Network pcap files: Any time a packet goes through the network interface, the packet is captured into the pcap file. Only packets generated by traced processes are captured.
| Option | Description |
|---|---|
| `write` | Capture written files. A filter can be given to only capture file writes whose path starts with some prefix (up to 50 characters). Up to 3 filters can be given. |
| `exec` | Capture executed files. |
| `mem` | Capture memory regions that had write+execute (w+x) protection, and then changed to execute (x) only. |
| `net=interface` | Capture network packets generated by traced processes that go through the given network interface. |
| `all` | Capture all of the above artifacts. |
| `dir:/path/to/dir` | Path where Tracee will save produced artifacts. The artifacts are saved into an `out` subdirectory (default: /tmp/tracee). |
| `clear-dir` | Clear the captured artifacts output dir before starting (default: false). |

(Use this flag multiple times to choose multiple capture options.)
Examples:

- `--capture exec`: capture executed files into the default output directory.
- `--capture all --capture dir:/my/dir --capture clear-dir`: delete /my/dir/out and then capture all supported artifacts into it.
- `--capture write=/usr/bin/* --capture write=/etc/*`: capture files that were written anywhere under /usr/bin or /etc.
- Capture pcap files of network packets generated by traced processes.
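The limits on `write` filters (at most 3, each prefix at most 50 characters) and the `out` subdirectory rule are easy to get wrong when the flags are assembled by a wrapper script. The following POSIX shell snippet is an added example, not code from the Tracee project: it validates a list of capture options against the limits stated above and prints the resulting `--capture` flags, and it computes the directory where the artifacts will land. The function names `build_capture_args` and `capture_out_dir` are this example's own; tracee itself is not executed here.

```shell
#!/bin/sh
# Added example (not Tracee's own code): assemble and sanity-check
# --capture flags before running tracee.

# Print the directory tracee will write artifacts into: the 'out'
# subdirectory under the dir: path, or under /tmp/tracee when no dir: is given.
capture_out_dir() {
    base=/tmp/tracee
    for opt in "$@"; do
        case "$opt" in
            dir:*) base=${opt#dir:} ;;
        esac
    done
    printf '%s/out\n' "$base"
}

# Validate capture options and print one "--capture <opt>" per line.
# Returns 1 (with a message on stderr) when a documented limit is exceeded
# or an option is not one of the documented capture options.
build_capture_args() {
    writes=0
    for opt in "$@"; do
        case "$opt" in
            write=*)
                prefix=${opt#write=}
                prefix=${prefix%\*}          # a trailing '*' as in the docs examples
                writes=$((writes + 1))
                if [ "$writes" -gt 3 ]; then
                    echo "too many write filters (max 3)" >&2
                    return 1
                fi
                if [ "${#prefix}" -gt 50 ]; then
                    echo "write prefix longer than 50 chars: $prefix" >&2
                    return 1
                fi ;;
            write|exec|mem|all|clear-dir|dir:*|net=*) ;;
            *)
                echo "unknown capture option: $opt" >&2
                return 1 ;;
        esac
        printf '%s %s\n' --capture "$opt"
    done
}

# Example usage:
#   build_capture_args all dir:/my/dir clear-dir
#   capture_out_dir all dir:/my/dir clear-dir      # prints /my/dir/out
```

A wrapper that calls `build_capture_args` before invoking tracee fails fast on a fourth `write=` filter or an over-long prefix instead of discovering at run time that the extra filters were silently dropped or rejected.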