Capturing Artifacts¶
Tracee can capture interesting artifacts from running applications using the --capture flag.
All captured artifacts are saved in Tracee's "output directory", which can be configured using --capture dir:/path/to/dir.
Tracee can capture the following types of artifacts:
- Written files: Anytime a file is written to, the contents of the file are captured. Written files can be filtered using an optional path prefix.
- Executed files: Anytime a binary is executed, the binary file is captured. If the same binary is executed multiple times, it is captured just once.
- Memory files: Anytime a "memory unpacker" is detected, the suspicious memory region is captured. This is triggered when a memory region's protection changes from write+execute (w+x) to execute (x) only, the pattern of code being written to memory and then made executable.
- Network pcap files: Anytime a packet goes through the chosen network interface, the packet is written to a pcap file. Only packets generated by traced processes are captured.
- Loaded kernel modules: Anytime a kernel module is loaded, the module file is captured. If the same module is loaded multiple times, it is captured just once.
CLI Options¶
CLI Option | Description |
---|---|
[artifact:]write[=/path/prefix*] | Capture written files. A filter can be given to only capture file writes whose path starts with some prefix (up to 50 characters). Up to 3 filters can be given. |
[artifact:]exec | Capture executed files. |
[artifact:]module | Capture loaded kernel modules. |
[artifact:]mem | Capture memory regions that had write+execute (w+x) protection and then changed to execute (x) only. |
[artifact:]net=<network_interface> | Capture network packets generated by traced processes that go through the given network interface. |
profile | Create a runtime profile of program executions and their metadata for forensic use. |
dir:/path/to/dir | Path where Tracee will save produced artifacts. Artifacts are saved into an 'out' subdirectory of this path (default: /tmp/tracee). |
clear-dir | Clear the captured artifacts output dir before starting (default: false). |
pcap:per-container | When capturing network packets, save a separate pcap per container. |
pcap:per-process | When capturing network packets, save a separate pcap per process. |
(Use the --capture flag multiple times to choose multiple capture options.)
Examples¶
Capture executed files into the default output directory (/tmp/tracee/out):
```
--capture exec
```
Capture loaded kernel modules into the default output directory:
```
--capture module
```
Delete /my/dir/out and then capture executed files into it:
```
--capture exec --capture dir:/my/dir --capture clear-dir
```
Capture files that were written anywhere under /usr/bin/ or /etc/ (two of the three allowed prefix filters):
```
--capture write=/usr/bin/* --capture write=/etc/*
```
Capture pcap files for packets that traced processes send or receive on enp0s3, as a single file or split per container:
```
--capture net=enp0s3
--capture net=enp0s3 --capture pcap:per-container
```
Create a runtime profile of program executions and their metadata for forensic use. Profiles from different runs can be compared to identify any difference between them; for example, run it as a GitHub Action to identify whether any new process was executed since the last pipeline run, which is useful for supply chain security:
```
--capture profile
```
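Comparing two capture runs, as an added example that is not part of Tracee's own code or documentation: the hypothetical helper below builds a manifest (path and SHA-256) of every artifact under a capture directory's out subdirectory and lists what a second run produced that the first did not. It assumes both runs used the same --capture options (for example --capture exec) with dir: pointing at two different directories, so that the two out subdirectories are comparable; the file names used in any test data are constructed, not Tracee's real naming scheme.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of Tracee): compare the
# artifacts Tracee wrote into two capture output directories.
# Assumes run N was started with `--capture exec --capture dir:/path/runN`,
# so its artifacts live under /path/runN/out (see the dir: option above).

# Print "relative/path  sha256" for every regular file under $1/out,
# sorted with the C locale so the output is safe to feed to comm(1).
artifact_manifest() {
    base="$1/out"
    [ -d "$base" ] || return 0
    ( cd "$base" && find . -type f | while read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
        else
            h=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        printf '%s  %s\n' "${f#./}" "$h"
    done | LC_ALL=C sort )
}

# Lines present in the second run's manifest but not in the first: artifacts
# that are new, or whose content changed (same path, different hash).
# Artifacts that disappeared are deliberately not reported.
new_artifacts() {
    old=$(mktemp); new=$(mktemp)
    artifact_manifest "$1" > "$old"
    artifact_manifest "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Succeeds only if run 2 produced nothing that run 1 did not; use its exit
# status to fail a CI job when an unexpected binary was executed.
assert_no_new_artifacts() {
    [ -z "$(new_artifacts "$1" "$2")" ]
}

# Usage: sh compare_captures.sh /path/run1 /path/run2
if [ "$#" -eq 2 ]; then
    new_artifacts "$1" "$2"
fi
```

In a pipeline this pairs naturally with --capture exec: keep the out directory of a known-good run as the baseline, run the job under Tracee again with clear-dir and a fresh dir:, and let assert_no_new_artifacts fail the build when a binary that was never executed before shows up.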