8 attack patterns in 9 bits. Kernel-level kill chain detection using syscall bitmasks and eBPF.
Each syscall category maps to a bit flag. As a process executes syscalls, flags accumulate per PID. When the accumulated flags match a known attack pattern, we have a detection.
- Bit 0: socket() — network setup
- Bit 1: dup2(stdin) — FD redirection
- Bit 2: dup2(stdout) — FD redirection
- Bit 3: dup2(stderr) — FD redirection
- Bit 4: execve(/bin/sh) — shell spawn
- Bit 5: connect() — outbound connection
- Bit 6: ptrace() — process injection
- Bit 7: mprotect(RWX) — memory manipulation
- Bit 8: memfd_create() — fileless execution
| Pattern | Bits | MITRE ATT&CK |
|---|---|---|
| Reverse Shell | socket + dup2(0,1,2) + execve | T1059 |
| Bind Shell | socket + bind + listen + execve | T1059 |
| Code Injection | ptrace + mprotect(RWX) | T1055 |
| Exploit → Shell | mprotect(RWX) + execve | T1203 |
| Inject → Shell | ptrace + execve | T1055 |
| Exploit → C2 | mprotect(RWX) + socket + connect | T1071 |
| Full Exploit | mprotect(RWX) + socket + dup2 + execve | T1203+T1059 |
| Data Exfiltration | open + socket + connect (large reads) | T1041 |
The tracker also emits pre-chain warnings when a process accumulates 2+ bits without completing a full pattern. This catches attacks in progress before they finish executing.
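The accumulation, matching and pre-chain warning logic described above, as an added example in plain Rust (not the killchain crate's own code). The bit constants, `Tracker`, `Verdict` and the "most bits wins" tie-break are assumptions; Bind Shell and Data Exfiltration are left out because they depend on bind/listen/open, which the nine-bit table does not define.

```rust
use std::collections::HashMap;

// One bit per syscall category, numbered as in the table above.
pub const SOCKET: u16 = 1 << 0;
pub const DUP2_STDIN: u16 = 1 << 1;
pub const DUP2_STDOUT: u16 = 1 << 2;
pub const DUP2_STDERR: u16 = 1 << 3;
pub const EXECVE_SH: u16 = 1 << 4;
pub const CONNECT: u16 = 1 << 5;
pub const PTRACE: u16 = 1 << 6;
pub const MPROTECT_RWX: u16 = 1 << 7;
pub const MEMFD_CREATE: u16 = 1 << 8;

/// Known chains as (name, required mask); a chain matches when every bit is set.
pub const PATTERNS: &[(&str, u16)] = &[
    ("Reverse Shell", SOCKET | DUP2_STDIN | DUP2_STDOUT | DUP2_STDERR | EXECVE_SH),
    ("Code Injection", PTRACE | MPROTECT_RWX),
    ("Exploit -> Shell", MPROTECT_RWX | EXECVE_SH),
    ("Inject -> Shell", PTRACE | EXECVE_SH),
    ("Exploit -> C2", MPROTECT_RWX | SOCKET | CONNECT),
    ("Full Exploit", MPROTECT_RWX | SOCKET | DUP2_STDIN | DUP2_STDOUT | DUP2_STDERR | EXECVE_SH),
];

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Quiet,                    // fewer than 2 bits accumulated
    Warning(u16),             // 2+ bits, no complete pattern yet (the bitmap is carried along)
    Detection(&'static str),  // a full pattern matched
}

/// Userspace-side stand-in for the per-PID bitmap the eBPF program keeps (assumed name).
#[derive(Default)]
pub struct Tracker { chains: HashMap<u32, u16> }

impl Tracker {
    /// Fold one observed syscall bit into `pid`'s chain and return the current verdict.
    pub fn observe(&mut self, pid: u32, bit: u16) -> Verdict {
        let chain = self.chains.entry(pid).or_insert(0);
        *chain |= bit;
        let acc = *chain;
        // Prefer the pattern with the most bits, so "Full Exploit" outranks "Exploit -> Shell".
        let hit = PATTERNS.iter()
            .filter(|(_, m)| (acc & *m) == *m)
            .max_by_key(|(_, m)| m.count_ones());
        if let Some((name, _)) = hit { return Verdict::Detection(name); }
        if acc.count_ones() >= 2 { Verdict::Warning(acc) } else { Verdict::Quiet }
    }
    /// Drop a chain once the process exits; otherwise PID reuse would inherit old bits.
    pub fn forget(&mut self, pid: u32) { self.chains.remove(&pid); }
}
```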
```toml
[dependencies]
killchain = { git = "https://github.com/InnerWarden/killchain" }
```

```
eBPF (kernel) → PID_CHAIN bitmap per process
        ↓ events via Redis Streams
killchain (userspace) → pattern matching + enrichment → incidents
```
Part of the InnerWarden security ecosystem.