Linux Threats Detected

Sandfly Hunts for the Common and Uncommon Threats Against Linux

Sandfly hunts for the building blocks that make an attack work rather than relying on static signatures. Instead of getting on a hamster wheel of constantly outdated signature updates, Sandfly looks for Linux attack tactics and techniques that never go out of date.

Our unique focus gives us industry-leading threat coverage for Linux exploits and compromise detection. Sandfly can easily find common and not-so-common rootkits, malware, and suspicious activity lurking on your Linux infrastructure without the risk of loading agents on any endpoint.

(Screenshot: Sandfly alert detail)

Are your Linux hosts compromised? Find out now.


Modular Intrusion Detection and Response

Sandfly is an agentless Linux security platform that constantly hunts for intruders. When threats are found, Sandfly becomes an expert forensic investigator providing specific information on what is happening.

For security and incident response teams, we allow you to write your own custom sandfly checks in an easy-to-learn syntax. You can craft your own threat hunting checks and deploy them instantly without loading any software or updates across your Linux systems.

The modular approach we use means that more detection methods are being added all the time to enhance our capability.

We currently have over 1,100 security and incident response modules designed specifically for Linux, and the list grows each day. Below is a list of just some of the threats we hunt for on Linux.

Sandflies List 4.0

Linux Intrusion, Compromise & Malware Threats Detected

  • Loadable Kernel Module and eBPF stealth rootkit detection

  • Standard rootkit detection

  • Cryptocurrency and cryptominer detection

  • Hidden and suspicious directories

  • Hidden and suspicious processes

  • Processes performing suspicious network activity

  • Process masquerading

  • File masquerading and hiding

  • Poisoned system commands

  • Cloaked data from stealth rootkits

  • Tampered system start-up scripts

  • Encrypted and suspicious executable files

  • Unusual system binaries

  • Suspicious users and permissions

  • Hidden executables

  • System shells being used or concealed in suspicious ways

  • Process injection

  • Reverse bindshell exploits

  • Standard bindshell exploits

  • Compromised websites

  • Tampered audit records

  • Destroyed audit records

  • Webshells and backdoors

  • Anti-forensics activity

  • Cloaked backdoors

  • Privilege escalation backdoors

  • Malware persistence mechanisms

  • SSH keys being misused or orphaned

  • Suspicious user login and logout activities

  • Suspicious cron jobs and other scheduled tasks

  • Linux malware and Advanced Persistent Threat activity

  • Distributed Denial of Service (DDoS) agents

  • Password and network sniffers

  • Many others!
