Description
Hi,
I’m currently running malware samples in an isolated VM and using Tracee to capture events. However, I’ve encountered an issue where I’m not able to capture certain IOCs, such as file drops, network connections, and process-related events, in the Tracee logs.
The IOCs are detected when I analyze the samples using Joe Sandbox, but I cannot see them in the Tracee logs.
Here are the filters I’m using for Tracee:
- --events net,fs,proc
- --events open,openat,openat2,read,write,unlink,unlinkat,rename,renameat2,chmod,chown,faccessat,faccessat2,execve,execveat,fork,vfork,clone,clone3,exit,pidfd_open,pidfd_send_signal,net_packet_dns_request,net_tcp_connect,sendmsg,recvmsg,io_uring_setup
Despite using these filters, I’m not getting the expected events. I’m not sure what I might be doing wrong or if I need to adjust the filters in some way.
Would anyone have suggestions or advice on how to ensure I capture all possible IOCs, specifically those related to file drops, network connections, and processes? For now, I’d like to start with a comprehensive set of filters, and once I have more data, I can optimize further.
I’d appreciate any help or guidance.
Thank you!
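One way to check the capture side of this from the analysis side, as an added example that is not part of the post above and not Tracee's own tooling: a small reader for Tracee's JSON output (`--output json`) that buckets events into the three IOC classes the post asks about (file drops, outbound connections, process executions). The sample log lines are constructed here; the field names it keys on (`eventName`, `processName`, `processId`, `args[].name/value`) and the argument names `pathname`, `flags`, `argv`, `dst_ip`, `dst_port` follow Tracee's JSON event shape as I know it but should be checked against your version's actual output. If a bucket comes back empty for a sample that Joe Sandbox shows dropping files or connecting out, the event never reached the log, which points at event selection or scope filtering rather than at parsing.

```python
"""Bucket Tracee JSON events into file-drop, network and process IOCs.

Added example, not code from the original post or from the Tracee project.
Field and argument names are assumptions about Tracee's JSON output and
should be verified against the version in use.
"""
import json
from typing import Iterable, List, Optional, Tuple

# open(2) flag bits for x86_64 (asm-generic/fcntl.h); used when Tracee emits
# flags as a raw integer instead of a parsed "O_WRONLY|O_CREAT" string.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0x1, 0x2, 0x40, 0x200
WRITE_FLAG_NAMES = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}

FILE_EVENTS = {"open", "openat", "openat2", "security_file_open"}
PROC_EVENTS = {"execve", "execveat", "sched_process_exec"}

IOC = Tuple[str, str, str]  # (category, "comm[pid]", indicator)

# Constructed sample log: one exec, one file drop, one benign read-only open,
# one outbound TCP connect. flags=577 is O_WRONLY|O_CREAT|O_TRUNC.
SAMPLE_LOG = """\
{"timestamp":1,"eventName":"execve","processName":"bash","processId":1201,"args":[{"name":"pathname","type":"const char*","value":"/tmp/.x/dropper"},{"name":"argv","type":"const char*const*","value":["/tmp/.x/dropper","-q"]}]}
{"timestamp":2,"eventName":"openat","processName":"dropper","processId":1202,"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/tmp/.x/payload.so"},{"name":"flags","type":"int","value":577},{"name":"mode","type":"umode_t","value":493}]}
{"timestamp":3,"eventName":"openat","processName":"dropper","processId":1202,"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/etc/ld.so.cache"},{"name":"flags","type":"int","value":"O_RDONLY|O_CLOEXEC"},{"name":"mode","type":"umode_t","value":0}]}
{"timestamp":4,"eventName":"net_tcp_connect","processName":"dropper","processId":1202,"args":[{"name":"dst_ip","type":"const char*","value":"198.51.100.23"},{"name":"dst_port","type":"u16","value":4444}]}
not json at all, e.g. a stray stderr line
"""


def args_of(event: dict) -> dict:
    """Flatten Tracee's args list [{name,type,value}, ...] into a dict."""
    return {a.get("name"): a.get("value") for a in event.get("args", []) if isinstance(a, dict)}


def is_write_open(flags) -> bool:
    """True if the open flags can create or modify a file.

    Handles both the raw integer form and the parsed "O_X|O_Y" string form.
    """
    if isinstance(flags, int):
        return bool(flags & (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC))
    return bool(set(str(flags).split("|")) & WRITE_FLAG_NAMES)


def classify(event: dict) -> Optional[IOC]:
    """Map one Tracee event to an IOC tuple, or None if it is not of interest."""
    name = event.get("eventName")
    a = args_of(event)
    proc = f'{event.get("processName")}[{event.get("processId")}]'
    if name in FILE_EVENTS:
        path = a.get("pathname")
        if isinstance(path, str) and is_write_open(a.get("flags", 0)):
            return ("file_drop", proc, path)
    elif name == "net_tcp_connect":
        return ("network", proc, f'{a.get("dst_ip")}:{a.get("dst_port")}')
    elif name in PROC_EVENTS:
        path = a.get("pathname")
        if isinstance(path, str):
            return ("process", proc, path)
    return None


def extract_iocs(lines: Iterable[str]) -> List[IOC]:
    """Parse JSON-lines Tracee output; skip blank or non-JSON lines."""
    iocs: List[IOC] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate interleaved non-JSON noise
        ioc = classify(event)
        if ioc:
            iocs.append(ioc)
    return iocs


def summarize(iocs: List[IOC]) -> dict:
    """Count IOCs per category; an empty category is the interesting signal."""
    counts = {"file_drop": 0, "network": 0, "process": 0}
    for cat, _, _ in iocs:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_LOG.splitlines())
    for cat, proc, indicator in found:
        print(f"{cat:10} {proc:16} {indicator}")
    print(summarize(found))
```

To run it on a real capture, feed `extract_iocs` the lines of the file Tracee wrote with `--output json` and compare `summarize` against what the sandbox report claims; a category that stays at zero across a sample known to exhibit it narrows the question to which events were selected and whether the sample's processes fell inside Tracee's scope.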