Kunai: Open-source threat hunting tool for Linux
Kunai is an open-source tool that provides deep and precise event monitoring for Linux environments.
“What sets Kunai apart is its ability to go beyond simple event generation. While most security monitoring tools rely on syscalls or kernel function hooking, Kunai takes a more advanced approach by correlating events on the host and providing enriched insights. This means fewer but more meaningful events, reducing noise and the strain on log ingestion while delivering deeper visibility into system activity,” Quentin Jerome, the creator of Kunai, told Help Net Security.
Key features
Kunai distinguishes itself through its advanced event processing and monitoring capabilities. Here are some of its key strengths:
- Chronologically ordered events: Unlike many other monitoring tools, Kunai ensures that events are processed and delivered precisely in the order they occur, preventing inconsistencies and improving forensic accuracy.
- On-host correlation: The tool incorporates built-in enrichment and correlation mechanisms, allowing security teams to gain context into events happening across the system.
- Container-aware monitoring: With support for Linux namespaces and container technologies, Kunai enables tracking of container activities, a critical feature for modern cloud-native environments.
“Kunai is designed with correlation at its core, making it easy to trace full process activity from a single event. It’s built for malware detection, threat hunting, and DFIR use cases, with an open detection rule engine that allows users to create custom detection scenarios. Plus, it seamlessly integrates with other open-source tools, supporting YARA rules for file scanning and connecting to MISP for real-time IoC scanning: ensuring security teams have the flexibility and power they need,” Jerome explained.
How Kunai works
The tool leverages eBPF (extended Berkeley Packet Filter) technology, using kernel-level probes to capture and analyze critical security events in real time. These probes feed data into a userland program responsible for reordering, enriching, and correlating the collected information.
A standout aspect of the tool’s implementation is its reliance on Rust and the Aya library. This architecture ensures a self-contained, standalone binary that embeds the eBPF probes and the userland processing logic, simplifying deployment and integration into existing security workflows.
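To make the userland side described above concrete, here is an added example in Rust (the language Kunai is written in). It is not Kunai's code and does not use its event format or its rule engine; the `Event` struct, the field names, the event kinds and the sample records are all constructed for illustration. It shows the two steps the article attributes to the userland program: restoring chronological order for events that arrive out of sequence from the probes, and correlating them on the host so that a single event (here, a network connect) can be expanded to the full process ancestry that produced it.

```rust
// Added example, not part of Kunai. Everything below is a constructed sketch of
// "reorder, then correlate" for events emitted by kernel probes.
use std::collections::HashMap;

/// Hypothetical event record; field names are assumptions, not Kunai's schema.
#[derive(Clone, Debug)]
pub struct Event {
    pub ts_ns: u64,         // monotonic timestamp in nanoseconds (constructed)
    pub pid: u32,
    pub ppid: u32,
    pub exe: String,        // executable path of the acting process
    pub kind: &'static str, // constructed labels: "execve" or "connect"
}

/// Restore chronological order. Probes on different CPUs can hand events to
/// userland out of sequence; a stable sort by timestamp keeps ties in arrival order.
pub fn reorder(mut events: Vec<Event>) -> Vec<Event> {
    events.sort_by_key(|e| e.ts_ns);
    events
}

/// Enrichment state: pid -> (ppid, exe), built from the execve events seen so far.
pub fn process_table(events: &[Event]) -> HashMap<u32, (u32, String)> {
    let mut table = HashMap::new();
    for e in events {
        if e.kind == "execve" {
            table.insert(e.pid, (e.ppid, e.exe.clone()));
        }
    }
    table
}

/// Correlation: walk parent links from `pid` upward and return the chain of
/// executables (closest first). Stops at the first pid we never saw execve.
pub fn ancestry(table: &HashMap<u32, (u32, String)>, mut pid: u32) -> Vec<String> {
    let mut chain = Vec::new();
    let mut depth = 0;
    while let Some((ppid, exe)) = table.get(&pid) {
        chain.push(exe.clone());
        depth += 1;
        if *ppid == pid || depth > 64 {
            break; // defensive: malformed data must not loop forever
        }
        pid = *ppid;
    }
    chain
}

/// Constructed sample: four events deliberately delivered out of order.
pub fn sample_events() -> Vec<Event> {
    let ev = |ts_ns, pid, ppid, exe: &str, kind| Event {
        ts_ns, pid, ppid, exe: exe.to_string(), kind,
    };
    vec![
        ev(3_000, 303, 202, "/usr/bin/curl", "execve"),
        ev(1_000, 101, 1, "/usr/sbin/cron", "execve"),
        ev(3_500, 303, 202, "/usr/bin/curl", "connect"),
        ev(2_000, 202, 101, "/bin/sh", "execve"),
    ]
}

fn main() {
    let ordered = reorder(sample_events());
    let table = process_table(&ordered);
    for e in ordered.iter().filter(|e| e.kind == "connect") {
        // One enriched line instead of four raw ones: the connect, plus who spawned it.
        println!(
            "{} pid={} ancestry={}",
            e.kind,
            e.pid,
            ancestry(&table, e.pid).join(" <- ")
        );
    }
}
```

The point of the example is the shape of the output: a single correlated event already carries the lineage an analyst would otherwise reconstruct from several raw execve records, which is what the article means by fewer but more meaningful events.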
Future plans and download
“We’re actively planning the next steps for Kunai, with several key improvements on the horizon. We’re exploring a central server to streamline detection rule deployment, manage IoCs, and handle logs efficiently, potentially integrating with log storage backends. Keeping our eBPF code in sync with the latest Linux kernel changes is a priority, ensuring continued stability and performance. We’re also researching new event types to enhance malware detection and expanding our community-driven detection rules to strengthen threat visibility,” Jerome concluded.
Kunai is available for free on GitHub.
The team behind Kunai wants the entire project – not just the detection rules – to be community-driven. Any feedback, issue, or feature request is highly appreciated.