runfrom

Every exec on your box, live. Catch the ones that shouldn't be running.

runfrom is a live exec-provenance monitor. It sees every exec on the system and flags code running from scratch directories, binaries with no name on disk, and setuid privilege jumps, all captured in-kernel at exec time, before the new image runs its first user-space instruction. A single tp_btf/sched_process_exec probe records the full {parent, program, path, identity, inode} tuple with no polling, no ptrace and no audit daemon. Note that it observes and flags; a tracepoint cannot block the exec, so runfrom is a detector, not an enforcer.

Running

yeet run github:yeet-src/runfrom

Pipe the default view through a pager for a one-shot snapshot, or stream raw JSON from dump.js and filter it with jq:

yeet run github:yeet-src/runfrom | less -R
yeet run github:yeet-src/runfrom/dump.js | jq -c 'select(.ephemeral or .fileless)'
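To make the three heuristics in the description concrete, here is an added example (not runfrom's own code) that applies them to newline-delimited JSON of the kind the jq pipeline above consumes. The event shape it reads (pid, parent, program, path, uid, euid, inode), the scratch-directory list, and the output flag names are assumptions for illustration, not runfrom's real schema; the sample events are constructed.

```javascript
// Added example, not runfrom's code. Classifies exec events with the three
// heuristics runfrom describes: scratch-directory execs, fileless binaries,
// and setuid privilege jumps. Field names are assumed for illustration.

// Directories where short-lived, world-writable payloads usually land (assumed list).
const SCRATCH_DIRS = ["/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/"];

// Code executed from a scratch directory.
function isEphemeral(ev) {
  return SCRATCH_DIRS.some((dir) => ev.path.startsWith(dir));
}

// Binary with no name on disk: memfd_create()+fexecve() shows up to the kernel
// as "/memfd:<name> (deleted)", a binary unlinked after exec keeps the
// " (deleted)" suffix, and an empty path means no backing file at all.
function isFileless(ev) {
  return ev.path === "" || ev.path.startsWith("/memfd:") || ev.path.endsWith(" (deleted)");
}

// Setuid privilege jump: the new image's effective uid differs from the real
// uid of the user who launched it, which is what a setuid bit produces at exec.
function isSetuidJump(ev) {
  return ev.euid !== ev.uid;
}

function classify(ev) {
  return {
    pid: ev.pid,
    parent: ev.parent,
    program: ev.program,
    path: ev.path,
    ephemeral: isEphemeral(ev),
    fileless: isFileless(ev),
    setuid: isSetuidJump(ev),
  };
}

// Parse NDJSON and keep only launches that trip at least one heuristic.
function flagSuspicious(ndjson) {
  return ndjson
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => classify(JSON.parse(line)))
    .filter((c) => c.ephemeral || c.fileless || c.setuid);
}

// Constructed sample events in the assumed shape, one JSON object per line.
const SAMPLE_EVENTS = [
  { pid: 4201, parent: "bash", program: "ls", path: "/usr/bin/ls", uid: 1000, euid: 1000, inode: 131 },
  { pid: 4202, parent: "bash", program: "sudo", path: "/usr/bin/sudo", uid: 1000, euid: 0, inode: 842 },
  { pid: 4203, parent: "curl", program: "x", path: "/tmp/.x/x", uid: 1000, euid: 1000, inode: 77 },
  { pid: 4204, parent: "python3", program: "3", path: "/memfd:payload (deleted)", uid: 1000, euid: 1000, inode: 0 },
]
  .map((ev) => JSON.stringify(ev))
  .join("\n");

for (const c of flagSuspicious(SAMPLE_EVENTS)) {
  console.log(
    `${c.parent} -> ${c.program} (${c.path || "no path"}) ` +
      `ephemeral=${c.ephemeral} fileless=${c.fileless} setuid=${c.setuid}`
  );
}
```

Run with node; the benign `ls` launch is dropped and the other three are printed with the heuristic that tripped. The setuid check compares euid to uid on the new image rather than to the parent's identity, so a root shell launching root binaries is not flagged, only an exec that gains privilege it did not start with.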

Source

yeet-src/runfrom on GitHub.