
[HELP] Unable to capture certain IOCs (file drop, network connections) with Tracee #4670

Open
MxResearch opened this issue Mar 24, 2025 · 1 comment

Comments

@MxResearch

Hi,
I’m currently running malware samples in an isolated VM and using Tracee to capture events. However, I’ve encountered an issue where I’m not able to capture certain IOCs, such as file drops, network connections, and process-related events, in the Tracee logs.
The IOCs are detected when I analyze the samples using Joe Sandbox, but I cannot see them in the Tracee logs.
Here are the filters I’m using for Tracee:

  • --events net,fs,proc
  • --events open,openat,openat2,read,write,unlink,unlinkat,rename,renameat2,chmod,chown,faccessat,faccessat2,execve,execveat,fork,vfork,clone,clone3,exit,pidfd_open,pidfd_send_signal,net_packet_dns_request,net_tcp_connect,sendmsg,recvmsg,io_uring_setup

Despite using these filters, I’m not getting the expected events. I’m not sure what I might be doing wrong or if I need to adjust the filters in some way.
Would anyone have suggestions or advice on how to ensure I capture all possible IOCs, specifically those related to file drops, network connections, and processes? For now, I’d like to start with a comprehensive set of filters, and once I have more data, I can optimize further.
I’d appreciate any help or guidance.

Thank you!
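A way to check what a Tracee capture actually contains for the three IOC classes asked about (file drops, network connections, process execution) is to triage the JSON event stream offline. The script below is an added example, not code from the Tracee project or from the poster; it assumes Tracee's JSON output shape (one event per line with `eventName`, `processName`, `processId` and an `args` list of `{name, type, value}` objects) and assumes the argument names `pathname`, `flags`, `dst_ip` and `dst_port`; the sample events are constructed, not a real capture.

```python
"""Triage Tracee-style JSON events for file-drop, connection and exec IOCs.

Added example (not Tracee's own code). The event layout and argument
names below are assumptions about Tracee's JSON output; adjust them to
match the fields seen in a real capture.
"""
import json
import os
from typing import Dict, Iterable, List

# Constructed sample events resembling Tracee output; not a real capture.
SAMPLE_EVENTS = [
    {"timestamp": 1, "eventName": "openat", "processName": "loader", "processId": 1234,
     "args": [{"name": "dirfd", "type": "int", "value": -100},
              {"name": "pathname", "type": "const char*", "value": "/tmp/.x/payload.so"},
              {"name": "flags", "type": "int", "value": "O_WRONLY|O_CREAT|O_TRUNC"},
              {"name": "mode", "type": "umode_t", "value": 448}]},
    {"timestamp": 2, "eventName": "openat", "processName": "loader", "processId": 1234,
     "args": [{"name": "dirfd", "type": "int", "value": -100},
              {"name": "pathname", "type": "const char*", "value": "/etc/ld.so.cache"},
              {"name": "flags", "type": "int", "value": "O_RDONLY|O_CLOEXEC"}]},
    {"timestamp": 3, "eventName": "net_tcp_connect", "processName": "loader", "processId": 1234,
     "args": [{"name": "dst_ip", "type": "const char*", "value": "203.0.113.10"},
              {"name": "dst_port", "type": "u16", "value": 4444}]},
    {"timestamp": 4, "eventName": "execve", "processName": "loader", "processId": 1235,
     "args": [{"name": "pathname", "type": "const char*", "value": "/tmp/.x/payload"},
              {"name": "argv", "type": "const char*const*", "value": ["/tmp/.x/payload", "--daemon"]}]},
]
# One event per line, plus a deliberately malformed line to exercise error handling.
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["<truncated line from a crashed capture>"]

WRITE_FLAG_NAMES = {"O_WRONLY", "O_RDWR", "O_CREAT"}
WRITE_FLAG_BITS = os.O_WRONLY | os.O_RDWR | os.O_CREAT


def args_of(event: dict) -> Dict[str, object]:
    """Flatten Tracee's args list into a name -> value mapping."""
    return {a["name"]: a.get("value") for a in event.get("args", []) if "name" in a}


def is_write_open(flags) -> bool:
    """True if open flags imply the file may be written or created.

    Tracee may render flags symbolically ("O_WRONLY|O_CREAT") or as an int;
    both forms are handled.
    """
    if isinstance(flags, int):
        return bool(flags & WRITE_FLAG_BITS)
    return bool(set(str(flags).split("|")) & WRITE_FLAG_NAMES)


def extract_iocs(lines: Iterable[str]) -> Dict[str, object]:
    """Walk JSON event lines and collect the IOC classes a sandbox report lists."""
    iocs: Dict[str, object] = {"dropped_files": [], "connections": [], "executed": [], "skipped": 0}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            iocs["skipped"] += 1          # keep going; one bad line must not lose the capture
            continue
        name = ev.get("eventName")
        a = args_of(ev)
        if name in ("open", "openat", "openat2") and is_write_open(a.get("flags", 0)):
            iocs["dropped_files"].append(a.get("pathname"))
        elif name == "net_tcp_connect":
            iocs["connections"].append(f"{a.get('dst_ip')}:{a.get('dst_port')}")
        elif name in ("execve", "execveat"):
            iocs["executed"].append(a.get("pathname"))
    return iocs


def summarize(lines: List[str]) -> List[str]:
    """Human-readable lines, one per IOC, for comparison against a sandbox report."""
    iocs = extract_iocs(lines)
    out = [f"dropped: {p}" for p in iocs["dropped_files"]]
    out += [f"connect: {c}" for c in iocs["connections"]]
    out += [f"exec:    {p}" for p in iocs["executed"]]
    out.append(f"skipped {iocs['skipped']} unparseable line(s)")
    return out


if __name__ == "__main__":
    # Real use: tracee ... -o json > events.jsonl; then feed open("events.jsonl").
    print("\n".join(summarize(SAMPLE_LINES)))
```

Running this over a real capture is a quick way to answer the maintainer's question in reverse: if `dropped_files` and `connections` come back empty while the sandbox report lists them, the events either were not selected on the command line or the sample's activity happened outside the traced scope, which narrows where to look before adjusting filters.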

@geyslan
Member

geyslan commented Mar 27, 2025

Hello @MxResearch. First, thanks for using Tracee, that's awesome.

Could you provide us with the exact command line or policy you used, and what you did (ran) to trigger the events?

Meanwhile, take a look at https://aquasecurity.github.io/tracee/latest/docs/advanced/forensics and https://aquasecurity.github.io/tracee/latest/docs/flags/capture.1 and let us know if there's something not covered by those.
