Right it’s just for things you don’t use but a credential harvester would find interesting.
I’ve been working a lot on containing the blast radius with some careful LXC usage, but this was a quick way to get some real value without a ton of thought.
There is a very high chance there are files you will never use that a credential harvester would be interested in. For example some look for certain wallets that I definitely don’t have, so I create a canary file for that. You can also add $HOME/.ssh/id_rsa and $HOME/.ssh/id_ed25519 and then use nonstandard key names for your typical key usage etc.
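The canary layout described in the comment above, as an added example that is not from the thread or its author's tool: decoy key files at the standard paths, a decoy wallet under a placeholder path, ssh pointed at a real key with a nonstandard name, and matching auditd watch rules printed rather than installed (the "work_main" key name and ".placeholder-wallet" path are assumptions).

```bash
#!/usr/bin/env bash
# Added example: decoy credential files where a harvester looks first,
# real key under a nonstandard name. Assumes a writable home directory.
set -eu

setup_canaries() {
  local home="$1"
  local sshdir="$home/.ssh"
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  # Decoy private keys at the paths harvesters enumerate. The body is
  # constructed filler, not key material, so any attempt to use it fails.
  for name in id_rsa id_ed25519; do
    {
      echo "-----BEGIN OPENSSH PRIVATE KEY-----"
      echo "Q0FOQVJZIEZJTEUgLSBOT1QgQSBSRUFMIEtFWQ=="   # constructed filler
      echo "-----END OPENSSH PRIVATE KEY-----"
    } > "$sshdir/$name"
    chmod 600 "$sshdir/$name"
  done
  # Decoy wallet at a placeholder path; use the path your harvester sample probes.
  mkdir -p "$home/.placeholder-wallet"
  echo "canary" > "$home/.placeholder-wallet/wallet.dat"
  chmod 600 "$home/.placeholder-wallet/wallet.dat"
  # Send ssh to the real key under a name that is not on the usual lists
  # (work_main is an assumed name; generate it separately with ssh-keygen).
  if ! grep -qs 'IdentityFile ~/.ssh/work_main' "$sshdir/config"; then
    printf 'Host *\n    IdentityFile ~/.ssh/work_main\n    IdentitiesOnly yes\n' >> "$sshdir/config"
  fi
  chmod 600 "$sshdir/config"
}

# Emit auditd watch rules (read access, key "canary") for the decoys.
# Loading them needs root (auditctl -R), so this only prints them.
canary_audit_rules() {
  local home="$1"
  for f in "$home/.ssh/id_rsa" "$home/.ssh/id_ed25519" \
           "$home/.placeholder-wallet/wallet.dat"; do
    printf -- '-w %s -p r -k canary\n' "$f"
  done
}
```

Any read of a decoy then shows up in the audit log with the accessing pid and executable, which is the signal a file-touch daemon like the one in the thread acts on.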
I’ve been running this for a week now with no lost connections yet :)
Yes you can
-send-sigstop to SIGSTOP the process and then do whatever you’d like on your -on-touched-exe such as attach via ptrace, dump all memory, etc. My current one will send a notification and dump the memory of the offending process. Definitely pay attention to the warning about running this on a server. With a KVM attached in a home lab you should be able to easily recover I guess. I think you could also set yourself up a little UDP service to SIGUSR1 the daemon since incoming packets are not dropped, but I haven’t tested that.