Advanced threat detection rules. Powered by Sysdig threat research.
Detection rules define the behaviors that indicate potential threats in cloud-native environments. Sysdig’s Threat Research Team (TRT) continuously curates and enhances these rules to protect against the latest cloud-native attacks. Get precision-tuned detections mapped to MITRE ATT&CK® and leading compliance frameworks.
Abuse Sudo for Privilege Escalation
This rule detects and warns against the exploitation of CVE-2019-14287, which allows privilege escalation through abusing the sudo command.
Priority:
Critical
Tags:
BPF Command Executed by Fileless Program
This rule detects the execution of a bpf syscall with potentially dangerous commands from a fileless process. eBPF programs are extremely powerful, and as long as they conform to the constraints imposed by the eBPF verifier (ex: they don't cause a kernel panic), give near-arbitrary control over a target system.
Priority:
Critical
Tags:
Backdoored library loaded into SSHD (CVE-2024-3094)
This rule detects possible CVE-2024-3094 exploitation when the SSH daemon process loads a vulnerable version of the liblzma library. An attacker could exploit this to interfere with authentication in sshd via systemd, potentially compromising sensitive data or escalating their privileges.
Priority:
Critical
Tags:
Base64'd ELF file on Command Line
This rule detects base64 encoded ELF executables in command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.
Priority:
Critical
Tags:
Base64-encoded Python Script Execution
This rule detects base64-encoded Python scripts on command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.
Priority:
Critical
Tags:
Base64-encoded Shell Script Execution
This rule detects base64-encoded Shell scripts as part of a set of command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.
Priority:
Critical
Tags:
Connection with Suspicious User Agent Detected
Detects connection with suspicious user agent, commonly used by threat actors for accessing command and control servers.
Priority:
Critical
Tags:
Container escape via discretionary access control
This rule detects unauthorized attempts to access host files from a container using the "open_by_handle_at" and DAC_READ_SEARCH capability. An attacker could potentially escape the container and escalate privileges by reading sensitive host files.
Priority:
Critical
Tags:
Create Hardlink Over Sensitive Files
This rule detects the creation of hardlinks over sensitive files, such as '/etc/shadow' or '/etc/sudoers', potentially allowing an attacker to gain unauthorized access to critical system information. An attacker could escalate their privileges by manipulating critical configuration files.
Priority:
Critical
Tags:
Create Symlink Over Sensitive Files
This rule detects the creation of symbolic links over sensitive files, alerting on potential unauthorized access to critical system configuration files like /etc/shadow and /etc/sudoers. An attacker could leverage this technique to escalate privileges or conceal malicious activities by manipulating system configurations using symbolic links.
Priority:
Critical
Tags:
Debugfs Launched in Privileged Container
This rule detects the launch of debugfs within a privileged container, which can facilitate an escape to the host system. An attacker could leverage this to breach the container's isolated environment, potentially leading to unauthorized access or malicious activities on the host itself.
Priority:
Critical
Tags:
Debugfs Launched on Host
This rule detects the launch of debugfs on the host system, which could be used to bypass detection mechanisms. An attacker could utilize debugfs to hide malicious activities, such as altering or removing sensitive information on the file system, evading detection by security tools.
Priority:
Critical
Tags:
Detect cloned process by PRoot
This rule detects cloned processes spawned using the PRoot tool, indicating potential privilege escalation. An attacker could use this technique to gain elevated permissions and perform malicious activities undetected in the system. This could lead to unauthorized access to sensitive data or the compromise of critical system components.
Priority:
Critical
Tags:
Detect curl Using Socks Proxy
This rule detects the use of curl with a socks proxy, potentially indicating command and control activity or data exfiltration over alternative protocols. An attacker could establish covert communication channels or evade network detection by tunneling their traffic through the socks proxy while leveraging the curl command-line tool.
Priority:
Critical
Tags:
Detect malicious cmdlines
This rule detects potentially malicious command lines, such as attempts to delete critical system files or modify password-related files. An attacker could delete essential system files like or manipulate password files to gain unauthorized access or impede system recovery processes.
Priority:
Critical
Tags:
Detect reconnaissance scripts
This rule detects reconnaissance scripts executed on systems, aiming to identify malicious activities. An attacker could use reconnaissance scripts to gather sensitive information about the target network, potentially leading to further exploits or data breaches.
Priority:
Critical
Tags:
Detect release_agent File Container Escapes
This rule detects an attempt to exploit a container escape using release_agent file. By running a container with certain capabilities, a privileged user can modify release_agent file and escape from the container
Priority:
Critical
Tags:
Diamorphine Rootkit Activity
This rule detects potential Diamorphine rootkit activity on the system by monitoring specific signals and process executions, aiming to identify malicious kernel-level modifications and unauthorized privilege escalations. An attacker could use the Diamorphine rootkit to stealthily gain persistent access to the system, evade detection mechanisms, and potentially perform unauthorized privilege escalations.
Priority:
Critical
Tags:
Discovery Security Service Activity Detected
Adversaries may try to discover running security services/programs to disable or corrupt them.
Priority:
Critical
Tags:
Execute Process from Masqueraded Directory
This rule detects usage of "..." instead of the canonical ".." in a directory traversal attack. Adversaries can execute a process from a directory while masquerading as the current parent directory. If an application is vulnerable to this manipulation, an attacker could navigate to sensitive directories or execute malicious code from unexpected locations, bypassing intended security measures. This could lead to unauthorized access, data breaches, or other security compromises within the system.
Priority:
Critical
Tags:
Execution from /dev/shm
This rule detects file execution from the /dev/shm directory, a tactic used by threat actors to hide malicious scripts and binaries. An attacker could execute malicious code from this directory to evade detection by security tools, allowing them to carry out privilege escalation or process injection attacks.
Priority:
Critical
Tags:
Fileless Malware Detected (memfd)
This rule detects the loading and execution of a fileless ELF malware, indicating potential memory-based attacks. An attacker could leverage this technique to bypass traditional file-based detection methods and evade detection by executing malicious code directly in memory.
Priority:
Critical
Tags:
Find AWS Credentials
This rule detects attempts to find or extract AWS credentials, potentially leading to unauthorized access to sensitive AWS resources. An attacker could use the extracted credentials to compromise AWS infrastructure, steal sensitive data, or launch further attacks leveraging the privileges associated with the compromised AWS account.
Priority:
Critical
Tags:
Find Azure Credentials
This rule detects attempts to steal Azure Credentials using find or grep commands. An attacker could obtain sensitive Azure data, such as private keys, leading to unauthorized access to critical resources.
Priority:
Critical
Tags:
Find GCP Credentials
This rule detects attempts to steal GCP Credentials using find or grep commands, aiming to prevent unauthorized access to confidential information stored on the Google Cloud Platform. An attacker could use stolen GCP Credentials to gain illegitimate access to sensitive data or resources within the targeted Google Cloud environment.
Priority:
Critical
Tags:
GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911)
detect the exploitation of the CVE-2023-4911. Attackers can inject payloads in the GLIBC_TUNABLES environment variable when running executables with the SUID permission to execute code with elevated privileges.
Priority:
Critical
Tags:
GPG Key Reconnaissance
This rule detects reconnaissance attempts that try to locate GPG security keys using 'find' or 'grep' commands. An attacker could potentially identify and steal GPG security keys to gain unauthorized access to encrypted communications or files.
Priority:
Critical
Tags:
Hexadecimal string detected
This rule detects the presence of hexadecimal string decoding within command lines a technique used by attackers to obfuscate their activities. An attacker could use this technique to evade detection mechanisms while attempting to decode and execute malicious commands such as extracting and executing hidden payloads or commands within hexadecimal strings."
Priority:
Critical
Tags:
Hide Process with Mount
Utilities like top or ps check the /proc folder to list the running processes and their information. This can be exploited for hiding malicious processes threat actors can mount something else (such as another directory with mount --bind) to /proc/[pid] to hide a given process."
Priority:
Critical
Tags:
Known Malicious eBPF Program Detected
This rule detects known malicious eBPF programs doing runtime loading of eBPF programs into the kernel. eBPF programs are extremely powerful, and as long as they conform to the constraints imposed by the eBPF verifier (ex: they don't cause a kernel panic), give near-arbitrary control over a target system.
Priority:
Critical
Tags:
Log File Symlink to Null
This rule detects the creation of symbolic links over critical log files, such as auth.log and wtmp, to the NULL device. An attacker could leverage this technique to conceal malicious activities by removing signs of their intrusion. By redirecting the log file to /dev/null, no log entries will be recorded.
Priority:
Critical
Tags:
Malicious Process Reaching K8S API Server Detected
Detect malicious process reaching the K8S API Server. Processes like peirates can be abused by attackers to send GET and POST requests to the K8s api server in order to move laterally within the cluster or exfiltrate sensitive data, such as secrets.
Priority:
Critical
Tags:
Memory Manipulation by Fileless Program
Detects the allocation of large, anonymous memory regions (64 MB or more) by a process, where the memory is initially unused (PROT_NONE) and not linked to any file descriptor. The process utilizes this memory space for execution entirely within memory, without writing to disk, which is a common characteristic of fileless malware. This behavior indicates that the allocated memory is reserved for later use, often involving fileless payloads or malicious code that resides and executes solely in memory, thus evading traditional file-based detection methods.
Priority:
Critical
Tags:
Modify Grub Configuration Files
This rule detects changes to GRUB configuration files that may be subjected to the set of vulnerabilities affecting image parser at DXE runtime known as LogoFail.
Priority:
Critical
Tags:
Mount Launched in Privileged Container
This rule detects mounting within privileged containers, allowing an attacker to potentially escape the container. An attacker could exploit this to gain access to the host system, bypassing container isolation. This could lead to privilege escalation and lateral movement within the environment.
Priority:
Critical
Tags:
Mount on Container Path Detected
This rule detects mounting custom resources in a container path, which adversaries may exploit to inject malicious code into runtime environments. An attacker could deploy a backdoor by mounting a custom resource in the container path, gaining unauthorized access to the system.
Priority:
Critical
Tags:
Offensive Security Tool Detected
Detects spawning of security tools and suspicious tools often used during penetration testing activities. Attackers commonly employ these tools as well to search for vulnerabilities, exploits and execute malicious payloads on a targeted system.
Priority:
Critical
Tags:
PTRACE anti-debug attempt
Detect usage of the PTRACE system call with the PTRACE_TRACEME argument, indicating a program actively attempting to avoid debuggers attaching to the process. This behavior is typically indicative of malware activity.
Priority:
Critical
Tags:
Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system
Priority:
Critical
Tags:
Possible Arbitrary Command Execution through CUPS
This rule detects foomatic-rip process executing common shell programs, which may indicate that an attacker has exploited CVE-2024-47176, combined with CVE-2024-47076 and CVE-2024-47175. The combination of these vulnerabilities may be leveraged by attackers to execute arbitrary commands remotely on the target machine without authentication. Ensure that this is expected behavior and CUPS has been patched for this vulnerability.
Priority:
Critical
Tags:
Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
DEPRECATED. This rule, previously created to detect a possible arbitrary command execution through CUPS, has been now deprecated as it will be replaced by the new generic rule Possible Arbitrary Command Execution through CUPS rule.
Priority:
Critical
Tags:
Possible Jynx Rootkit Detected
This rule identifies a critical installation step of the 'Jynx' rootkit, where the group ID of the /etc/ld.so.preload file is modified. This file is often exploited to load malicious libraries, thus changes to its permissions may be an indicator of potential rootkit activity.
Priority:
Critical
Tags:
Potential IRC connection detected
This rule detects potential IRC connections based on suspicious network activity, providing visibility into possible command and control communications. An attacker could establish covert communication channels through IRC to remotely control compromised systems and exfiltrate sensitive data, evading detection through common web protocols.
Priority:
Critical
Tags:
Potential IngressNightmare Vulnerability Exploitation
This rule detects a possible exploitation of IngressNightmare vulnerability (CVE-2025-1974), where the NGINX process loads a shared library from the ProcFS. This execution may indicate a malicious actor attempting to exploit the vulnerability before executing other arbitrary code in the ingress controller container.
Priority:
Critical
Tags:
Steganography Tool Detected
This rule detects usage of steganography tools available in Unix-like distributions. An adversary may utilize such tools in order to hide C2 traffic and obfuscate data in digital messages transferred between a compromised system and an attacker-controlled one.
Priority:
Critical
Tags:
Sudo Potential Privilege Escalation
Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
Priority:
Critical
Tags:
Suspicious Chdir Event Detected
This rule detects chdir events using file descriptors in the /proc file system executed by the Docker CRI processes. It specifically focuses on the CVE-2024-21626 related to the "Leaky Vessels" vulnerability.
Priority:
Critical
Tags:
Suspicious Home Directory Creation
This rule detects suspicious attempts to create a home directory in non-standard locations, potentially indicating an attacker trying to create a stealthy user for a backdoor on a compromised system. An attacker could use this technique to maintain unauthorized access, hide their activities, and evade detection.
Priority:
Critical
Tags:
Suspicious OpenSSL Shared Object Loaded
This rule detects suspicious loading of custom OpenSSL shared objects, which could indicate an attempt to compromise the system. An attacker could execute malicious code by replacing legitimate OpenSSL libraries with malicious ones.
Priority:
Critical
Tags:
Suspicious RC Script Modification
Adversaries can establish persistence or escalate privileges by adding a malicious binary path or shell commands to RC scripts specific to the Unix-like distribution, which, upon reboot, will be executed with root privileges.
Priority:
Critical
Tags: