Advanced threat detection rules. Powered by Sysdig threat research.
Detection rules define the behaviors that indicate potential threats in cloud-native environments. Sysdig’s Threat Research Team (TRT) continuously curates and enhances these rules to protect against the latest cloud-native attacks. Get precision-tuned detections mapped to MITRE ATT&CK® and leading compliance frameworks.
Tampering with Security Software in Container
This rule detects attempts to disable security software within a container, a common tactic used by threat actors to evade detection and carry out malicious activities within a compromised environment. An attacker could potentially disable runtime security measures, allowing for the execution of malware or unauthorized code with reduced risk of detection, enhancing their ability to maintain persistence and further compromise the system.
Priority:
Critical
Tags:
Unexpected Connection from legitimate Process/Port
This rule detects suspicious network connections initiated from legitimate processes or non-standard ports, potentially indicating unauthorized activity. An attacker could establish a covert communication channel for command and control operations, enabling data exfiltration or persistence mechanisms to evade detection and escalate privileges.
Priority:
Critical
Tags:
Unexpected Unshare event in Container
This rule detects unexpected unshare events in containers, indicating a potential container escape attempt by exploiting the "CAP_SYS_ADMIN" capability, allowing unauthorized access to the host system. An attacker could leverage this to escalate privileges, gain access to sensitive data, or launch further attacks on the host environment.
Priority:
Critical
Tags:
Unprivileged Delegation of Page Faults Handling to a Userspace Process
This rule detects a successful attempt to delegate the handling of page faults to an unprivileged userspace process, potentially exposing the system to exploitation. An attacker could leverage this to execute malicious code, bypass security restrictions, and escalate privileges on the system.
Priority:
Critical
Tags:
AWS CLI used with endpoint url parameter
This rule detects the AWS CLI being used with the endpoint-url parameter. This may be used to exfiltrate data or download malicious resources from a remote bucket. Furthermore, with this parameter it is possible to avoid CloudTrail logging of the requests.
Priority:
Warning
Tags:
Brute-force Tool Detected
Detects spawning of brute forcing tools or suspicious executions often used during brute forcing activities. Attackers commonly employ these tools and techniques to gain access to a targeted system.
Priority:
Warning
Tags:
Cgroup Filesystem Mounted in Container
This rule detects when a cgroup filesystem is mounted within a container, which can indicate an attempt by an attacker to manipulate control groups for resource management or in preparation for the known release_agent escaping technique.
Priority:
Warning
Tags:
Change memory swap options
This rule detects changes to memory swapping options. Memory swapping is a process in which the OS moves data from RAM to disk when physical RAM is full. Upon executing a 'swapon' command, an adversary may be able to increase the available virtual memory, potentially enabling memory-based attacks, such as process injection. Upon executing a 'swapoff' command, an attacker could disable the swap space, thus leading to system instability and data loss.
Priority:
Warning
Tags:
Clear Log Activities
This rule detects any attempt at deleting or truncating log files contained within the system, a technique often associated with defense evasion as an adversary may be able to cover their tracks manipulating critical log files. For instance, an attacker might attempt to erase evidence of unauthorized access or malicious activities by targeting essential system logs like syslog or auth.log.
Priority:
Warning
Tags:
Code compiler downloaded and launched in container
This rule detects the downloading and execution of code compilers in containers, a behavior often associated with malicious attempts to compile and run unauthorized code within a system. An attacker could potentially exploit this to introduce and execute malicious code in a container, bypassing normal application deployment controls and potentially compromising the host system or other resources.
Priority:
Warning
Tags:
Connection to Instance Metadata through AWS SSM
This rule detects connections to the AWS metadata endpoint by processes executed through AWS SSM Commands. An attacker could leverage this to exfiltrate sensitive credentials from instance metadata or directly invoke the AWS API if the machine is bound to a role, potentially escalating privileges or gaining unauthorized access to cloud resources.
Priority:
Warning
Tags:
Connection to TOR Domain Detected
This rule detects connections to TOR domains, which can be used for evading traditional content monitoring and censorship mechanisms. An attacker could leverage this to access and distribute illicit or sensitive content without detection, potentially violating regulatory requirements and compromising data security.
Priority:
Warning
Tags:
Contact Azure Instance Metadata Service from Container
This rule detects unauthorized attempts to access Azure Instance Metadata Service from containers. An attacker could potentially gather sensitive information such as access tokens and credentials by leveraging this access. This could lead to escalated privileges and further compromise of the Azure environment.
Priority:
Warning
Tags:
Contact Azure Instance Metadata Service from Host
This rule detects unauthorized connections to Azure IMDS from the host, potentially indicating a reconnaissance attempt. An attacker could abuse this to gather sensitive information or credentials stored in the Azure instance metadata to escalate privileges or move laterally within the network.
Priority:
Warning
Tags:
Contact EC2 Instance Metadata Service From Container
This rule detects unauthorized attempts to access the EC2 Instance Metadata Service from a container. An attacker could gain sensitive information about the AWS infrastructure, such as security credentials, which may lead to unauthorized access and potential data breaches.
Priority:
Warning
Tags:
Contact EC2 Instance Metadata Service From Host
This rule detects suspicious attempts to access the EC2 Instance Metadata Service from a host, potentially indicating unauthorized data retrieval or reconnaissance. An attacker could gather sensitive information about the host or launch further targeted attacks on the compromised system using the extracted data.
Priority:
Warning
Tags:
Contact GCP Instance Metadata Service from Container
This rule detects suspicious attempts to contact the GCP Instance Metadata Service from a container, indicating potential unauthorized access or data exfiltration. An attacker could leverage this access to gain sensitive information about the cloud environment, allowing for further exploitation or lateral movement within the infrastructure.
Priority:
Warning
Tags:
Contact GCP Instance Metadata Service from Host
This rule detects unauthorized attempts to access the GCP IMDS from the host, which can expose sensitive instance metadata. An attacker could leverage this access to retrieve sensitive information such as API keys or credentials stored in the instance metadata, compromising the security of the cloud environment.
Priority:
Warning
Tags:
Contact Task Metadata Endpoint
This rule detects connections to the dedicated task metadata endpoints.
Priority:
Warning
Tags:
Container image built on host
This rule detects when a container image is built on the target host, potentially enabling attackers to deploy malicious tools and evade security measures. Attackers could abuse this capability to easily deploy and execute their own malicious containerized applications on the target host.
Priority:
Warning
Tags:
Create files below dev
This rule detects unauthorized file creation under /dev by untrusted programs, which could indicate a potential rootkit presence compromising system integrity. An attacker could hide malicious files within /dev to evade detection or enhance persistence in the compromised system.
Priority:
Warning
Tags:
Curl Exfiltrating File
This rule detects the usage of the cURL command line tool to exfiltrate a file to a remote location.
Priority:
Warning
Tags:
DB program spawned process
This rule detects when a database-related program spawns a process other than itself. An attacker could leverage this to execute unauthorized commands or access sensitive data.
Priority:
Warning
Tags:
Data Split Activity Detected
This rule detects instances of suspicious data splitting actions, which could indicate potential data exfiltration attempts by threat actors leveraging deceptive split commands within the network. An attacker could exfiltrate sensitive information by disguising it as split data, circumventing exfiltration detection mechanisms and compromising sensitive data stored within the system.
Priority:
Warning
Tags:
Database Dump Command Detected
This rule detects execution of commands commonly employed to dump a database. Attackers may do so to steal sensitive information, launch further attacks (e.g. phishing) or sell stolen information. Common and legitimate backup utilities are excluded.
Priority:
Warning
Tags:
Delete Bash History
This rule detects bash history deletions by specific processes or file deletions, which could indicate attempts to cover malicious activities. An attacker could hide their tracks and evade detection by erasing their command history, potentially compromising the integrity of system logs and evading forensic analysis.
Priority:
Warning
Tags:
Detection bypass by symlinked files
This rule detects attempts to bypass file detection rules by leveraging symlinked files in the system, which can be used by attackers to obscure malicious activities and evade detection mechanisms.
Priority:
Warning
Tags:
Direct Memory Overwrite Detected
This rule detects attempts to directly overwrite the memory of a running process. Attackers may employ this technique to inject payloads into a running process's memory.
Priority:
Warning
Tags:
Directory traversal monitored file read
Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts.
Priority:
Warning
Tags:
Disable or Modify Linux Audit System
This rule detects modifications to logging configurations, such as changes to configuration files or specific commands, as well as the disabling of logging services like journalctl or auditctl.
Priority:
Warning
Tags:
Disallowed SSH Connection Non Standard Port
Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port configurations. This rule can complement the "Redirect STDOUT/STDIN to Network Connection in Container" or "Disallowed SSH Connection" rule.
Priority:
Warning
Tags:
Download and launch remote file copy tools in container
This rule detects the download and execution of remote file copy tools in a container, aiming to prevent unauthorized data exfiltration. An attacker could exfiltrate sensitive data by downloading and launching tools like rsync, scp, or sftp in the container, bypassing traditional network security controls.
Priority:
Warning
Tags:
Dump Cached Domain Credentials
This rule detects dumping of files that may contain cached domain credentials. Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.
Priority:
Warning
Tags:
Dump memory for credentials
This rule detects potential memory dumps to extract plaintext credentials from sensitive process files. An attacker could utilize this to gain unauthorized access to critical systems or sensitive data, possibly compromising user credentials.
Priority:
Warning
Tags:
Execution from /tmp
This rule detects execution of files from /tmp, commonly used by threat actors to hide their malicious files. An attacker could hide malicious scripts in the /tmp directory to evade detection and execute them without being noticed.
Priority:
Warning
Tags:
Execution from Temporary Filesystem (tmpfs)
This rule detects executions from tmpfs locations, a common technique used by adversaries for defense evasion. An attacker could execute malicious code from a tmpfs location to evade detection by security mechanisms. By exploiting this, an attacker can potentially hide their activities and maintain persistence within the target system.
Priority:
Warning
Tags:
Execution of binary using ld-linux
This rule detects the execution of a binary using ld-linux, commonly employed to bypass file execution restrictions. An attacker could use this method to run malicious programs without triggering detection mechanisms, ultimately evading security controls and escalating privileges.
Priority:
Warning
Tags:
Exfiltrating Artifacts via Kubernetes Control Plane
This rule detects copying of artifacts via the Kubernetes control plane using commands such as kubectl copy. It detects potential exfiltration of application secrets or data from containers' file systems in cases of unauthorized access and misuse of the control plane (e.g. using stolen credentials like Kubernetes serviceaccount tokens).
Priority:
Warning
Tags:
Find Authentication Certificates
This rule detects authentication certificate theft on Linux systems by monitoring for suspicious activities in directories related to certificate storage and certificate private keys. An attacker could steal the authentication certificates with its keys and misuse them to gain unauthorized access or impersonate legitimate users.
Priority:
Warning
Tags:
Find Private Keys or Passwords
This rule detects activities searching for private keys or passwords through the process 'find', alerting on potential credential exposure. An attacker could gain unauthorized access to sensitive information such as credentials in plain text, compromising system security.
Priority:
Warning
Tags:
IP Forward Configuration Modification
This rule detects changes to the IP forwarding configuration on the system. If enabled, an attacker can exploit it to route packets and potentially bypass existing firewalls. It is also a necessary precondition for an ARP cache poisoning attack.
Priority:
Warning
Tags:
Instance Metadata Service Contacted During Package Install
This rule detects Instance Metadata Service contacted when a package is installed. Malicious packages may connect to IMDS to steal credentials and exfiltrate them to an endpoint controlled by attackers.
Priority:
Warning
Tags:
Java Process Class File Download
This rule detects a Java process potentially exploiting the log4shell vulnerability by downloading a class file, which could provide an attacker with remote code execution capabilities. An attacker could leverage this access to gain full control over the targeted system, enabling data theft or further compromise of critical infrastructure.
Priority:
Warning
Tags:
Kernel Module Loaded by Unexpected Program
This rule detects the loading of kernel modules by unexpected programs, excluding common tools like insmod and modprobe, which could indicate an attempt to avoid detection. An attacker could use this technique to load malicious kernel modules for persistence or privilege escalation on the compromised system, potentially leading to further exploitation.
Priority:
Warning
Tags:
Kernel module unloaded
Detect the unloading of kernel modules, which can be used to disable security features or other important kernel functionality.
Priority:
Warning
Tags:
Kernel or Physical Memory Dumped
Adversaries may dump the kernel or physical memory in order to gain persistence, extract credentials or escape to host from containers.
Priority:
Warning
Tags:
Kernel startup modules changed
This rule detects changes in kernel modules on startup, which can indicate potential privilege escalation or persistence techniques by an attacker. An attacker could surreptitiously load malicious kernel modules to gain elevated privileges or maintain access to the system, evading detection.
Priority:
Warning
Tags:
Lastlog Files Cleared
This rule detects the deletion of lastlog files, commonly associated with attempts to cover tracks after unauthorized access. An attacker could delete lastlog records to evade detection, making it difficult to trace login activity. This manipulation could help an attacker avoid accountability and persist within the system undetected.
Priority:
Warning
Tags:
Launch Excessively Capable Container
This rule detects container startups with excessive capabilities, excluding trusted images. An attacker could leverage a compromised container to escalate privileges, execute malicious code, or move laterally within the network. Excessive capabilities in a container's start-up pose a high-risk scenario for potential privilege escalation attacks.
Priority:
Warning
Tags:
Launch Remote File Copy Tools on Host
This rule detects the launch of remote file copy tools on a host, such as rsync, scp, and sftp, which could be indicative of data exfiltration or lateral movement within the network. An attacker could use these tools to transfer sensitive files or escalate their access privileges by moving laterally across the network.
Priority:
Warning
Tags: