Advanced threat detection rules. Powered by Sysdig threat research.
Detection rules define the behaviors that indicate potential threats in cloud-native environments. Sysdig’s Threat Research Team (TRT) continuously curates and enhances these rules to protect against the latest cloud-native attacks. Get precision-tuned detections mapped to MITRE ATT&CK® and leading compliance frameworks.
Launch Sensitive Mount Container
Detect the initial process started by a container that has a mount from a sensitive host directory (e.g. /proc). Exceptions are made for known trusted images.
Priority: Warning
Launch Suspicious Network Tool on Host
This rule detects suspicious network tools launched on the host, monitoring for activities indicating potential unauthorized network access or data exfiltration. An attacker could use these tools to covertly establish unauthorized connections, bypassing network security controls and compromising sensitive data.
Priority: Warning
Leading or Trailing Space Detected in Filename
This rule detects the creation of files whose names contain leading or trailing spaces. Because a space character at the start or end of a filename can change how the OS handles the file's content, an attacker may in some cases be able to disguise the true file type, which in extreme scenarios can result in malicious execution.
Priority: Warning
Linux Kernel Module Injection Detected
Detect injection of kernel modules into the system via insmod or modprobe, which can lead to privilege escalation, tampering with system behavior and bypassing security controls. This rule helps prevent attackers from gaining persistent access and control over the system.
Priority: Warning
Local Privilege Escalation Using SETGID Capability
This rule detects attempts by non-root processes to change their group ID to root-equivalent or exploitable groups using the CAP_SETGID capability. This capability allows a process to change its GID without following standard authentication or privilege boundaries.
Priority: Warning
Local Privilege Escalation Using SETUID Capability
This rule detects attempts by non-root processes to change their user ID to root (UID 0) using the CAP_SETUID capability. This capability allows a process to change its UID without following standard authentication or privilege boundaries.
Priority: Warning
Mailbox Data Modification
Adversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata. This can obscure evidence of malicious activities such as phishing, internal spearphishing, email collection, use of mail protocols for command and control, and email-based exfiltration.
Priority: Warning
Mkdir binary dirs
This rule detects attempts to create directories within critical binary directories, potentially indicating malicious activities such as hiding malicious binaries or compromising system integrity. An attacker could evade detection by concealing malicious tools in system binaries, bypass security controls, and maintain persistence on the compromised system.
Priority: Warning
Modification of Container Image Cache
This rule detects attempts to modify the container image cache or snapshots on disk, which may indicate an attacker tampering with upcoming or running containers. Attackers could manipulate the image cache to plant malicious software within the container, potentially leading to unauthorized access and persistence.
Priority: Warning
Modification of Udev Rules Detected
This rule detects modifications to udev rules, files read by the udev device manager at system startup that allow users to manage devices and create actions based on hardware events. If maliciously altered, an attacker may be able to specify additional programs and arbitrary scripts to be run, obtaining persistence within the system.
Priority: Warning
Modification of pam.d detected
The shared library pam_tty_audit.so can be used to log the keystrokes of terminal users. While it may be used for specific security purposes, it can also be used by attackers.
Priority: Warning
Modify Timestamp attribute in File
This rule detects changes to file timestamps, which may indicate a timestomp attack attempting to cover up unauthorized access or modification. An attacker could manipulate timestamps using the 'touch' command or its variants to hide malicious activities, evading detection by altering the file's accessed, modified, or created times.
Priority: Warning
Modify binary dirs
This rule detects attempts to modify binary directories, often indicative of unauthorized tampering with critical system files. An attacker could potentially evade detection mechanisms and implant malicious code by changing binaries used by essential system processes.
Priority: Warning
Modify ld.so.preload
This rule detects attempts to modify the ld.so.preload file, typically used by attackers to preload malicious shared libraries into a system's library set. An attacker could use this to hijack the execution flow by loading their own libraries during program execution, potentially leading to privilege escalation or evasion of defense mechanisms.
Priority: Warning
Netcat Remote Code Execution in Container
This rule detects the execution of NetCat in a container, which could allow an attacker to perform remote code execution within the compromised container.
Priority: Warning
Netcat Remote Code Execution on Host
This rule detects the execution of NetCat on the host, which could allow an attacker to perform remote code execution.
Priority: Warning
OpenSSL File Read or Write
This rule detects OpenSSL processes attempting to read or write files with specific command line arguments, which may indicate data exfiltration activities. An attacker could use this technique to encrypt sensitive files before exfiltrating them, bypassing traditional security controls.
Priority: Warning
PTRACE attached to process
This rule detects a PTRACE attachment to processes, uncovering attempts to inject malicious code. An attacker could abuse this technique to gain unauthorized access to sensitive data or execute unauthorized commands, potentially leading to privilege escalation.
Priority: Warning
Packet Socket Created on Host
This rule detects the creation of a new packet socket at the device driver (OSI Layer 2) level in the host, which can be exploited by attackers for ARP Spoofing and privilege escalation (CVE-2020-14386).
Priority: Warning
Packet socket created in container
This rule detects the creation of a new packet socket at the device driver (OSI Layer 2) level in a container, which can be utilized by an attacker for ARP Spoofing and privilege escalation (CVE-2020-14386). An attacker could leverage this to intercept network traffic and potentially elevate their permissions in the system. This event could also indicate the use of a network tool, such as nmap, that is conducting a network scan.
Priority: Warning
Password Policy Discovery Activity Detected
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. This information may help in creating a list of common passwords and launching dictionary and/or brute-force attacks that adhere to the policy.
Priority: Warning
Persistence Across Github Runner Executions Detected
This rule detects the RUNNER_TRACKING_ID environment variable being set to 0 or to an empty string. When this variable is set that way, the cleanup job does not terminate the associated process. Threat actors can exploit this to maintain persistence across workflow executions.
Priority: Warning
Possible Backdoor using BPF
This rule detects potential backdoors utilizing BPF filters on network sockets. An attacker could leverage this technique for packet sniffing to gather sensitive information in a backdoor, such as BPFDoor, or initiate covert communication channels undetected.
Priority: Warning
Possible Remote Code Execution using rsync
This rule detects rsync and rsyncd processes executing unexpected binaries, which may indicate arbitrary command execution through rsync and the exploitation of vulnerabilities such as CVE-2024-12084, which leads to remote code execution.
Priority: Warning
Possible SSH Hijacking Attempt Detected
Adversaries might try to take control of an active SSH session by employing a custom SSH agent. This detection rule specifically identifies instances where a custom agent is added and tested.
Priority: Warning
Potential Secret Dump from etcd
This rule detects an attempt to dump Kubernetes secrets from etcd using etcdctl with TLS authentication. Such activity may indicate an attacker trying to access sensitive information stored in the cluster.
Priority: Warning
Privileged Shell Spawned Inside Container
This rule detects the creation of a shell as root for interaction within a container. If this rule fires, it may be an indication of compromise.
Priority: Warning
Process memory injection via process_vm_writev
Detect process memory injection via the process_vm_writev system call, an alternative to ptrace that can be an easier way to inject code into another process's memory.
Priority: Warning
Python HTTP Server Started
Threat actors may exploit Python's HTTP Server tool to create a hidden channel for transferring sensitive data from compromised systems. Although typically used innocuously for file sharing or serving static content, adversaries may leverage it to establish covert communication with their external servers. By initiating the server on a compromised system, attackers can discreetly upload files, execute commands, or transfer stolen data without alerting security measures.
Priority: Warning
Query to Window Management System Detected
Detect any attempt at querying the window manager which could provide an attacker with a list of open application windows and, potentially, information on how the system is used.
Priority: Warning
Read sensitive file untrusted
This rule detects attempts to read sensitive files such as user/password/authentication information by untrusted programs. An attacker could gain unauthorized access to critical system data, compromising user credentials or sensitive configuration information.
Priority: Warning
Reconnaissance attempt to find SETGID binaries
An attempt was made to enumerate SETGID binaries. This typically occurs as part of reconnaissance on a compromised machine, where an attacker is looking to escalate privileges.
Priority: Warning
Reconnaissance attempt to find SUID binaries
An attempt was made to enumerate SUID binaries. This typically occurs as part of reconnaissance on a compromised machine, where an attacker is looking to escalate privileges.
Priority: Warning
Redirect STDOUT/STDIN to Network Connection in Container
This rule detects attempts to redirect standard input/output to a network connection within a container, potentially indicating a reverse shell. An attacker could establish remote access to a compromised system by leveraging this network connection to execute commands and exfiltrate sensitive data.
Priority: Warning
Redirect STDOUT/STDIN to Network Connection in Host
This rule detects redirection of STDOUT/STDIN to a network connection in the host, indicative of a potential reverse shell, allowing an attacker to gain unauthorized access to the target system. By intercepting communications through the network connection, the attacker could execute commands remotely and extract sensitive data, compromising system integrity.
Priority: Warning
Remove Bulk Data from Disk
This rule detects processes attempting to clear bulk data from the disk, such as 'shred' or 'mkfs', potentially erasing sensitive information. An attacker could perform data destruction by running these commands to cover their tracks and hinder forensic investigations.
Priority: Warning
Run shell untrusted
This rule detects unauthorized attempts to spawn a shell within non-shell applications using specific binaries or Java processes as entry points. An attacker could gain command execution or navigate to the system's sensitive areas to exfiltrate data.
Priority: Warning
SSH keys added to authorized_keys
After gaining access, attackers can modify the authorized_keys file to maintain persistence on a victim host. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. This rule aims to detect any modification to the authorized_keys file, which is usually located under the .ssh directory in any user's home directory.
Priority: Warning
Search Private Keys or Passwords
This rule detects activities searching for private keys or passwords, alerting on potential credential exposure. An attacker could gain unauthorized access to sensitive information such as SSH keys, compromising system security.
Priority: Warning
Sensitive File Access Attempt Detected During Package Install
This rule identifies attempts to access sensitive files during package installation. Some malicious packages, once installed, may look for sensitive information and files in the filesystem in order to exfiltrate them and later reuse them to access other services.
Priority: Warning
Sensitive File Tampered Using Capabilities
This rule detects successful attempts at tampering with critical system files that may allow an unprivileged process with certain capabilities to escalate to root. These capabilities allow a process to bypass file permission checks, change file ownership, or perform administrative operations, which are typically restricted to the root user.
Priority: Warning
Service Discovery Activity Detected
This rule detects activity related to discovering services, which threat actors may do to uncover vulnerabilities or evade detection. An attacker could identify exposed services for potential exploitation and gain deeper access within a target network or system.
Priority: Warning
Shared Libraries Reconnaissance Activity Detected
Attackers might search for RPATH and RUNPATH environment variables within binary files to locate shared libraries. Replacing these libraries can result in privilege escalation or undesired execution flaws.
Priority: Warning
Shell Spawned with Inline Python Command
This rule detects the execution of a Python command spawning shell processes through Python's inline command capabilities. An attacker could leverage these capabilities to create a shell and gain unauthorized access to a victim system.
Priority: Warning
Shell binaries opening connections
This rule detects shell binaries opening connections which could indicate a potential reverse shell or covert download. An attacker could establish unauthorized network connections to exfiltrate data or gain persistent access to the target system.
Priority: Warning
Suspicious Access To Kerberos Secrets
Adversaries may attempt to open files located under the secrets subfolder in Linux systems with the objective of retrieving sensitive information, such as cached Kerberos tickets.
Priority: Warning
Suspicious Capabilities Granted to File
Adversaries may grant specific capabilities to a binary, allowing it to perform actions beyond its usual permissions. This allows them to elevate their privileges or extract sensitive information.
Priority: Warning
Suspicious Command Executed by Web Server
A web server process was observed executing a suspicious command. This could indicate the presence of a webshell, a malicious file placed on a web server that grants an attacker backdoor access via special URLs. This event covers specific web server processes, such as httpd, and may not have full visibility into all web servers.
Priority: Warning
Suspicious Connection to K8S API Server From Container
Detect suspicious connections to the K8S API Server from a container. Suspicious requests, such as POST requests sent by curl or wget, or requests from a kubectl binary that does not belong to the container's base image, may be abused by attackers to interact with the K8s API server using an over-permissive service account mounted on the pod.
Priority: Warning
Suspicious Cron Modification
This rule detects suspicious modifications to cron jobs, a common tactic used by attackers to establish persistent access to systems. An attacker could leverage unauthorized changes to cron jobs to execute malicious commands at specific intervals, enabling them to maintain access and control over the system. Such modifications may go unnoticed and allow attackers to carry out stealthy activities over an extended period.
Priority: Warning