Advanced threat detection rules. Powered by Sysdig threat research.
Detection rules define the behaviors that indicate potential threats in cloud-native environments. Sysdig’s Threat Research Team (TRT) continuously curates and enhances these rules to protect against the latest cloud-native attacks. Get precision-tuned detections mapped to MITRE ATT&CK® and leading compliance frameworks.
Suspicious Docker Options
This rule detects risky Docker settings that may lead to container escape or misuse of host resources, enhancing container security. An attacker could exploit such Docker options to elevate privilege levels within the container or perform unauthorized actions on the host system, enabling further compromise.
Priority: Warning
Tags:
Suspicious Java Child Processes
This rule detects suspicious Java child processes that may indicate an attempt to obtain Remote Code Execution within a system. An attacker could leverage this to execute malicious code, potentially gaining unauthorized access and control over sensitive data and resources.
Priority: Warning
Tags:
Suspicious Kernel Parameter Modification
This rule detects suspicious modifications to critical kernel parameters, which may signal a compromise. An attacker could manipulate sensitive kernel settings to gain elevated privileges, potentially opening avenues for further compromise and bypassing security controls within the system.
Priority: Warning
Tags:
Suspicious Listener Execution Detected
This rule detects known binaries such as netcat and socat listening for connections from a host or container. Such executions may serve legitimate network purposes but may also be abused by attackers to receive reverse shell connections.
Priority: Warning
Tags:
Suspicious Operations with Firewalls
This rule detects suspicious operations with firewalls, including modifications to firewall rules, changes in logging configurations, and attempts to stop firewall processes, potentially enabling an attacker to disable network defenses. An attacker could evade detection by altering firewall rules, compromising the network's security posture, and allowing unauthorized access.
Priority: Warning
Tags:
Suspicious System Service Modification
This rule detects suspicious direct writes to system service files, potentially indicating a compromise. Attackers could modify critical service files to establish persistence or disrupt system operations.
Priority: Warning
Tags:
Suspicious cups-browsed process listening on UDP (CVE-2024-47176)
This rule detects the cups-browsed process listening for incoming connections on port 631. This may indicate that it is vulnerable to CVE-2024-47176. Ensure that this is expected behavior and that the process has been patched.
Priority: Warning
Tags:
Suspicious device created in container
This rule detects suspicious creation of disk devices in containers, which can enable privilege escalation and potential container escape. An attacker could leverage this to gain unauthorized access and execute malicious activities on the host machine, bypassing container isolation.
Priority: Warning
Tags:
Suspicious network tool downloaded and launched in container
This rule detects suspicious network tools downloaded and executed in a container environment. An attacker could use a malicious network tool to establish unauthorized communication channels and exfiltrate sensitive data. Such unauthorized activities can bypass traditional security controls and evade detection by security monitoring tools.
Priority: Warning
Tags:
System Capabilities Configuration Updated
This rule detects changes to the capabilities.conf file. Monitoring this kind of activity is critical for preventing unauthorized privilege adjustments, ensuring system integrity, and protecting against broader security threats in environments like CI/CD pipelines and production systems.
Priority: Warning
Tags:
System Linker Corruption Detected
This rule detects instances of a process modifying or entirely replacing the main system dynamic linker in Unix distributions. By doing so, every dynamically linked binary using that loader will load the malicious shared object or payload. This technique is indicative of rootkit behavior, specifically the OrBit rootkit. Common package management utilities are excluded, as these files may be legitimately modified as part of system updates and upgrades.
Priority: Warning
Tags:
System user interactive
This rule detects system users attempting interactive commands, enabling identification of unauthorized activities by non-login users. An attacker could gain access to sensitive information or execute malicious actions by impersonating system users, potentially compromising system security.
Priority: Warning
Tags:
Tampering with Security Software on Host
This rule detects common techniques by threat actors to disable runtime security software on hosts.
Priority: Warning
Tags:
Terminal shell in container
This rule detects the use of terminal shells as entrypoints in containers, which could be a security risk if accessed by unauthorized users. An attacker could leverage this to gain elevated privileges within a container.
Priority: Warning
Tags:
Unexpected K8s NodePort Connection
This rule detects unexpected connection attempts using K8s NodePorts from containers, which can lead to unauthorized network communications. An attacker could leverage this to bypass network segmentation controls and exfiltrate sensitive data over non-standard ports.
Priority: Warning
Tags:
eBPF Program Loaded From Unexpected Location
This rule detects the runtime loading of an eBPF program into the kernel from temporary locations, a technique commonly employed by attackers for defense evasion. eBPF programs are extremely powerful and, as long as they conform to the constraints imposed by the eBPF verifier (for example, they must not cause a kernel panic), give near-arbitrary control over a target system.
Priority: Warning
Tags:
eBPF Program Loaded into Kernel
This rule detects the runtime loading of an eBPF program into the kernel. eBPF programs are extremely powerful and, as long as they conform to the constraints imposed by the eBPF verifier (for example, they must not cause a kernel panic), give near-arbitrary control over a target system.
Priority: Warning
Tags:
nsenter Container Escape
This rule detects attempts to elevate privileges by switching namespace context to a privileged process. An attacker could gain escalated privileges and potentially execute unauthorized actions in the host system.
Priority: Warning
Tags:
Create Hidden Files or Directories
This rule detects the creation of hidden files or directories by an application. An attacker could leverage this to hide malicious tools or exfiltrated data, maintaining persistence on the compromised system.
Priority: Info
Tags:
Hardware Added to the System
This rule detects hardware additions by monitoring specific processes and commands in the system. An attacker could add unauthorized hardware to establish command and control channels.
Priority: Info
Tags:
Launch Package Management Process in Container
This rule detects the execution of package management processes within containers. An attacker could exploit this by installing malicious packages to compromise the container's security; a running container is supposed to be immutable, and package management should be done when building the image.
Priority: Info
Tags:
Launch Privileged Container
This rule detects the launch of privileged containers, which weakens container isolation. An attacker could thus escape the container and gain control of the node.
Priority: Info
Tags:
Launch Remote File Copy Tools in Container
This rule detects the launch of remote file copy tools in containers, aiming to prevent unauthorized data exfiltration attempts. An attacker could exfiltrate sensitive information by using tools like 'rsync', 'scp', or 'sftp' to copy files from the container to an external location.
Priority: Info
Tags:
Launch Root User Container
This rule detects a container being started and configured to run as root. It differs from Container Run as Root User in that it looks for the container started event rather than processes running inside the container.
Priority: Info
Tags:
Launch Suspicious Network Tool in Container
This rule detects the launch of suspicious network tools inside a container, aiming to identify potential malicious activities such as unauthorized network scanning or data exfiltration. An attacker could use a suspicious network tool to establish unauthorized network connections to exfiltrate sensitive data from the container environment.
Priority: Info
Tags:
QEMU Activity Detected
This rule detects the use of QEMU on Linux hosts by detecting read operations on its files. QEMU, a versatile virtualization tool, can be exploited by attackers to conveniently deploy their malicious tools and obscure the compromise of a system.
Priority: Info
Tags:
Shutdown or Reboot detected
This rule detects if an adversary attempts to shut down or reboot the system as part of an attack path by monitoring specific system events and process activities. An attacker could disrupt operations or evade detection by rebooting the system to cover their tracks or render security controls ineffective.
Priority: Info
Tags:
The docker client is executed in a container
This rule detects the execution of client tools, such as 'kubectl' and 'docker', interacting with container engines or K8s API server within a container, helping prevent unauthorized access and manipulation of containerized resources. An attacker could potentially leverage this to interact with the container engine and even compromise the integrity of the cluster, posing a significant security risk to the environment.
Priority: Info
Tags: