This document includes information regarding all detections provided by Capsule8. These are broken up into the following sections:
- Detection Analytics, core coverage that detects malicious behavior
- Smart Policy, which provides additional context to incidents without generating false positive alerts for benign behavior
More information on the above can be found in Categories of Detections.
Detection Analytics
Application Exploitation
Memory Corruption
Description
Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable.
Deployment considerations
- Can cause false positives for certain application servers.
- Can introduce a negative performance impact for workloads with many process re-executions.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1203
T1106
T1190
|
|
Jump to top |
Jump to section top
Description
Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1203
T1499.004
T1190
|
|
Jump to top |
Jump to section top
Description
Certain Linux functionality is almost exclusively used when exploiting kernel vulnerabilities, usually with the goal of privilege escalation. Alerts when a binary executes the userfaultfd system call.
Deployment considerations
- This detection will only alert for kernels that support userfaultfd (kernels 4.3+).
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.3.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1203
T1106
T1068
|
|
Jump to top |
Jump to section top
Unusual Application Behavior
Description
As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.3.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1204.002
|
|
Jump to top |
Jump to section top
Description
As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a script that has been created or modified within 5 minutes is then executed within a container.
Deployment considerations
- Currently only works for Python scripts.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.10.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
|
|
Jump to top |
Jump to section top
Description
Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Alerts when a program uses ptrace (debugging) mechanisms to extract process data via the /proc filesystem.
Deployment considerations
- Can generate benign/false-positive alerts from programs or scripts that regularly inspect proc entries.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.6.0-4.10.0 |
| Sensor versions |
4.4.1+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1003.007
T1055.009
|
|
Jump to top |
Jump to section top
Description
Remote Interactive shells are rare occurrences on modern production infrastructure. Alerts when a remote interactive shell is started if the shell was not created by SSHD.
Deployment considerations
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.8.0-4.10.0 |
| Sensor versions |
4.7.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1059.004
T1190
|
|
Jump to top |
Jump to section top
Description
Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.3.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1059.004
|
|
Jump to top |
Jump to section top
Description
Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells, started in a container, or started as a child of a network service that is not SSH.
Deployment considerations
- Improves detection of interactive shells, but may result in increased false positives.
- Can cause a negative performance impact on network-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.3.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1059.004
|
|
Jump to top |
Jump to section top
Persistence
Kernel Backdoors
Description
The loading of a new BPF program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1014
T1562.006
T1547.006
|
|
Jump to top |
Jump to section top
Description
Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1014
T1547.006
|
|
Jump to top |
Jump to section top
Resource Hijacking
Description
Opportunistic attackers often start cryptocurrency miners after compromising a node or container, usually indicating that the primary motive of the attacker is to hijack processor power. Alerts when a program with a name or arguments commonly associated with cryptocurrency miners is executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.5.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1496
|
|
Jump to top |
Jump to section top
Remote Access Tool Download
Userland Backdoors
Description
Attackers may create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1036.006
T1036.004
T1036.005
|
|
Jump to top |
Jump to section top
Evading Detection
Description
Evading command logging is common practice for attackers, but may also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging.
Deployment considerations
- This detection requires uprobe support, present in kernels 4.8+.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.5.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1070.003
T1562.003
|
|
Jump to top |
Jump to section top
System Exploitation
Tampering of Security Mechanisms
Description
Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.
Deployment considerations
- If the kernel in use does not use AppArmor, an error may be logged for this detection when the sensor starts.
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
|
|
Jump to top |
Jump to section top
Description
Attackers may attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
|
|
Jump to top |
Jump to section top
Description
Modification of certain SELinux attributes can only occur in-kernel, indicating that SELinux has been disabled by a kernel exploit or rootkit. Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts.
Deployment considerations
- If the kernel in use does not use SELinux, an error may be logged for this detection when the sensor starts.
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
|
|
Jump to top |
Jump to section top
Description
Attackers may disable enforcement mode as a precursor to making significant system changes. Alerts when SELinux enforcement mode is disabled.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
|
|
Jump to top |
Jump to section top
Container Escapes
Description
Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1611
T1068
|
|
Jump to top |
Jump to section top
Description
The Docker socket is used to create and interact with containers on a node, and is a common target for attackers. Alerts when a Docker socket is accessed, if the connector isn't a known container management tool.
Deployment considerations
- May issue unwanted alerts for legitimate container management tools
- Requires tuning of allowlists and blocklists for different environments
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.8.0-4.10.0 |
| Sensor versions |
4.8.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1068
T1552.007
T1610
T1613
|
|
Jump to top |
Jump to section top
Description
Privileged containers have direct access to host resources, leading to a greater impact when compromised. Alerts when a privileged container is launched, if the container isn't a known privileged image such as kube-proxy.
Deployment considerations
- Can issue unwanted alerts for legitimate privileged containers. Requires fine-tuning of allowlists and blocklists for different environments.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.7.0-4.10.0 |
| Sensor versions |
4.7.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1068
|
|
Jump to top |
Jump to section top
Description
Alerts when a modification is detected of the runc binary by a non-package manager, such as with CVE-2019-5736.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1554
T1068
T1611
|
|
Jump to top |
Jump to section top
Description
Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1068
T1611
|
|
Jump to top |
Jump to section top
Common Kernel Exploitation Methods
Description
Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means.
Deployment considerations
- Can issue false positive alerts on nodes with significant workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1068
|
|
Jump to top |
Jump to section top
Description
Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to userland.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1212
T1211
T1068
|
|
Jump to top |
Jump to section top
Description
Kernel ROP (return-oriented programming) exploits are often used to illegally elevate privileges or bypass other security measures. Alerts when ROP is detected in the kernel, specifically in a call to prepare_kernel_cred which is indicative of an exploit.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1068
|
|
Jump to top |
Jump to section top
Description
SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.
Deployment considerations
- This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.3.0+ |
| Supports aarch64 |
No |
| ATT&CK Techniques |
T1562.001
|
|
Jump to top |
Jump to section top
Description
The unshare syscall can be used to create new namespaces in which a normally unprivileged user/program can get elevated capabilities, potentially allowing additional attacks on the kernel.
Deployment considerations
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
|
|
Jump to top |
Jump to section top
Smart Policy
File Activity
Changes to System Binaries
Description
If not performed by a trusted source (e.g. package manager or configuration management tool), modification of boot files could be indicative of an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1542.003
|
|
Jump to top |
Jump to section top
Indicator Removal
Description
Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1070.004
T1070.002
|
|
Jump to top |
Jump to section top
Userland Backdoors
Description
Attackers may modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.6.0-4.10.0 |
| Sensor versions |
4.4.1+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1543
|
|
Jump to top |
Jump to section top
Configuration Changes
Description
Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1553.004
|
|
Jump to top |
Jump to section top
Description
Modifications to the sudoers file could indicate an attempt to escalate privileges or bypass password authentication. Alerts when the sudoers file is modified.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
Privileged File Operations
Description
Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.001
|
|
Jump to top |
Jump to section top
System Configuration Changes
Description
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
T1543.002
|
|
Jump to top |
Jump to section top
Description
User-scoped systemd services start whenever a user first establishes a session, and run until the last session for the user is closed. This type of service is rare, and could indicate that an attacker is attempting to establish persistent access to a system. Alerts whenever a user-scoped systemd unit file is created.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.9.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
T1543.002
|
|
Jump to top |
Jump to section top
Unusual Files Created
Description
Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1564.001
|
|
Jump to top |
Jump to section top
Network Activity
Lateral Movement
Description
An attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1046
T1018
|
|
Jump to top |
Jump to section top
Network Sniffing
Description
An attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1040
|
|
Jump to top |
Jump to section top
Discovery
Description
A common post-exploitation activity for attackers involves discovering adjacent hosts and networks prior to lateral movement. Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1049
T1018
|
|
Jump to top |
Jump to section top
Network Service Behavior
Description
Attackers may start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
|
|
Jump to top |
Jump to section top
Outbound Connections
Description
Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.4.1-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1570
T1048.002
|
|
Jump to top |
Jump to section top
Description
Command and Control channels and cryptocoin miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident.
Deployment considerations
- Can cause a negative performance impact on network-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1571
|
|
Jump to top |
Jump to section top
Process Activity
Compiler Usage
Description
An attacker may compile a custom backdoor or kernel exploit on a node to ensure compatibility with the node. Alerts when a program is executed that compiles a binary.
Deployment considerations
- Can cause a decrease in performance for workloads that run build jobs regularly
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1027.004
|
|
Jump to top |
Jump to section top
Abnormal Process Execution
Description
Newly created files from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.3.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1204.002
|
|
Jump to top |
Jump to section top
Description
Newly created scripts from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 5 minutes is then executed by a script interpreter, excluding files created by system update programs.
Deployment considerations
- Currently only works for Python scripts.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.10.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
|
|
Jump to top |
Jump to section top
Debugging
Description
Use of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1055.008
|
|
Jump to top |
Jump to section top
Scheduled Task Changes
Description
Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when a cron-related file is modified, indicating a change to scheduled job configurations.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1053.003
|
|
Jump to top |
Jump to section top
Description
Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the "crontab", "at", or "batch" commands are used to modify scheduled task configurations.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1053.003
T1053.001
|
|
Jump to top |
Jump to section top
System Configuration Changes
Description
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
T1543.002
T1489
|
|
Jump to top |
Jump to section top
Discovery
Description
Attackers will often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
|
Jump to top |
Jump to section top
Description
Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1083
|
|
Jump to top |
Jump to section top
Description
Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1016
T1018
|
|
Jump to top |
Jump to section top
Description
Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.6.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1057
|
|
Jump to top |
Jump to section top
Data Collection
Description
After gaining access to a system, an attacker may create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.6.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1560.001
|
|
Jump to top |
Jump to section top
Data Destruction
Description
Data destruction performed by a non-trusted process may indicate that an attacker is trying to remove indicators of compromise or disrupt a node. Alerts when common tools for destroying data are used, if the process is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.6.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1485
T1561.001
T1561.002
T1070.004
|
|
Jump to top |
Jump to section top
Log Daemon Tampering
Description
Attempts to tamper with log daemons may indicate that an attacker is trying to remove indicators of compromise and hide their trails. Alerts when daemon control programs are invoked with specific arguments, if the process is already part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.8.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1070
|
|
Jump to top |
Jump to section top
User Activity
User Account Changes
Description
Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to identity management is modified by a program unrelated to updating existing user information.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
- Deprecated: This detection has been superceded by 'New System User Added', and will be removed in the next major release (5.0).
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
|
|
Jump to top |
Jump to section top
Description
An attacker may add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file /etc/passwd, if the entity is not added by a system update program.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.7.0-4.10.0 |
| Sensor versions |
4.7.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
|
|
Jump to top |
Jump to section top
Description
Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
T1098
|
|
Jump to top |
Jump to section top
Description
Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
|
|
Jump to top |
Jump to section top
Description
User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when .bash_profile and bashrc (as well as related files) are modified by a program other than a system update tool.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1037.004
T1546.004
|
|
Jump to top |
Jump to section top
Description
Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user's SSH authorized_keys file is observed, if the program is already part of an ongoing incident.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1098.004
T1078.003
|
|
Jump to top |
Jump to section top
Risky Developer Activity
Description
This detection logs commands executed by a valid system user via SSH.
Deployment considerations
- Can result in a high volume of notifications.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1059.004
|
|
Jump to top |
Jump to section top
Description
Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1070.003
|
|
Jump to top |
Jump to section top
Description
Alerts when an interactive shell process is started by a valid system user via SSH.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1078.002
T1078.003
T1059.004
T1133
|
|
Jump to top |
Jump to section top
Privileged Command Usage
Description
Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the 'su' command is executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
Description
Alerts when the 'sudo' command is executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
Description
Some commands run with sudo privileges are rarely used legitimately by system administrators and could indicate an account has been compromised. Alerts when 'sudo' is used to execute privileged commands common to post-exploitation activities.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.8.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
Abnormal Process Execution
Description
Attackers and rogue users may search for passwords or other credentials after gaining access to a system, and may use these credentials to compromise additional hosts or services. Alerts when common password enumeration commands are issued in an interactive shell, if the shell is part of an ongoing incident.
Deployment considerations
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.7.0-4.10.0 |
| Sensor versions |
4.7.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1552.001
|
|
Jump to top |
Jump to section top
Audit
File Activity
Changes to System Binaries
Description
If not performed by a trusted source (e.g. package manager or configuration management tool), modification of boot files could be indicative of an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1542.003
|
|
Jump to top |
Jump to section top
Indicator Removal
Description
Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1070.004
T1070.002
|
|
Jump to top |
Jump to section top
Userland Backdoors
Description
Attackers may modify system utilities in order to execute malicious payloads whenever these utilities are run. Alerts when a common system utility is modified by an unauthorized process.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.6.0-4.10.0 |
| Sensor versions |
4.4.1+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1543
|
|
Jump to top |
Jump to section top
Configuration Changes
Description
Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1553.004
|
|
Jump to top |
Jump to section top
Description
Modifications to the sudoers file could indicate an attempt to escalate privileges or bypass password authentication. Alerts when the sudoers file is modified.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
System Configuration Changes
Description
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
T1543.002
|
|
Jump to top |
Jump to section top
Description
User-scoped systemd services start whenever a user first establishes a session, and run until the last session for the user is closed. This type of service is rare, and could indicate that an attacker is attempting to establish persistent access to a system. Alerts whenever a user-scoped systemd unit file is created.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.9.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
T1543.002
|
|
Jump to top |
Jump to section top
Network Activity
Lateral Movement
Description
An attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1046
T1018
|
|
Jump to top |
Jump to section top
Network Sniffing
Description
An attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1040
|
|
Jump to top |
Jump to section top
Process Activity
Compiler Usage
Description
An attacker may compile a custom backdoor or kernel exploit on a node to ensure compatibility with the node. Alerts when a program is executed that compiles a binary.
Deployment considerations
- Can cause a decrease in performance for workloads that run build jobs regularly
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1027.004
|
|
Jump to top |
Jump to section top
Abnormal Process Execution
Description
Newly created files from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.3.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1204.002
|
|
Jump to top |
Jump to section top
Description
Newly created scripts from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 5 minutes is then executed by a script interpreter, excluding files created by system update programs.
Deployment considerations
- Currently only works for Python scripts.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.10.0 |
| Sensor versions |
4.10.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
|
|
Jump to top |
Jump to section top
Debugging
Description
Use of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1055.008
|
|
Jump to top |
Jump to section top
Scheduled Task Changes
Description
Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when a cron-related file is modified, indicating a change to scheduled job configurations.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1053.003
|
|
Jump to top |
Jump to section top
Description
Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the "crontab", "at", or "batch" commands are used to modify scheduled task configurations.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1053.003
T1053.001
|
|
Jump to top |
Jump to section top
System Configuration Changes
Description
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1562.001
T1543.002
T1489
|
|
Jump to top |
Jump to section top
User Activity
User Account Changes
Description
Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to identity management is modified by a program unrelated to updating existing user information.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
- Deprecated: This detection has been superceded by 'New System User Added', and will be removed in the next major release (5.0).
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
|
|
Jump to top |
Jump to section top
Description
An attacker may add a new user to a host to provide a reliable method of access. Alerts if a new user entity is added to the local account management file /etc/passwd, if the entity is not added by a system update program.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.7.0-4.10.0 |
| Sensor versions |
4.7.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
|
|
Jump to top |
Jump to section top
Description
Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
T1098
|
|
Jump to top |
Jump to section top
Description
Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1136.001
|
|
Jump to top |
Jump to section top
Description
User profile and configuration files are often modified as a method of persistence in order to execute a program whenever a user logs in. Alerts when .bash_profile and bashrc (as well as related files) are modified by a program other than a system update tool.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1037.004
T1546.004
|
|
Jump to top |
Jump to section top
Risky Developer Activity
Description
This detection logs commands executed by a valid system user via SSH.
Deployment considerations
- Can result in a high volume of notifications.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1059.004
|
|
Jump to top |
Jump to section top
Description
Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls. Alerts when command line history files are deleted.
Deployment considerations
- Can cause a negative performance impact on file-heavy workloads.
|
Attributes
| Products |
Protect+, Complete |
| Default state |
Disabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1070.003
|
|
Jump to top |
Jump to section top
Description
Alerts when an interactive shell process is started by a valid system user via SSH.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1078.002
T1078.003
T1059.004
T1133
|
|
Jump to top |
Jump to section top
Privileged Command Usage
Description
Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the 'su' command is executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
Description
Alerts when the 'sudo' command is executed.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.2.0-4.10.0 |
| Sensor versions |
4.2.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top
Description
Some commands run with sudo privileges are rarely used legitimately by system administrators and could indicate an account has been compromised. Alerts when 'sudo' is used to execute privileged commands common to post-exploitation activities.
Deployment considerations
|
Attributes
| Products |
Protect, Protect+, Complete |
| Default state |
Enabled |
| Content versions |
4.8.0-4.10.0 |
| Sensor versions |
4.4.0+ |
| Supports aarch64 |
Yes |
| ATT&CK Techniques |
T1548.003
|
|
Jump to top |
Jump to section top 
Comments
0 comments
Article is closed for comments.