Skip to main content

Core Detection Coverage

  • Updated

Core coverage maximizes usability and performance, offering a range of detections that work independent of environment characteristics and incur a minimal performance impact regardless of workload. 

With the Core set, the goal is for users to receive immediate protection against a broad spectrum of unwanted behavior. Even though Core detections optimize for working across different types of environment without any user configuration or tuning, they still offer a substantial breadth of coverage across activity like system exploitation (including the use of zero days), remote system access, attacker persistence, container escapes, attackers searching around the system for valuable data, and other activity indicative of an incident.

This document includes information regarding the Core detections provided by Capsule8. These are broken up into the following sections:

  • Detection Analytics, core coverage that detects malicious behavior
  • Smart Policy, which provides additional context to incidents without generating false positive alerts for benign behavior

More information on the above can be found in Categories of Detections.

 

Detection Analytics

Application Exploitation

Memory Corruption

Repeated Program Crashes

Medium

Description

Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1203

T1499.004

T1190
Jump to top | Jump to section top

Userfaultfd Usage

High

Description

Certain Linux functionality is almost exclusively used when exploiting kernel vulnerabilities, usually with the goal of privilege escalation. Alerts when a binary executes the userfaultfd system call.

Deployment considerations

  • This detection will only alert for kernels that support userfaultfd (kernels 4.3+).

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.3.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1203

T1106

T1068
Jump to top | Jump to section top

Unusual Application Behavior

Suspicious Interactive Shell

High

Description

Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.3.0+
Supports aarch64 Yes
ATT&CK Techniques

T1059.004
Jump to top | Jump to section top

Persistence

Kernel Backdoors

BPF Program Executed

Medium

Description

The loading of a new BPF program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1014

T1562.006

T1547.006
Jump to top | Jump to section top

Kernel Module Loaded

High

Description

Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1014

T1547.006
Jump to top | Jump to section top

Resource Hijacking

Cryptocurrency Miner Detected

Medium

Description

Opportunistic attackers often start cryptocurrency miners after compromising a node or container, usually indicating that the primary motive of the attacker is to hijack processor power. Alerts when a program with a name or arguments commonly associated with cryptocurrency miners is executed.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.5.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1496
Jump to top | Jump to section top

Userland Backdoors

Suspicious Program Name Executed-Space After File

Medium

Description

Attackers may create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1036.006

T1036.004

T1036.005
Jump to top | Jump to section top

System Exploitation

Tampering of Security Mechanisms

AppArmor Disabled In Kernel

High

Description

Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.

Deployment considerations

  • If the kernel in use does not use AppArmor, an error may be logged for this detection when the sensor starts.

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1562.001
Jump to top | Jump to section top

AppArmor Profile Modified

Medium

Description

Attackers may attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1562.001
Jump to top | Jump to section top

SELinux Disabled In Kernel

High

Description

Modification of certain SELinux attributes can only occur in-kernel, indicating that SELinux has been disabled by a kernel exploit or rootkit. Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts.

Deployment considerations

  • If the kernel in use does not use SELinux, an error may be logged for this detection when the sensor starts.

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1562.001
Jump to top | Jump to section top

SELinux Enforcement Mode Disabled From Userland

High

Description

Attackers may disable enforcement mode as a precursor to making significant system changes. Alerts when SELinux enforcement mode is disabled.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1562.001
Jump to top | Jump to section top

Container Escapes

Container Escape via Kernel Exploitation

High

Description

Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1611

T1068
Jump to top | Jump to section top

Userland Container Escape

High

Description

Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1068

T1611
Jump to top | Jump to section top

Common Kernel Exploitation Methods

Kernel Exploit

High

Description

Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to userland.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1212

T1211

T1068
Jump to top | Jump to section top

Kernel ROP

High

Description

Kernel ROP (return-oriented programming) exploits are often used to illegally elevate privileges or bypass other security measures. Alerts when ROP is detected in the kernel, specifically in a call to prepare_kernel_cred which is indicative of an exploit.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1068
Jump to top | Jump to section top

Processor-Level Protections Disabled

High

Description

SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.

Deployment considerations

  • This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.3.0+
Supports aarch64 No
ATT&CK Techniques

T1562.001
Jump to top | Jump to section top

Smart Policy

File Activity

Privileged File Operations

Setuid/Setgid Bit Set On File

Medium

Description

Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1548.001
Jump to top | Jump to section top

Network Activity

Lateral Movement

Network Service Scanner Executed

Medium

Description

An attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1046

T1018
Jump to top | Jump to section top

Network Sniffing

Network Sniffing Program Executed

Medium

Description

An attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1040
Jump to top | Jump to section top

Discovery

Cloud Metadata API Accessed

Medium

Description

Attackers commonly enumerate cloud environment details and gain access to instance credentials by accessing the cloud provider's metadata API. Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1552.005
Jump to top | Jump to section top

Network Connection Enumeration Via Program

Low

Description

A common post-exploitation activity for attackers involves discovering adjacent hosts and networks prior to lateral movement. Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1049

T1018
Jump to top | Jump to section top

Outbound Connections

Remote File Copy Detected

Medium

Description

Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.4.1-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1570

T1048.002
Jump to top | Jump to section top

Process Activity

Debugging

Process Injection

Medium

Description

Use of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1055.008
Jump to top | Jump to section top

Scheduled Task Changes

Scheduled Tasks Modified Via Program

Medium

Description

Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the "crontab", "at", or "batch" commands are used to modify scheduled task configurations.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1053.003

T1053.001
Jump to top | Jump to section top

System Configuration Changes

Systemctl Usage Detected

Medium

Description

Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1562.001

T1543.002

T1489
Jump to top | Jump to section top

Discovery

Account Enumeration Via Program

Low

Description

Attackers will often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1087.001

T1087.002

T1069.001

T1069.002

T1069

T1033
Jump to top | Jump to section top

File and Directory Discovery Via Program

Low

Description

Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1083
Jump to top | Jump to section top

Network Configuration Enumeration Via Program

Low

Description

Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1016

T1018
Jump to top | Jump to section top

Process Enumeration Via Program

Low

Description

Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.6.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1057
Jump to top | Jump to section top

System Information Enumeration Via Program

Low

Description

Attackers will commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1082
Jump to top | Jump to section top

Data Collection

Data Archived Via Program

Low

Description

After gaining access to a system, an attacker may create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.6.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1560.001
Jump to top | Jump to section top

Data Destruction

Data Destruction Via Program

Medium

Description

Data destruction performed by a non-trusted process may indicate that an attacker is trying to remove indicators of compromise or disrupt a node. Alerts when common tools for destroying data are used, if the process is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.6.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1485

T1561.001

T1561.002

T1070.004
Jump to top | Jump to section top

Log Daemon Tampering

Log Daemon Tampering

Medium

Description

Attempts to tamper with log daemons may indicate that an attacker is trying to remove indicators of compromise and hide their trails. Alerts when daemon control programs are invoked with specific arguments, if the process is already part of an ongoing incident.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.8.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1070
Jump to top | Jump to section top

User Activity

User Account Changes

User Account Created Via CLI

High

Description

Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1136.001
Jump to top | Jump to section top

Risky Developer Activity

User Login Via SSH

Low

Description

Alerts when an interactive shell process is started by a valid system user via SSH.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1078.002

T1078.003

T1059.004

T1133
Jump to top | Jump to section top

Privileged Command Usage

User Execution Of su Command

Medium

Description

Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the 'su' command is executed.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1548.003
Jump to top | Jump to section top

User Execution Of sudo Command

Medium

Description

Alerts when the 'sudo' command is executed.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.2.0-4.10.0
Sensor versions 4.2.0+
Supports aarch64 Yes
ATT&CK Techniques

T1548.003
Jump to top | Jump to section top

User Execution Of Unwanted sudo Command

Medium

Description

Some commands run with sudo privileges are rarely used legitimately by system administrators and could indicate an account has been compromised. Alerts when 'sudo' is used to execute privileged commands common to post-exploitation activities.

Deployment considerations

  • None

Attributes

Products Protect, Protect+, Complete
Default state Enabled
Content versions 4.8.0-4.10.0
Sensor versions 4.4.0+
Supports aarch64 Yes
ATT&CK Techniques

T1548.003
Jump to top | Jump to section top
Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Article is closed for comments.