This section lists three categories of Detections:
- Detection Analytics
- Smart Policy
- Audit
You can find an overview of each of those categories here.
Heads up: Any detections listed in italics are disabled by default, and must be manually enabled. To enable a disabled detection, check out Adjusting default detections.
Detection Analytics
Below is a list of the detection classes bundled in Detection Analytics, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.
Application Exploitation
Memory Corruption
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Memory Marked Executable* | Disabled | Alerts when a program sets heap or stack memory permissions to executable. | None | |
| Repeated Program Crashes | Enabled | Alerts when more than 5 instances of an individual program crash via segmentation fault. | None | |
| Userfaultfd Usage | Enabled | Alerts when a newly-created binary executes the userfaultfd system call, which is commonly used during exploitation. This detection will not fire unless the New File Executed or New File Executed in Container detections are enabled, and will only alert for kernels that support userfaultfd (kernels 4.3+). | None | |
New File Behavior
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *New File Executed in Container* | Disabled | Alerts when a file that has been created or modified within 30 minutes is then executed within a container. | Can cause a negative performance impact on file-heavy workloads. | |
| Userfaultfd Usage | Enabled | Alerts when a newly-created binary executes the userfaultfd system call, which is commonly used during exploitation. This detection will not fire unless the New File Executed or New File Executed in Container detections are enabled, and will only alert for kernels that support userfaultfd (kernels 4.3+). | None | |
Unusual Application Behavior
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Compromised Shell Session Detected* | Disabled | Alerts if a shell has executed several commands common to post-exploitation discovery activities. | None | |
| *New File Executed in Container* | Disabled | Alerts when a file that has been created or modified within 30 minutes is then executed within a container. | Can cause a negative performance impact on file-heavy workloads. | |
| Repeated Program Crashes | Enabled | Alerts when more than 5 instances of an individual program crash via segmentation fault. | None | |
| Suspicious Interactive Shell | Enabled | Alerts when an interactive shell is started with arguments commonly used for reverse shells. | None | |
| *Suspicious Interactive Shell Advanced* | Disabled | Alerts when an interactive shell is started with arguments commonly used for reverse shells, started in a container, or started as a child of a network service that is not SSH. | None | |
Persistence
Kernel Backdoors
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| BPF Program Executed | Enabled | Alerts when a BPF program is loaded by a process that is already part of an ongoing incident. This could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. | None | |
| Kernel Module Loaded | Enabled | Alerts when a kernel module is loaded, if the program is already part of an ongoing incident. | None | |
Userland Backdoors
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Suspicious Program Name Executed-Space After File | Enabled | Alerts when a program is executed with a space after the program name, commonly used to masquerade as a legitimate system service. | None | |
System Exploitation
Common Kernel Exploitation Methods
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Illegal Elevation Of Privileges* | Disabled | Alerts when a program attempts to elevate privileges through unusual means. | None | |
| Kernel Exploit | Enabled | Alerts when a kernel function unexpectedly returns to userland. | None | |
| Processor-Level Protections Disabled | Enabled | Alerts when a program tampers with the kernel SMEP/SMAP configuration. | This detection is not functional for kernels between v4.19 and v5.2 (inclusive), as kernel code changes removed visibility of attempts to modify the SMEP/SMAP configuration. | |
Container Escapes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Container Escape via Kernel Exploitation | Enabled | Alerts when a program uses kernel functions commonly used in container escape exploits. | None | |
| *RunC Container Escape* | Disabled | Alerts when a modification of the runc binary by a program other than a package manager is detected, as happens with CVE-2019-5736. | Can cause a negative performance impact on file-heavy workloads. | |
| Userland Container Escape | Enabled | Alerts when a container-created file is executed from the host namespace, which indicates a possible container escape. | None | |
Privilege Escalation
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Illegal Elevation Of Privileges* | Disabled | Alerts when a program attempts to elevate privileges through unusual means. | None | |
Tampering of Security Mechanisms
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| AppArmor Disabled In Kernel | Enabled | Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts. | If the kernel in use does not use AppArmor, an error may be logged for this detection when the sensor starts. | |
| AppArmor Profile Modified | Enabled | Alerts when a command for modifying an AppArmor profile is executed, if it was not disabled by a user in an SSH session. | None | |
| Processor-Level Protections Disabled | Enabled | Alerts when a program tampers with the kernel SMEP/SMAP configuration. | This detection is not functional for kernels between v4.19 and v5.2 (inclusive), as kernel code changes removed visibility of attempts to modify the SMEP/SMAP configuration. | |
| SELinux Disabled In Kernel | Enabled | Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts. This indicates that SELinux has been disabled by a kernel exploit or rootkit. | If the kernel in use does not use SELinux, an error may be logged for this detection when the sensor starts. | |
| SELinux Enforcement Mode Disabled From Userland | Enabled | Alerts when SELinux enforcement mode is disabled. | None | |
Smart Policy
Below is a list of the detection classes bundled in Smart Policy, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.
File Activity
Changes to System Binaries
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Boot Files Modified* | Disabled | Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration. | Can cause a negative performance impact on file-heavy workloads. | |
Configuration Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Root Certificate Store Modified* | Disabled | Alerts when a system CA certificate store is changed. | Can cause a negative performance impact on file-heavy workloads. | |
Indicator Removal
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Log Files Deleted* | Disabled | Alerts on deletion of log files. | Can cause a negative performance impact on file-heavy workloads. | |
New File Behavior
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *New File Executed* | Disabled | Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs. | Can cause a negative performance impact on file-heavy workloads. | |
Privileged File Operations
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Setuid/Setgid Bit Set On File | Enabled | Alerts when the setuid or setgid bit is set on a file with chmod. | None | |
System Configuration Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Systemd Unit File Modified* | Disabled | Alerts whenever a systemd unit file is modified by a program other than systemctl. | Can cause a negative performance impact on file-heavy workloads. | |
Unusual Files Created
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Hidden File Created* | Disabled | Alerts when a hidden file is created by a process associated with an ongoing incident. | Can cause a negative performance impact on file-heavy workloads. | |
Network Activity
Discovery
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Cloud Metadata API Accessed | Enabled | Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident. | None | |
| Network Connection Enumeration Via Program | Enabled | Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident. | None | |
Lateral Movement
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Network Service Scanner Executed | Enabled | Alerts when common network scanning tools are executed. | None | |
Network Service Behavior
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Network Service Created* | Disabled | Alerts when a program starts a new network service, if the program is already part of an ongoing incident. | None | |
Network Sniffing
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Network Sniffing Program Executed | Enabled | Alerts when a program is executed that allows network capture. | None | |
Outbound Connections
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Unusual Outbound Connection Detected* | Disabled | Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident. | Can cause a negative performance impact on network-heavy workloads. | |
Process Activity
Abnormal Process Execution
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *New File Executed* | Disabled | Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs. | Can cause a negative performance impact on file-heavy workloads. | |
Compiler Usage
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Compiler Usage | Enabled | Alerts when a program is executed that compiles a binary. | None | |
Debugging
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Process Injection | Enabled | Alerts when a program uses ptrace mechanisms to interact with another process. | None | |
Discovery
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Account Enumeration Via Program | Enabled | Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident. | None | |
| File and Directory Discovery Via Program | Enabled | Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident. | None | |
| Network Configuration Enumeration Via Program | Enabled | Alerts when a program associated with network configuration enumeration is executed. | None | |
| System Information Enumeration Via Program | Enabled | Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident. | None | |
Scheduled Task Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Scheduled Tasks Modified Via File* | Disabled | Alerts when a cron-related file is modified, indicating a change to scheduled job configurations. | Can cause a negative performance impact on file-heavy workloads. | |
| Scheduled Tasks Modified Via Program | Enabled | Alerts when the crontab command is used to modify cron job configurations. | None | |
System Configuration Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Systemctl Usage Detected | Enabled | Alerts when the systemctl command is used to modify systemd units. | None | |
User Activity
Privileged Command Usage
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| User Execution Of su Command | Enabled | Alerts when the 'su' command is executed. | None | |
| User Execution Of sudo Command | Enabled | Alerts when the 'sudo' command is executed. | None | |
Risky Developer Activity
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Shell Command Executed | Enabled | Alerts when a command is executed by a valid system user via SSH. | None | |
| *User Command History Cleared* | Disabled | Alerts when command line history files are deleted. | Can cause a negative performance impact on file-heavy workloads. | |
| User Login Via SSH | Enabled | Alerts when an interactive shell process is started by a valid system user via SSH. | None | |
User Account Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Account Modification* | Disabled | Alerts when a file related to identity management is modified by a program unrelated to updating existing user information. | Can cause a negative performance impact on file-heavy workloads. | |
| *Password Database Modification* | Disabled | Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information. | Can cause a negative performance impact on file-heavy workloads. | |
| *SSH Authorized Keys Modification* | Disabled | Alerts when an attempt to write to a user's SSH authorized_keys file is observed, if the program is already part of an ongoing incident. | Can cause a negative performance impact on file-heavy workloads. | |
| User Account Created Via CLI | Enabled | Alerts when an identity management program is executed by a program other than a package manager. | None | |
| *User Configuration Changes* | Disabled | Alerts when .bash_profile and .bashrc (as well as related files) are modified by an unexpected program. | Can cause a negative performance impact on file-heavy workloads. | |
Audit
Below is a list of the detection classes bundled in Audit, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.
To avoid generating a large volume of events, Audit detections will not emit events by default, unless the process that caused the event is part of an active incident (that is, Capsule8 has determined that it is malicious). To always receive Audit notifications, you will need to both:
- Configure an audit output in your alert configuration, as described in Routing Alerts
- Enable Audit events, as described in Adjusting default detections.
File Activity
Changes to System Binaries
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Boot Files Modified* | Disabled | Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration. | Can cause a negative performance impact on file-heavy workloads. | |
Configuration Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Root Certificate Store Modified* | Disabled | Alerts when a system CA certificate store is changed. | Can cause a negative performance impact on file-heavy workloads. | |
Indicator Removal
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Log Files Deleted* | Disabled | Alerts on deletion of log files. | Can cause a negative performance impact on file-heavy workloads. | |
Privileged File Operations
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Setuid/Setgid Bit Set On File | Enabled | Alerts when the setuid or setgid bit is set on a file with chmod. | None | |
System Configuration Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Systemd Unit File Modified* | Disabled | Alerts whenever a systemd unit file is modified by a program other than systemctl. | Can cause a negative performance impact on file-heavy workloads. | |
Network Activity
Lateral Movement
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Network Service Scanner Executed | Enabled | Alerts when common network scanning tools are executed. | None | |
Network Sniffing
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Network Sniffing Program Executed | Enabled | Alerts when a program is executed that allows network capture. | None | |
Process Activity
Abnormal Process Execution
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *New File Executed* | Disabled | Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs. | Can cause a negative performance impact on file-heavy workloads. | |
Compiler Usage
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Compiler Usage | Enabled | Alerts when a program is executed that compiles a binary. | None | |
Debugging
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Process Injection | Enabled | Alerts when a program uses ptrace mechanisms to interact with another process. | None | |
Scheduled Task Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Scheduled Tasks Modified Via File* | Disabled | Alerts when a cron-related file is modified, indicating a change to scheduled job configurations. | Can cause a negative performance impact on file-heavy workloads. | |
| Scheduled Tasks Modified Via Program | Enabled | Alerts when the crontab command is used to modify cron job configurations. | None | |
System Configuration Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Systemctl Usage Detected | Enabled | Alerts when the systemctl command is used to modify systemd units. | None | |
User Activity
Privileged Command Usage
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| User Execution Of su Command | Enabled | Alerts when the 'su' command is executed. | None | |
| User Execution Of sudo Command | Enabled | Alerts when the 'sudo' command is executed. | None | |
Risky Developer Activity
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| Shell Command Executed | Enabled | Alerts when a command is executed by a valid system user via SSH. | None | |
| *User Command History Cleared* | Disabled | Alerts when command line history files are deleted. | Can cause a negative performance impact on file-heavy workloads. | |
| User Login Via SSH | Enabled | Alerts when an interactive shell process is started by a valid system user via SSH. | None | |
User Account Changes
| Detection Name | Default State | Description | Deployment Considerations | ATT&CK Techniques |
|---|---|---|---|---|
| *Account Modification* | Disabled | Alerts when a file related to identity management is modified by a program unrelated to updating existing user information. | Can cause a negative performance impact on file-heavy workloads. | |
| *Password Database Modification* | Disabled | Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information. | Can cause a negative performance impact on file-heavy workloads. | |
| User Account Created Via CLI | Enabled | Alerts when an identity management program is executed by a program other than a package manager. | None | |
| *User Configuration Changes* | Disabled | Alerts when .bash_profile and .bashrc (as well as related files) are modified by an unexpected program. | Can cause a negative performance impact on file-heavy workloads. | |