EXPLORE DETECTIONS
Kubernetes CronJob/Job Modification
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
Kubernetes Potential Enumeration Activity
Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
Kubernetes Rolebinding Modification
Detects when a Kubernetes Rolebinding is created or modified.
Kubernetes Secrets Enumeration
Detects enumeration of Kubernetes secrets.
Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are Modified or Deleted.
Kubernetes Unauthorized or Unauthenticated Access
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
Legitimate Application Dropped Executable
Detects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk. This may indicate malware staging, process injection, or abuse of a trusted binary for payload delivery.
Legitimate Application Dropped Script
Detects LOLBINs and applications that should not legitimately drop script files to disk. This may indicate malware staging or abuse of a trusted binary for script-based code execution.
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Linux Base64 Encoded Pipe to Shell
Detects suspicious process command line that uses base64 encoded input for execution with a shell
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
Linux Doas Tool Execution
Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
Linux HackTool Execution
Detects known hacktool execution based on image name.
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
Linux Logs Clearing Attempts
Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories. Adversaries often try to clear logs to cover their tracks after performing malicious activities.