EXPLORE DETECTIONS
Unusual Instance Metadata Service (IMDS) API Request
This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.
Unusual Interactive Shell Launched from System User
This rule detects interactive shells launched from system users. System users typically do not require interactive shells, and their presence may indicate malicious activity.
Unusual Kernel Module Enumeration
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.
Unusual Kill Signal
This rule detects the use of unusual kill signals, specifically kill signals in the range of 32-64, which are not commonly used in standard operations. Rootkits may leverage these signals to conduct certain actions, such as manipulating processes in unexpected ways, potentially escalating privileges or evading detection.
Unusual Kubernetes Sensitive Workload Modification
Detects the creation or modification of several sensitive workloads, such as DaemonSets, Deployments, or CronJobs, by an unusual user agent, source IP and username, which may indicate privilege escalation or unauthorized access within the cluster.
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments
This rule detects the use of the LD_PRELOAD and LD_LIBRARY_PATH environment variables in a command line argument. This behavior is unusual and may indicate an attempt to hijack the execution flow of a process. Threat actors may use this technique to evade defenses, escalate privileges, or maintain persistence on a system.
Unusual Library Load via Python
Detects when a Python process loads an unusual library from within the user's home directory where the file is not a standard .so or .dylib file. This technique has been observed in APT campaigns by the Lazarus Group and Slow Pisces to load malicious payloads.
Unusual Linux Network Activity
Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.
Unusual Linux Network Configuration Discovery
Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
Unusual Linux Network Connection Discovery
Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
Unusual Linux Network Port Activity
Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.
Unusual Linux Process Calling the Metadata Service
Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
Unusual Linux Process Discovery Activity
Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.
Unusual Linux System Information Discovery Activity
Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.
Unusual Linux User Calling the Metadata Service
Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.
Unusual Linux User Discovery Activity
Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.
Unusual Linux Username
A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.
Unusual Login Activity
Identifies an unusually high number of authentication attempts.
Unusual Login via System User
This rule identifies successful logins by system users that are uncommon to authenticate. These users have "nologin" set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to gain unauthorized access to the system.
Unusual Network Activity from a Windows System Binary
Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.
Unusual Network Connection to Suspicious Top Level Domain
This rule monitors for the unusual occurrence of outbound network connections to suspicious top level domains.
Unusual Network Connection to Suspicious Web Service
This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
Unusual Network Connection via DllHost
Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.
Unusual Network Connection via RunDLL32
Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.