diff --git a/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go b/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
new file mode 100644
index 0000000000..6d9698c043
--- /dev/null
+++ b/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
@@ -0,0 +1,125 @@
+package fwprovider
+
+import (
+ "context"
+ "crypto/sha256"
+ "fmt"
+ "strings"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+ "github.com/hashicorp/terraform-plugin-framework/attr"
+ "github.com/hashicorp/terraform-plugin-framework/datasource"
+ "github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+
+ "github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
+)
+
+var (
+ _ datasource.DataSourceWithConfigure = &csmThreatsAgentRulesDataSource{}
+)
+
+type csmThreatsAgentRulesDataSource struct {
+ api *datadogV2.CloudWorkloadSecurityApi
+ auth context.Context
+}
+
+type csmThreatsAgentRulesDataSourceModel struct {
+ Id types.String `tfsdk:"id"`
+ AgentRulesIds types.List `tfsdk:"agent_rules_ids"`
+ AgentRules []csmThreatsAgentRuleModel `tfsdk:"agent_rules"`
+}
+
+func NewCSMThreatsAgentRulesDataSource() datasource.DataSource {
+ return &csmThreatsAgentRulesDataSource{}
+}
+
+func (r *csmThreatsAgentRulesDataSource) Configure(_ context.Context, request datasource.ConfigureRequest, _ *datasource.ConfigureResponse) {
+ providerData := request.ProviderData.(*FrameworkProvider)
+ r.api = providerData.DatadogApiInstances.GetCloudWorkloadSecurityApiV2()
+ r.auth = providerData.Auth
+}
+
+func (*csmThreatsAgentRulesDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, response *datasource.MetadataResponse) {
+ response.TypeName = "csm_threats_agent_rules"
+}
+
+func (r *csmThreatsAgentRulesDataSource) Read(ctx context.Context, request datasource.ReadRequest, response *datasource.ReadResponse) {
+ var state csmThreatsAgentRulesDataSourceModel
+ response.Diagnostics.Append(request.Config.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ res, _, err := r.api.ListCSMThreatsAgentRules(r.auth)
+ if err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error while fetching agent rules"))
+ return
+ }
+
+ data := res.GetData()
+ agentRuleIds := make([]string, len(data))
+ agentRules := make([]csmThreatsAgentRuleModel, len(data))
+
+ for idx, agentRule := range res.GetData() {
+ var agentRuleModel csmThreatsAgentRuleModel
+ agentRuleModel.Id = types.StringValue(agentRule.GetId())
+ attributes := agentRule.Attributes
+ agentRuleModel.Name = types.StringValue(attributes.GetName())
+ agentRuleModel.Description = types.StringValue(attributes.GetDescription())
+ agentRuleModel.Enabled = types.BoolValue(attributes.GetEnabled())
+ agentRuleModel.Expression = types.StringValue(*attributes.Expression)
+
+ agentRuleIds[idx] = agentRule.GetId()
+ agentRules[idx] = agentRuleModel
+ }
+
+ stateId := strings.Join(agentRuleIds, "--")
+ state.Id = types.StringValue(computeAgentRulesDataSourceID(&stateId))
+ tfAgentRuleIds, diags := types.ListValueFrom(ctx, types.StringType, agentRuleIds)
+ response.Diagnostics.Append(diags...)
+ state.AgentRulesIds = tfAgentRuleIds
+ state.AgentRules = agentRules
+
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func computeAgentRulesDataSourceID(agentruleIds *string) string {
+ // Key for hashing
+ var b strings.Builder
+ if agentruleIds != nil {
+ b.WriteString(*agentruleIds)
+ }
+ keyStr := b.String()
+ h := sha256.New()
+ h.Write([]byte(keyStr))
+
+ return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+func (*csmThreatsAgentRulesDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, response *datasource.SchemaResponse) {
+ response.Schema = schema.Schema{
+ Description: "Use this data source to retrieve information about existing Agent rules.",
+ Attributes: map[string]schema.Attribute{
+ "id": utils.ResourceIDAttribute(),
+ "agent_rules_ids": schema.ListAttribute{
+ Computed: true,
+ Description: "List of IDs for the Agent rules.",
+ ElementType: types.StringType,
+ },
+ "agent_rules": schema.ListAttribute{
+ Computed: true,
+ Description: "List of Agent rules",
+ ElementType: types.ObjectType{
+ AttrTypes: map[string]attr.Type{
+ "id": types.StringType,
+ "name": types.StringType,
+ "description": types.StringType,
+ "enabled": types.BoolType,
+ "expression": types.StringType,
+ },
+ },
+ },
+ },
+ }
+}
diff --git a/datadog/fwprovider/framework_provider.go b/datadog/fwprovider/framework_provider.go
index adf49dedb9..1d510734ba 100644
--- a/datadog/fwprovider/framework_provider.go
+++ b/datadog/fwprovider/framework_provider.go
@@ -60,6 +60,7 @@ var Resources = []func() resource.Resource{
 NewTeamPermissionSettingResource,
 NewTeamResource,
 NewSecurityMonitoringSuppressionResource,
+ NewCSMThreatsAgentRuleResource,
 NewServiceAccountResource,
 }
@@ -78,6 +79,7 @@ var Datasources = []func() datasource.DataSource{
 NewSensitiveDataScannerGroupOrderDatasource,
 NewDatadogUsersDataSource,
 NewSecurityMonitoringSuppressionDataSource,
+ NewCSMThreatsAgentRulesDataSource,
 }
 // FrameworkProvider struct
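Review bot: `agentRuleModel.Expression = types.StringValue(*attributes.Expression)` in Read dereferences the pointer directly, so a rule whose attributes come back without an `expression` would crash the provider during every plan instead of producing a diagnostic; the resource file reads the same field through the nil-safe getter, and Read should too: `agentRuleModel.Expression = types.StringValue(attributes.GetExpression())`. Read also skips the `utils.CheckForUnparsed` step that the resource applies after each API call, so a list response carrying fields the client could not decode is accepted into state without any warning; adding the same check after `ListCSMThreatsAgentRules` keeps the two code paths consistent. Minor: the loop ranges over `res.GetData()` a second time although `data` already holds that slice, so `for idx, agentRule := range data {` is the intended form.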
diff --git a/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go b/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
new file mode 100644
index 0000000000..270d006cd8
--- /dev/null
+++ b/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
@@ -0,0 +1,229 @@
+package fwprovider
+
+import (
+ "context"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+ "github.com/hashicorp/terraform-plugin-framework/path"
+ "github.com/hashicorp/terraform-plugin-framework/resource"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+
+ "github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
+)
+
+var (
+ _ resource.ResourceWithConfigure = &csmThreatsAgentRuleResource{}
+ _ resource.ResourceWithImportState = &csmThreatsAgentRuleResource{}
+)
+
+type csmThreatsAgentRuleModel struct {
+ Id types.String `tfsdk:"id"`
+ Name types.String `tfsdk:"name"`
+ Description types.String `tfsdk:"description"`
+ Enabled types.Bool `tfsdk:"enabled"`
+ Expression types.String `tfsdk:"expression"`
+}
+
+type csmThreatsAgentRuleResource struct {
+ api *datadogV2.CloudWorkloadSecurityApi
+ auth context.Context
+}
+
+func NewCSMThreatsAgentRuleResource() resource.Resource {
+ return &csmThreatsAgentRuleResource{}
+}
+
+func (r *csmThreatsAgentRuleResource) Metadata(_ context.Context, request resource.MetadataRequest, response *resource.MetadataResponse) {
+ response.TypeName = "csm_threats_agent_rule"
+}
+
+func (r *csmThreatsAgentRuleResource) Configure(_ context.Context, request resource.ConfigureRequest, response *resource.ConfigureResponse) {
+ providerData := request.ProviderData.(*FrameworkProvider)
+ r.api = providerData.DatadogApiInstances.GetCloudWorkloadSecurityApiV2()
+ r.auth = providerData.Auth
+}
+
+func (r *csmThreatsAgentRuleResource) Schema(_ context.Context, _ resource.SchemaRequest, response *resource.SchemaResponse) {
+ response.Schema = schema.Schema{
+ Description: "Provides a Datadog CSM Threats Agent Rule API resource.",
+ Attributes: map[string]schema.Attribute{
+ "id": utils.ResourceIDAttribute(),
+ "name": schema.StringAttribute{
+ Required: true,
+ Description: "The name of the Agent rule.",
+ PlanModifiers: []planmodifier.String{
+ stringplanmodifier.RequiresReplace(),
+ },
+ },
+ "description": schema.StringAttribute{
+ Optional: true,
+ Description: "A description for the Agent rule.",
+ Default: stringdefault.StaticString(""),
+ Computed: true,
+ },
+ "enabled": schema.BoolAttribute{
+ Required: true,
+ Description: "Indicates Whether the Agent rule is enabled.",
+ },
+ "expression": schema.StringAttribute{
+ Required: true,
+ Description: "The SECL expression of the Agent rule",
+ PlanModifiers: []planmodifier.String{
+ stringplanmodifier.RequiresReplace(),
+ },
+ },
+ },
+ }
+}
+
+func (r *csmThreatsAgentRuleResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
+ resource.ImportStatePassthroughID(ctx, path.Root("id"), request, response)
+}
+
+func (r *csmThreatsAgentRuleResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
+ var state csmThreatsAgentRuleModel
+ response.Diagnostics.Append(request.Plan.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ agentRulePayload, err := r.buildCreateCSMThreatsAgentRulePayload(&state)
+ if err != nil {
+ response.Diagnostics.AddError("error while parsing resource", err.Error())
+ }
+
+ res, _, err := r.api.CreateCSMThreatsAgentRule(r.auth, *agentRulePayload)
+ if err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error creating agent rule"))
+ return
+ }
+ if err := utils.CheckForUnparsed(response); err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "response contains unparsed object"))
+ return
+ }
+
+ r.updateStateFromResponse(ctx, &state, &res)
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsAgentRuleResource) Read(ctx context.Context, request resource.ReadRequest, response *resource.ReadResponse) {
+ var state csmThreatsAgentRuleModel
+ response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ agentRuleId := state.Id.ValueString()
+ res, httpResponse, err := r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId)
+ if err != nil {
+ if httpResponse != nil && httpResponse.StatusCode == 404 {
+ response.State.RemoveResource(ctx)
+ return
+ }
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error fetching agent rule"))
+ return
+ }
+ if err := utils.CheckForUnparsed(response); err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "response contains unparsed object"))
+ return
+ }
+
+ r.updateStateFromResponse(ctx, &state, &res)
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsAgentRuleResource) Update(ctx context.Context, request resource.UpdateRequest, response *resource.UpdateResponse) {
+ var state csmThreatsAgentRuleModel
+ response.Diagnostics.Append(request.Plan.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ agentRulePayload, err := r.buildUpdateCSMThreatsAgentRulePayload(&state)
+ if err != nil {
+ response.Diagnostics.AddError("error while parsing resource", err.Error())
+ }
+
+ res, _, err := r.api.UpdateCSMThreatsAgentRule(r.auth, state.Id.ValueString(), *agentRulePayload)
+ if err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error updating agent rule"))
+ return
+ }
+ if err := utils.CheckForUnparsed(response); err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "response contains unparsed object"))
+ return
+ }
+
+ r.updateStateFromResponse(ctx, &state, &res)
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsAgentRuleResource) Delete(ctx context.Context, request resource.DeleteRequest, response *resource.DeleteResponse) {
+ var state csmThreatsAgentRuleModel
+ response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ id := state.Id.ValueString()
+
+ httpResp, err := r.api.DeleteCSMThreatsAgentRule(r.auth, id)
+ if err != nil {
+ if httpResp != nil && httpResp.StatusCode == 404 {
+ return
+ }
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error deleting agent rule"))
+ return
+ }
+}
+
+func (r *csmThreatsAgentRuleResource) buildCreateCSMThreatsAgentRulePayload(state *csmThreatsAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest, error) {
+ _, name, description, enabled, expression := r.extractAgentRuleAttributesFromResource(state)
+
+ attributes := datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{}
+ attributes.Expression = expression
+ attributes.Name = name
+ attributes.Description = description
+ attributes.Enabled = &enabled
+
+ data := datadogV2.NewCloudWorkloadSecurityAgentRuleCreateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
+ return datadogV2.NewCloudWorkloadSecurityAgentRuleCreateRequest(*data), nil
+}
+
+func (r *csmThreatsAgentRuleResource) buildUpdateCSMThreatsAgentRulePayload(state *csmThreatsAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest, error) {
+ agentRuleId, _, description, enabled, _ := r.extractAgentRuleAttributesFromResource(state)
+
+ attributes := datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{}
+ attributes.Description = description
+ attributes.Enabled = &enabled
+
+ data := datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
+ data.Id = &agentRuleId
+ return datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateRequest(*data), nil
+}
+
+func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsAgentRuleModel) (string, string, *string, bool, string) {
+ // Mandatory fields
+ id := state.Id.ValueString()
+ name := state.Name.ValueString()
+ enabled := state.Enabled.ValueBool()
+ expression := state.Expression.ValueString()
+ description := state.Description.ValueStringPointer()
+
+ return id, name, description, enabled, expression
+}
+
+func (r *csmThreatsAgentRuleResource) updateStateFromResponse(ctx context.Context, state *csmThreatsAgentRuleModel, res *datadogV2.CloudWorkloadSecurityAgentRuleResponse) {
+ state.Id = types.StringValue(res.Data.GetId())
+
+ attributes := res.Data.Attributes
+
+ state.Name = types.StringValue(attributes.GetName())
+ state.Description = types.StringValue(attributes.GetDescription())
+ state.Enabled = types.BoolValue(attributes.GetEnabled())
+ state.Expression = types.StringValue(attributes.GetExpression())
+}
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze
new file mode 100644
index 0000000000..b8630797d4
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze
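Review bot: In both Create and Update the `if err != nil` that follows the payload builder records a diagnostic but falls through, so the very next statement would dereference the nil `*agentRulePayload` and panic the provider process; each of those branches needs a `return` after `response.Diagnostics.AddError("error while parsing resource", err.Error())`. Today both builders unconditionally return a nil error, so the panic is latent, but the pattern is copied twice and will bite as soon as validation is added there. Separately, every `utils.CheckForUnparsed(response)` call in Create, Read and Update is handed the framework's own response struct rather than the decoded API payload `res`, so it presumably can never find an unparsed object from the Datadog API; if the helper walks the client response as its name suggests, these should read `utils.CheckForUnparsed(res)`. Because these rules are detection logic that the backend pushes to agents, a partially decoded rule accepted into state without a diagnostic would hide drift in exactly the fields (`expression`, `enabled`) that determine what the agent detects.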
@@ -0,0 +1 @@
+2024-03-14T12:54:12.185366-04:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml
new file mode 100644
index 0000000000..6751e6fece
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml
@@ -0,0 +1,442 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 165 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: | + {"data":{"attributes":{"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","name":"jsgajmagfh"},"type":"agent_rule"}} + form: {} + headers: + Accept: + - application/json + Content-Type: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 420 + uncompressed: false + body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254767,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254767,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 573.160792ms + - id: 1 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 420 + uncompressed: false + body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 188.837667ms + - id: 2 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 420 + uncompressed: false + body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 270.228458ms + - id: 3 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: + - chunked + trailer: {} + content_length: -1 + uncompressed: false + body: 
'{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 157.41925ms + - id: 4 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + 
transfer_encoding: [] + trailer: {} + content_length: 420 + uncompressed: false + body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 217.413125ms + - id: 5 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: + - chunked + trailer: {} + content_length: -1 + uncompressed: false + body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == 
\"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == 
\"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == \"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility 
(nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n 
(chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron 
scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", 
~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n 
\"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bi
n/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation 
attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", 
\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", 
~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 131.34875ms + - id: 6 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: + - 
chunked + trailer: {} + content_length: -1 + uncompressed: false + body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 157.204709ms + - id: 7 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: + - 
chunked + trailer: {} + content_length: -1 + uncompressed: false + body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 133.282208ms + - id: 8 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + 
transfer_encoding: [] + trailer: {} + content_length: 420 + uncompressed: false + body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 150.326625ms + - id: 9 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: + - chunked + trailer: {} + content_length: -1 + uncompressed: false + body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == 
\"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == 
\"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == \"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility 
(nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n 
(chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron 
scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", 
~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n 
\"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bi
n/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation 
attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", 
\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", 
~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 158.481ms + - id: 10 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: + - 
chunked + trailer: {} + content_length: -1 + uncompressed: false + body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 123.345208ms + - id: 11 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - '*/*' + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm + method: DELETE + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: 
[] + trailer: {} + content_length: 0 + uncompressed: false + body: "" + headers: + Content-Type: + - application/json + status: 204 No Content + code: 204 + duration: 273.049167ms + - id: 12 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 44 + uncompressed: false + body: | + {"errors":[{"title":"failed to get rule"}]} + headers: + Content-Type: + - application/json + status: 404 Not Found + code: 404 + duration: 128.301417ms diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze new file mode 100644 index 0000000000..a64e5b2701 --- /dev/null +++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze @@ -0,0 +1 @@ +2024-03-14T12:54:20.016507-04:00 \ No newline at end of file diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml new file mode 100644 index 0000000000..0f5d4ae75e --- /dev/null +++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml 
@@ -0,0 +1,307 @@ +--- +version: 2 +interactions: + - id: 0 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 164 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: | + {"data":{"attributes":{"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","name":"txrpiwrxcp"},"type":"agent_rule"}} + form: {} + headers: + Accept: + - application/json + Content-Type: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + method: POST + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 419 + uncompressed: false + body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260867,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260867,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 622.032292ms + - id: 1 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 419 + uncompressed: false + body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 204.511083ms + - id: 2 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 419 + uncompressed: false + body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 216.713042ms + - id: 3 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 419 + uncompressed: false + body: 
'{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 166.602958ms + - id: 4 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 143 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: | + {"data":{"attributes":{"description":"updated agent rule for terraform provider test","enabled":true},"id":"253-34a-t2k","type":"agent_rule"}} + form: {} + headers: + Accept: + - application/json + Content-Type: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: PATCH + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 456 + uncompressed: false + body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435263631,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 528.792708ms + - id: 5 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: 
{} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 456 + uncompressed: false + body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435263000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 192.504541ms + - id: 6 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 456 + uncompressed: false + body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435263000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: 200 OK + code: 200 + duration: 229.127333ms + - id: 7 + request: + proto: HTTP/1.1 + proto_major: 1 + 
proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - '*/*' + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: DELETE + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 0 + uncompressed: false + body: "" + headers: + Content-Type: + - application/json + status: 204 No Content + code: 204 + duration: 485.813209ms + - id: 8 + request: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + content_length: 0 + transfer_encoding: [] + trailer: {} + host: api.datadoghq.com + remote_addr: "" + request_uri: "" + body: "" + form: {} + headers: + Accept: + - application/json + url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k + method: GET + response: + proto: HTTP/1.1 + proto_major: 1 + proto_minor: 1 + transfer_encoding: [] + trailer: {} + content_length: 44 + uncompressed: false + body: | + {"errors":[{"title":"failed to get rule"}]} + headers: + Content-Type: + - application/json + status: 404 Not Found + code: 404 + duration: 113.42125ms diff --git a/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go b/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go new file mode 100644 index 0000000000..87205d6043 --- /dev/null +++ b/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go 
@@ -0,0 +1,109 @@ +package test + +import ( + "context" + "fmt" + "strconv" + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/terraform" + + "github.com/terraform-providers/terraform-provider-datadog/datadog/fwprovider" +) + +func TestAccCSMThreatsAgentRuleDataSource(t *testing.T) { + ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t) + + agentRuleName := uniqueAgentRuleName(ctx) + dataSourceName := "data.datadog_csm_threats_agent_rules.my_data_source" + agentRuleConfig := fmt.Sprintf(` + resource "datadog_csm_threats_agent_rule" "agent_rule_for_data_source_test" { + name = "%s" + enabled = false + description = "im a rule" + expression = "open.file.name == \"etc/shadow/password\"" + } + `, agentRuleName) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProtoV5ProviderFactories: accProviders, + CheckDestroy: testAccCheckCSMThreatsAgentRuleDestroy(providers.frameworkProvider), + Steps: []resource.TestStep{ + { + // Create an agent rule to have at least one + Config: agentRuleConfig, + Check: testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, "datadog_csm_threats_agent_rule.agent_rule_for_data_source_test"), + }, + { + Config: fmt.Sprintf(` + %s + data "datadog_csm_threats_agent_rules" "my_data_source" {} + `, agentRuleConfig), + Check: checkCSMThreatsAgentRulesDataSourceContent(providers.frameworkProvider, dataSourceName, agentRuleName), + }, + }, + }) +} + +func checkCSMThreatsAgentRulesDataSourceContent(accProvider *fwprovider.FrameworkProvider, dataSourceName string, agentRuleName string) resource.TestCheckFunc { + return func(state *terraform.State) error { + res, ok := state.RootModule().Resources[dataSourceName] + if !ok { + return fmt.Errorf("resource missing from state: %s", dataSourceName) + } + + auth := accProvider.Auth + apiInstances := accProvider.DatadogApiInstances + + 
allAgentRulesResponse, _, err := apiInstances.GetCloudWorkloadSecurityApiV2().ListCSMThreatsAgentRules(auth) + if err != nil { + return err + } + + // Check the agentRule we created is in the API response + agentRuleId := "" + ruleName := "" + for _, rule := range allAgentRulesResponse.GetData() { + if rule.Attributes.GetName() == agentRuleName { + agentRuleId = rule.GetId() + ruleName = rule.Attributes.GetName() + break + } + } + if agentRuleId == "" { + return fmt.Errorf("agent rule with name '%s' not found in API responses", agentRuleName) + } + + // Check that the data_source fetched is correct + resourceAttributes := res.Primary.Attributes + agentRulesIdsCount, err := strconv.Atoi(resourceAttributes["agent_rules_ids.#"]) + if err != nil { + return err + } + agentRulesCount, err := strconv.Atoi(resourceAttributes["agent_rules.#"]) + if err != nil { + return err + } + if agentRulesCount != agentRulesIdsCount { + return fmt.Errorf("the data source contains %d agent rules IDs but %d agent rules", agentRulesIdsCount, agentRulesCount) + } + + // Find in which position is the agent rule we created, and check its values + idx := 0 + for idx < agentRulesIdsCount && resourceAttributes[fmt.Sprintf("agent_rules_ids.%d", idx)] != agentRuleId { + idx++ + } + if idx == len(resourceAttributes) { + return fmt.Errorf("agent rule with ID '%s' not found in data source", agentRuleId) + } + + return resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.name", idx), ruleName), + resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.enabled", idx), "false"), + resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.description", idx), "im a rule"), + resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.expression", idx), "open.file.name == \"etc/shadow/password\""), + )(state) + } +} 
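Review bot: The not-found guard in checkCSMThreatsAgentRulesDataSourceContent compares `idx` with `len(resourceAttributes)`, the size of the whole flattened attribute map, but the search loop stops at `agentRulesIdsCount`, so the guard can never fire and a rule missing from the data source falls through to attribute checks on an index past the end of `agent_rules`, which fails with a misleading "attribute not found" instead of the intended message. The comparison should be `if idx == agentRulesIdsCount {`. Separately, `ruleName` is by construction equal to `agentRuleName` once the loop matches on name, so the first `TestCheckResourceAttr` can use `agentRuleName` directly and the extra variable can go.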
diff --git a/datadog/tests/provider_test.go b/datadog/tests/provider_test.go
index a5e5af0400..26c4f3e0be 100644
--- a/datadog/tests/provider_test.go
+++ b/datadog/tests/provider_test.go
@@ -7,6 +7,7 @@ import (
 "fmt"
 "io"
 "log"
+ "math/rand"
 "net/http"
 "net/url"
 "os"
@@ -53,6 +54,7 @@ var testFiles2EndpointTags = map[string]string{
 "tests/data_source_datadog_apm_retention_filters_order_test": "apm_retention_filters_order",
 "tests/data_source_datadog_application_key_test": "application_keys",
 "tests/data_source_datadog_cloud_workload_security_agent_rules_test": "cloud-workload-security",
+ "tests/data_source_datadog_csm_threats_agent_rules_test": "cloud-workload-security",
 "tests/data_source_datadog_dashboard_list_test": "dashboard-lists",
 "tests/data_source_datadog_dashboard_test": "dashboard",
 "tests/data_source_datadog_hosts_test": "hosts",
@@ -101,6 +103,7 @@ var testFiles2EndpointTags = map[string]string{
 "tests/resource_datadog_child_organization_test": "organization",
 "tests/resource_datadog_cloud_configuration_rule_test": "security-monitoring",
 "tests/resource_datadog_cloud_workload_security_agent_rule_test": "cloud_workload_security",
+ "tests/resource_datadog_csm_threats_agent_rule_test": "cloud-workload-security",
 "tests/resource_datadog_dashboard_alert_graph_test": "dashboards",
 "tests/resource_datadog_dashboard_alert_value_test": "dashboards",
 "tests/resource_datadog_dashboard_change_test": "dashboards",
@@ -415,6 +418,20 @@ func uniqueAWSAccountID(ctx context.Context, t *testing.T) string { return result[:12] } +// uniqueAgentRuleName takes the current/frozen time and uses it to generate a unique agent +// rule name that changes in CI, but is stable locally. +func uniqueAgentRuleName(ctx context.Context) string { + var seededRand *rand.Rand = rand.New(rand.NewSource(clockFromContext(ctx).Now().Unix())) + var charset = "abcdefghijklmnopqrstuvwxyz" + nameLength := 10 + var buf bytes.Buffer + buf.Grow(nameLength) + for i := 0; i < nameLength; i++ { + buf.WriteString(string(charset[seededRand.Intn(len(charset))])) + } + return buf.String() +} + // uniqueAWSAccessKeyID takes uniqueEntityName result, hashes it to get a unique string // and then returns first 16 characters (numerical only), so that the value can be used // as AWS account ID and is still as unique as possible, it changes in CI, but is stable locally diff --git a/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go b/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go new file mode 100644 index 0000000000..e72279646b --- /dev/null +++ b/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go 
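Review bot: uniqueAgentRuleName seeds `math/rand` with only the clock's Unix second, so two tests that call it within the same second while recording (both new test files do) receive the identical name, whereas `uniqueAWSAccountID` just above this hunk takes `t` and derives its value from the test as well. Mixing the test name into the seed, or building on `uniqueEntityName` as the neighbouring helpers do, would keep names unique per test while staying stable under the frozen clock, assuming the recorder freezes the clock per test as the `.freeze` files suggest. Two smaller points: `var seededRand *rand.Rand = rand.New(...)` can be `seededRand := rand.New(rand.NewSource(clockFromContext(ctx).Now().Unix()))`, and `buf.WriteString(string(charset[seededRand.Intn(len(charset))]))` is more directly `buf.WriteByte(charset[seededRand.Intn(len(charset))])`.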
@@ -0,0 +1,120 @@ +package test + +import ( + "context" + "errors" + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/terraform" + + "github.com/terraform-providers/terraform-provider-datadog/datadog/fwprovider" +) + +// Create an agent rule and update its description +func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) { + ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t) + + agentRuleName := uniqueAgentRuleName(ctx) + resourceName := "datadog_csm_threats_agent_rule.agent_rule_test" + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProtoV5ProviderFactories: accProviders, + CheckDestroy: testAccCheckCSMThreatsAgentRuleDestroy(providers.frameworkProvider), + Steps: []resource.TestStep{ + { + Config: fmt.Sprintf(` + resource "datadog_csm_threats_agent_rule" "agent_rule_test" { + name = "%s" + enabled = true + description = "im a rule" + expression = "open.file.name == \"etc/shadow/password\"" + } + `, agentRuleName), + Check: resource.ComposeTestCheckFunc( + testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, "datadog_csm_threats_agent_rule.agent_rule_test"), + checkCSMThreatsAgentRuleContent( + resourceName, + agentRuleName, + "im a rule", + "open.file.name == \"etc/shadow/password\"", + ), + ), + }, + // Update description + { + Config: fmt.Sprintf(` + resource "datadog_csm_threats_agent_rule" "agent_rule_test" { + name = "%s" + enabled = true + description = "updated agent rule for terraform provider test" + expression = "open.file.name == \"etc/shadow/password\"" + } + `, agentRuleName), + Check: resource.ComposeTestCheckFunc( + testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, resourceName), + checkCSMThreatsAgentRuleContent( + resourceName, + agentRuleName, + "updated agent rule for terraform provider test", + "open.file.name == \"etc/shadow/password\"", + ), + ), + 
}, + }, + }) +} + +func checkCSMThreatsAgentRuleContent(resourceName string, name string, description string, expression string) resource.TestCheckFunc { + return resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "name", name), + resource.TestCheckResourceAttr(resourceName, "description", description), + resource.TestCheckResourceAttr(resourceName, "enabled", "true"), + resource.TestCheckResourceAttr(resourceName, "expression", expression), + ) +} + +func testAccCheckCSMThreatsAgentRuleExists(accProvider *fwprovider.FrameworkProvider, resourceName string) resource.TestCheckFunc { + return func(s *terraform.State) error { + resource, ok := s.RootModule().Resources[resourceName] + if !ok { + return fmt.Errorf("resource '%s' not found in the state %s", resourceName, s.RootModule().Resources) + } + + if resource.Type != "datadog_csm_threats_agent_rule" { + return fmt.Errorf("resource %s is not of type datadog_csm_threats_agent_rule, found %s instead", resourceName, resource.Type) + } + + auth := accProvider.Auth + apiInstances := accProvider.DatadogApiInstances + + _, _, err := apiInstances.GetCloudWorkloadSecurityApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID) + if err != nil { + return fmt.Errorf("received an error retrieving agent rule: %s", err) + } + + return nil + } +} + +func testAccCheckCSMThreatsAgentRuleDestroy(accProvider *fwprovider.FrameworkProvider) resource.TestCheckFunc { + return func(s *terraform.State) error { + auth := accProvider.Auth + apiInstances := accProvider.DatadogApiInstances + + for _, resource := range s.RootModule().Resources { + if resource.Type == "datadog_csm_threats_agent_rule" { + _, httpResponse, err := apiInstances.GetCloudWorkloadSecurityApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID) + if err == nil { + return errors.New("agent rule still exists") + } + if httpResponse == nil || httpResponse.StatusCode != 404 { + return fmt.Errorf("received an error while getting the agent rule: 
%s", err) + } + } + } + + return nil + } +} diff --git a/docs/data-sources/csm_threats_agent_rules.md b/docs/data-sources/csm_threats_agent_rules.md new file mode 100644 index 0000000000..6e6e7a0d19 --- /dev/null +++ b/docs/data-sources/csm_threats_agent_rules.md @@ -0,0 +1,33 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "datadog_csm_threats_agent_rules Data Source - terraform-provider-datadog" +subcategory: "" +description: |- + Use this data source to retrieve information about existing Agent rules. +--- + +# datadog_csm_threats_agent_rules (Data Source) + +Use this data source to retrieve information about existing Agent rules. + + + + +## Schema + +### Read-Only + +- `agent_rules` (List of Object) List of Agent rules (see [below for nested schema](#nestedatt--agent_rules)) +- `agent_rules_ids` (List of String) List of IDs for the Agent rules. +- `id` (String) The ID of this resource. + + +### Nested Schema for `agent_rules` + +Read-Only: + +- `description` (String) +- `enabled` (Boolean) +- `expression` (String) +- `id` (String) +- `name` (String) diff --git a/docs/resources/csm_threats_agent_rule.md b/docs/resources/csm_threats_agent_rule.md new file mode 100644 index 0000000000..0db98a372c --- /dev/null +++ b/docs/resources/csm_threats_agent_rule.md 
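Review bot: In testAccCheckCSMThreatsAgentRuleExists and testAccCheckCSMThreatsAgentRuleDestroy the state entry is bound to a local named `resource`, which shadows the imported `helper/resource` package for the rest of each closure; it compiles today only because neither closure calls into that package, and the shadowing will surface as a confusing compile error the first time someone adds a `resource.TestCheckResourceAttr` there. Renaming the local, e.g. `rs, ok := s.RootModule().Resources[resourceName]` in Exists and `for _, rs := range s.RootModule().Resources {` in Destroy, removes the trap. The Exists error also formats the entire `s.RootModule().Resources` map into the message with `%s`; naming only the missing key, `return fmt.Errorf("resource %q not found in state", resourceName)`, keeps the failure output readable.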
@@ -0,0 +1,48 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "datadog_csm_threats_agent_rule Resource - terraform-provider-datadog" +subcategory: "" +description: |- + Provides a Datadog CSM Threats Agent Rule API resource. +--- + +# datadog_csm_threats_agent_rule (Resource) + +Provides a Datadog CSM Threats Agent Rule API resource. + +## Example Usage + +```terraform +resource "datadog_csm_threats_agent_rule" "my_agent_rule" { + name = "my_agent_rule" + enabled = true + description = "im a rule" + expression = "open.file.name == \"etc/shadow/password\"" +} +``` + + +## Schema + +### Required + +- `enabled` (Boolean) Indicates Whether the Agent rule is enabled. +- `expression` (String) The SECL expression of the Agent rule +- `name` (String) The name of the Agent rule. + +### Optional + +- `description` (String) A description for the Agent rule. Defaults to `""`. + +### Read-Only + +- `id` (String) The ID of this resource. + +## Import + +Import is supported using the following syntax: + +```shell +# CSM Agent Rules can be imported using ID. For example: +terraform import datadog_csm_threats_agent_rule.my_agent_rule m0o-hto-lkb +``` diff --git a/examples/resources/datadog_csm_threats_agent_rule/import.sh b/examples/resources/datadog_csm_threats_agent_rule/import.sh new file mode 100644 index 0000000000..b73528c95b --- /dev/null +++ b/examples/resources/datadog_csm_threats_agent_rule/import.sh @@ -0,0 +1,2 @@ +# CSM Agent Rules can be imported using ID. For example: +terraform import datadog_csm_threats_agent_rule.my_agent_rule m0o-hto-lkb \ No newline at end of file diff --git a/examples/resources/datadog_csm_threats_agent_rule/resource.tf b/examples/resources/datadog_csm_threats_agent_rule/resource.tf new file mode 100644 index 0000000000..90e18ab411 --- /dev/null +++ b/examples/resources/datadog_csm_threats_agent_rule/resource.tf 
@@ -0,0 +1,6 @@ +resource "datadog_csm_threats_agent_rule" "my_agent_rule" { + name = "my_agent_rule" + enabled = true + description = "im a rule" + expression = "open.file.name == \"etc/shadow/password\"" +} \ No newline at end of file