- Deprecated - CAP_SYS_ADMIN Assigned to Binary
Identifies instances where a binary is granted the CAP_SYS_ADMIN capability. In Linux, the CAP_SYS_ADMIN capability is a powerful and broad capability that allows a process to perform a range of system administration operations, such as mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. The rule identifies previously unknown processes executing with CAP_SYS_ADMIN capabilities through the use of the new terms rule type.
- Identifies activity related to loading kernel modules on Linux via creation of new .ko files in the LKM directory.
- Identifies potentially malicious processes communicating via a port pairing typically not associated with HTTP/HTTPS, for example HTTP over port 8443 or port 440 instead of the traditional ports 80 and 443. Adversaries may change the standard port a protocol uses to bypass filtering or to muddle analysis and parsing of network data.
- Potential Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to deliver malicious code, generally in the form of a browser-side script. This detection rule identifies potentially malicious executions of such browser-side scripts.
- Potential Linux Reverse Connection through Port Knocking
Monitors for a sequence of network activity on atypical ports prior to receiving a single packet on such a non-standard port, which may indicate port knocking activity. Port knocking is a covert method of externally opening ports by sending a sequence of packets to previously closed ports, which adversaries may leverage to discreetly gain access without directly alerting traditional monitoring systems.