List of Detection Categories and their Individual Detections - 4.5.0

This section lists three categories of Detections:

  • Detection Analytics
  • Smart Policy
  • Audit

You can find an overview of each of those categories here.

Note

Any detections listed in italics are disabled by default, and must be manually enabled. To enable a disabled detection, see Adjusting default detections.

Detection Analytics

Below is a list of the detection classes bundled in Detection Analytics, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.

Application Exploitation

Memory Corruption

Memory Marked Executable
Default state: Disabled
Description: Memory is often marked executable in order to allow malicious code to execute when an application is being exploited. Alerts when a program sets heap or stack memory permissions to executable.
Deployment considerations: Can cause false positives for certain application servers. Can introduce a negative performance impact for workloads with many process re-executions.
ATT&CK techniques: T1203, T1106, T1190

Repeated Program Crashes
Default state: Enabled
Description: Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.
Deployment considerations: None
ATT&CK techniques: T1203, T1499.004, T1190

Userfaultfd Usage
Default state: Enabled
Description: Certain Linux functionality is almost exclusively used when exploiting kernel vulnerabilities, usually with the goal of privilege escalation. Alerts when a binary executes the userfaultfd system call.
Deployment considerations: This detection will only alert for kernels that support userfaultfd (kernels 4.3+).
ATT&CK techniques: T1203, T1106, T1068


New File Behavior

New File Executed in Container
Default state: Disabled
Description: As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1190


Unusual Application Behavior

New File Executed in Container
Default state: Disabled
Description: As containers are typically static workloads, this alert could indicate that an attacker has compromised the container and is attempting to install and run a backdoor. Alerts when a file that has been created or modified within 30 minutes is then executed within a container.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1190

Repeated Program Crashes
Default state: Enabled
Description: Repeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault.
Deployment considerations: None
ATT&CK techniques: T1203, T1499.004, T1190

Suspicious Interactive Shell
Default state: Enabled
Description: Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells.
Deployment considerations: None
ATT&CK techniques: T1059.004, T1190

Suspicious Interactive Shell Advanced
Default state: Disabled
Description: Interactive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells, started in a container, or started as a child of a network service that is not SSH.
Deployment considerations: Improves detection of interactive shells, but may result in increased false positives. Can cause a negative performance impact on network-heavy workloads.
ATT&CK techniques: T1059.004, T1190


Persistence

Evading Detection

User Command Logging Evasion
Default state: Disabled
Description: Evading command logging is common practice for attackers, but may also indicate that a legitimate user is performing unauthorized actions or trying to evade policy. Alerts when a change to user command history logging is detected, indicating that a user is attempting to evade command logging.
Deployment considerations: This detection requires uprobe support, present in kernels 3.5+.
ATT&CK techniques: T1070.003


Kernel Backdoors

BPF Program Executed
Default state: Enabled
Description: The loading of a new BPF program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1014, T1562.006, T1547.006

Kernel Module Loaded
Default state: Enabled
Description: Attackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1014, T1547.006


Resource Hijacking

Cryptocurrency Miner Detected
Default state: Enabled
Description: Opportunistic attackers often start cryptocurrency miners after compromising a node or container, usually indicating that the primary motive of the attacker is to hijack processor power. Alerts when a program with a name or arguments commonly associated with cryptocurrency miners is executed.
Deployment considerations: None
ATT&CK techniques: T1496


Userland Backdoors

Suspicious Program Name Executed - Space After File
Default state: Enabled
Description: Attackers may create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name.
Deployment considerations: None
ATT&CK techniques: T1036.006, T1036.004


System Exploitation

Common Kernel Exploitation Methods

Illegal Elevation Of Privileges
Default state: Disabled
Description: Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means.
Deployment considerations: Can issue false positive alerts on nodes with significant workloads.
ATT&CK techniques: T1068

Kernel Exploit
Default state: Enabled
Description: Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to userland.
Deployment considerations: None
ATT&CK techniques: T1212, T1211, T1068

Processor-Level Protections Disabled
Default state: Enabled
Description: SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.
Deployment considerations: This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.
ATT&CK techniques: T1562.001


Container Escapes

Container Escape via Kernel Exploitation
Default state: Enabled
Description: Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container access to node access.
Deployment considerations: None
ATT&CK techniques: T1212, T1211, T1068

RunC Container Escape
Default state: Disabled
Description: Alerts when a modification of the runc binary by a program other than a package manager is detected, as happens with CVE-2019-5736.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1554, T1068

Userland Container Escape
Default state: Enabled
Description: Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.
Deployment considerations: None
ATT&CK techniques: T1068


Privilege Escalation

Illegal Elevation Of Privileges
Default state: Disabled
Description: Kernel privilege escalation exploits commonly enable an unprivileged user to gain root privileges without passing standard gates for privilege changes. Alerts when a program attempts to elevate privileges through unusual means.
Deployment considerations: Can issue false positive alerts on nodes with significant workloads.
ATT&CK techniques: T1068


Tampering of Security Mechanisms

AppArmor Disabled In Kernel
Default state: Enabled
Description: Modification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.
Deployment considerations: If the kernel in use doesn't use AppArmor, an error may be logged for this detection when the sensor starts.
ATT&CK techniques: T1562.001

AppArmor Profile Modified
Default state: Enabled
Description: Attackers may attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session.
Deployment considerations: None
ATT&CK techniques: T1562.001

Processor-Level Protections Disabled
Default state: Enabled
Description: SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.
Deployment considerations: This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.
ATT&CK techniques: T1562.001

SELinux Disabled In Kernel
Default state: Enabled
Description: Modification of certain SELinux attributes can only occur in-kernel, indicating that SELinux has been disabled by a kernel exploit or rootkit. Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts.
Deployment considerations: If the kernel in use doesn't use SELinux, an error may be logged for this detection when the sensor starts.
ATT&CK techniques: T1562.001

SELinux Enforcement Mode Disabled From Userland
Default state: Enabled
Description: Attackers may disable enforcement mode as a precursor to making significant system changes. Alerts when SELinux enforcement mode is disabled.
Deployment considerations: None
ATT&CK techniques: T1562.001


Smart Policy

Below is a list of the detection classes bundled in Smart Policy, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.

File Activity

Changes to System Binaries

Boot Files Modified
Default state: Disabled
Description: If not performed by a trusted source (e.g. package manager or configuration management tool), modification of boot files could be indicative of an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1542.003


Configuration Changes

Root Certificate Store Modified
Default state: Disabled
Description: Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1553.004


Indicator Removal

Log Files Deleted
Default state: Disabled
Description: Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1070.004, T1070.002


New File Behavior

New File Executed
Default state: Disabled
Description: Newly created files from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1190


Privileged File Operations

Setuid/Setgid Bit Set On File
Default state: Enabled
Description: Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls.
Deployment considerations: None
ATT&CK techniques: T1548.001


System Configuration Changes

Systemd Unit File Modified
Default state: Disabled
Description: Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1562.001, T1543.002


Unusual Files Created

Hidden File Created
Default state: Disabled
Description: Attackers often create hidden files as a means of obscuring tools and payloads on a compromised host. Alerts when a hidden file is created by a process associated with an ongoing incident.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1564.001


Network Activity

Discovery

Cloud Metadata API Accessed
Default state: Enabled
Description: Attackers commonly enumerate cloud environment details and gain access to instance credentials by accessing the cloud provider's metadata API. Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1552.005

Network Connection Enumeration Via Program
Default state: Enabled
Description: A common post-exploitation activity for attackers involves discovering adjacent hosts and networks prior to lateral movement. Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1049, T1018


Lateral Movement

Network Service Scanner Executed
Default state: Enabled
Description: An attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning tools are executed.
Deployment considerations: None
ATT&CK techniques: T1046, T1018


Network Service Behavior

Network Service Created
Default state: Disabled
Description: Attackers may start a new network service to provide easy access to a host after compromise. Alerts when a program starts a new network service, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: none listed



Network Sniffing

Network Sniffing Program Executed
Default state: Enabled
Description: An attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture.
Deployment considerations: None
ATT&CK techniques: T1040


Outbound Connections

Remote File Copy Detected
Default state: Enabled
Description: Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1570, T1048.002

Unusual Outbound Connection Detected
Default state: Disabled
Description: Command and control channels and cryptocurrency miners often create new outbound network connections on unusual ports. Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident.
Deployment considerations: Can cause a negative performance impact on network-heavy workloads.
ATT&CK techniques: T1571


Process Activity

Abnormal Process Execution

New File Executed
Default state: Disabled
Description: Newly created files from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1190


Compiler Usage

Compiler Usage
Default state: Disabled
Description: An attacker may compile a custom backdoor or kernel exploit on a node to ensure compatibility with the node. Alerts when a program is executed that compiles a binary.
Deployment considerations: Can cause a decrease in performance for workloads that run build jobs regularly.
ATT&CK techniques: T1027.004


Debugging

Process Injection
Default state: Enabled
Description: Use of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.
Deployment considerations: None
ATT&CK techniques: T1055.008


Discovery

Account Enumeration Via Program
Default state: Enabled
Description: Attackers will often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1087.001, T1069.001, T1069

File and Directory Discovery Via Program
Default state: Enabled
Description: Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1083

Network Configuration Enumeration Via Program
Default state: Enabled
Description: Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1016, T1018

System Information Enumeration Via Program
Default state: Enabled
Description: Attackers will commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations: None
ATT&CK techniques: T1082, T1033


Scheduled Task Changes

Scheduled Tasks Modified Via File
Default state: Disabled
Description: Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when a cron-related file is modified, indicating a change to scheduled job configurations.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1053.003

Scheduled Tasks Modified Via Program
Default state: Enabled
Description: Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the crontab command is used to modify cron job configurations.
Deployment considerations: None
ATT&CK techniques: T1053.003


System Configuration Changes

Systemctl Usage Detected
Default state: Enabled
Description: Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.
Deployment considerations: None
ATT&CK techniques: T1562.001, T1543.002


User Activity

Privileged Command Usage

User Execution Of su Command
Default state: Enabled
Description: Alerts when the 'su' command is executed. Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user.
Deployment considerations: None
ATT&CK techniques: T1548.003

User Execution Of sudo Command
Default state: Enabled
Description: Alerts when the 'sudo' command is executed.
Deployment considerations: None
ATT&CK techniques: T1548.003


Risky Developer Activity

Shell Command Executed
Default state: Disabled
Description: This detection logs commands executed by a valid system user via SSH.
Deployment considerations: Can result in a high volume of notifications.
ATT&CK techniques: T1059.004

User Command History Cleared
Default state: Disabled
Description: Alerts when command line history files are deleted. Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1070.003

User Login Via SSH
Default state: Enabled
Description: Alerts when an interactive shell process is started by a valid system user via SSH.
Deployment considerations: None
ATT&CK techniques: T1078.002, T1078.003, T1059.004


User Account Changes

Account Modification
Default state: Disabled
Description: Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to identity management is modified by a program unrelated to updating existing user information.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1136.001

Password Database Modification
Default state: Disabled
Description: Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1136.001

SSH Authorized Keys Modification
Default state: Disabled
Description: Adding a new SSH public key is a common method for gaining persistent access to a compromised host. Alerts when an attempt to write to a user's SSH authorized_keys file is observed, if the program is already part of an ongoing incident.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1098.004, T1078.003

User Account Created Via CLI
Default state: Enabled
Description: Alerts when an identity management program is executed by a program other than a package manager. Adding a new user is a common step for attackers when establishing persistence on a compromised node.
Deployment considerations: None
ATT&CK techniques: T1136.001

User Configuration Changes
Default state: Disabled
Description: Alerts when .bash_profile and .bashrc (as well as related files) are modified by an unexpected program. These files are often modified as a method of persistence in order to execute a program whenever a user logs in.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1546.004


Audit

Below is a list of the detection classes bundled in Audit, including the individual detections that comprise each detection class. Each detection's corresponding MITRE ATT&CK categories and considerations are also shown.

To avoid generating a large volume of events, Audit detections won't emit events by default, unless the process that caused the event is part of an active incident. To always receive Audit notifications, you will need to both:


File Activity

Changes to System Binaries

Boot Files Modified
Default state: Disabled
Description: If not performed by a trusted source (e.g. package manager or configuration management tool), modification of boot files could be indicative of an attacker modifying the kernel or its options in order to gain persistent access to a host. Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1542.003


Configuration Changes

Root Certificate Store Modified
Default state: Disabled
Description: Modification of the root certificate store could indicate the installation of a rogue certificate authority, enabling interception of network traffic or bypass of code signature verification. Alerts when a system CA certificate store is changed.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1553.004


Indicator Removal

Log Files Deleted
Default state: Disabled
Description: Log deletion not performed by a log management tool could indicate that an attacker is trying to remove indicators of compromise. Alerts on deletion of system log files.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1070.004, T1070.002


Privileged File Operations

Setuid/Setgid Bit Set On File
Default state: Enabled
Description: Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit is set on a file with the chmod family of system calls.
Deployment considerations: None
ATT&CK techniques: T1548.001


System Configuration Changes

Systemd Unit File Modified
Default state: Disabled
Description: Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts whenever a systemd unit file is modified by a program other than systemctl.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1562.001, T1543.002


Network Activity

Lateral Movement

Network Service Scanner Executed
Default state: Enabled
Description: An attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning tools are executed.
Deployment considerations: None
ATT&CK techniques: T1046, T1018


Network Sniffing

Network Sniffing Program Executed
Default state: Enabled
Description: An attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture.
Deployment considerations: None
ATT&CK techniques: T1040


Process Activity

Abnormal Process Execution

New File Executed
Default state: Disabled
Description: Newly created files from sources other than system update programs may be backdoors, kernel exploits, or part of an exploitation chain. Alerts when a file that has been created or modified within 30 minutes is then executed, excluding files created by system update programs.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1190


Compiler Usage

Compiler Usage
Default state: Disabled
Description: An attacker may compile a custom backdoor or kernel exploit on a node to ensure compatibility with the node. Alerts when a program is executed that compiles a binary.
Deployment considerations: Can cause a decrease in performance for workloads that run build jobs regularly.
ATT&CK techniques: T1027.004


Debugging

Process Injection
Default state: Enabled
Description: Use of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.
Deployment considerations: None
ATT&CK techniques: T1055.008


Scheduled Task Changes

Scheduled Tasks Modified Via File
Default state: Disabled
Description: Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when a cron-related file is modified, indicating a change to scheduled job configurations.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1053.003

Scheduled Tasks Modified Via Program
Default state: Enabled
Description: Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the crontab command is used to modify cron job configurations.
Deployment considerations: None
ATT&CK techniques: T1053.003


System Configuration Changes

Systemctl Usage Detected
Default state: Enabled
Description: Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.
Deployment considerations: None
ATT&CK techniques: T1562.001, T1543.002


User Activity

Privileged Command Usage

User Execution Of su Command
Default state: Enabled
Description: Alerts when the 'su' command is executed. Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user.
Deployment considerations: None
ATT&CK techniques: T1548.003

User Execution Of sudo Command
Default state: Enabled
Description: Alerts when the 'sudo' command is executed.
Deployment considerations: None
ATT&CK techniques: T1548.003


Risky Developer Activity

Shell Command Executed
Default state: Disabled
Description: This detection logs commands executed by a valid system user via SSH.
Deployment considerations: Can result in a high volume of notifications.
ATT&CK techniques: T1059.004

User Command History Cleared
Default state: Disabled
Description: Alerts when command line history files are deleted. Deleting the history file is unusual, commonly performed by attackers hiding activity, or by legitimate users intending to evade audit controls.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1070.003

User Login Via SSH
Default state: Enabled
Description: Alerts when an interactive shell process is started by a valid system user via SSH.
Deployment considerations: None
ATT&CK techniques: T1078.002, T1078.003, T1059.004


User Account Changes

Account Modification
Default state: Disabled
Description: Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to identity management is modified by a program unrelated to updating existing user information.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1136.001

Password Database Modification
Default state: Disabled
Description: Attackers may directly modify identity-related files to add a new user to the system. Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1136.001

User Account Created Via CLI
Default state: Enabled
Description: Alerts when an identity management program is executed by a program other than a package manager. Adding a new user is a common step for attackers when establishing persistence on a compromised node.
Deployment considerations: None
ATT&CK techniques: T1136.001

User Configuration Changes
Default state: Disabled
Description: Alerts when .bash_profile and .bashrc (as well as related files) are modified by an unexpected program. These files are often modified as a method of persistence in order to execute a program whenever a user logs in.
Deployment considerations: Can cause a negative performance impact on file-heavy workloads.
ATT&CK techniques: T1546.004