Core Detection Coverage
Core coverage maximizes usability and performance, offering a range of detections that work independent of environment characteristics and incur a minimal performance impact regardless of workload.
With the Core set, the goal is for users to receive immediate protection against a broad spectrum of unwanted behavior. Core detections are optimized for working across different environments without user configuration or tuning but still offer a substantial breadth of coverage. Coverage includes system exploitation (including zero-day exploits), remote system access, attacker persistence, container escapes, attackers searching around the system for valuable data, and other activity indicative of an incident.
This document includes information regarding Core detections provided by Sophos. These include the following categories:
- Detection Analytics: Core coverage that detects malicious behavior
- Smart Policy: Provides additional context to incidents without generating false positive alerts for benign behavior
For more information, see Categories of Detections.
Detection Analytics
Application Exploitation
Repeated Program Crashes
Severity: Medium
DescriptionRepeated program crashes could indicate that an attacker is attempting to exploit a memory corruption vulnerability, or that there is a stability issue in the affected application. Alerts when more than 5 instances of an individual program crash via segmentation fault. Deployment considerations
| Attributes
|
Userfaultfd Usage
Severity: High
DescriptionCertain Linux functionality is almost exclusively used when exploiting kernel vulnerabilities, usually with the goal of privilege escalation. Alerts when a binary executes the userfaultfd system call. Deployment considerations
| Attributes
|
Unusual application behavior
Suspicious Interactive Shell
Severity: High
DescriptionInteractive shells are rare occurrences on modern production infrastructure. Alerts when an interactive shell is started with arguments commonly used for reverse shells. Deployment considerations
| Attributes
|
Persistence
Kernel backdoors
BPF Program Executed
Severity: Medium
DescriptionThe loading of a new BPF program could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection. Alerts when a process loads a new privileged BPF program, if the process that is already part of an ongoing incident. Deployment considerations
| Attributes
|
Kernel Module Loaded
Severity: High
DescriptionAttackers commonly load malicious kernel modules (rootkits) to evade detection and maintain persistence on a compromised node. Alerts when a kernel module is loaded, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Resource hijacking
Cryptocurrency Miner Detected
Severity: Medium
DescriptionOpportunistic attackers often start cryptocurrency miners after compromising a node or container, usually indicating that the primary motive of the attacker is to hijack processor power. Alerts when a program with a name or arguments commonly associated with cryptocurrency miners is executed. Deployment considerations
| Attributes
|
Userland backdoors
Suspicious Program Name Executed-Space After File
Severity: Medium
DescriptionAttackers may create or rename malicious binaries to include a space at the end of the name in an effort to impersonate a legitimate system program or service. Alerts when a program is executed with a space after the program name. Deployment considerations
| Attributes
|
System Exploitation
Tampering of security mechanisms
AppArmor Disabled In Kernel
Severity: High
DescriptionModification of certain AppArmor attributes can only occur in-kernel, indicating that AppArmor has been disabled by a kernel exploit or rootkit. Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts. Deployment considerations
| Attributes
|
AppArmor Profile Modified
Severity: Medium
DescriptionAttackers may attempt to disable enforcement of AppArmor profiles as part of evading detection. Alerts when a command for modifying an AppArmor profile is executed, if it was not executed by a user in an SSH session. Deployment considerations
| Attributes
|
SELinux Disabled In Kernel
Severity: High
DescriptionModification of certain SELinux attributes can only occur in-kernel, indicating that SELinux has been disabled by a kernel exploit or rootkit. Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts. Deployment considerations
| Attributes
|
SELinux Enforcement Mode Disabled From Userland
Severity: High
DescriptionAttackers may disable enforcement mode as a precursor to making significant system changes. Alerts when SELinux enforcement mode is disabled. Deployment considerations
| Attributes
|
Container escapes Container Escape via Kernel Exploitation
Severity: High
Description
Alerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Userland Container Escape
Severity: High
Description
Many container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Common kernel exploitation methods
Kernel Exploit
Severity: High
Description
Internal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to userland.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Kernel ROP
Severity: High
Description
Kernel ROP (return-oriented programming) exploits are often used to illegally elevate privileges or bypass other security measures. Alerts when ROP is detected in the kernel, specifically in a call to prepare_kernel_cred which is indicative of an exploit.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.10.0 Minimum sensor version 4.2.0 Supports aarch64 Yes ATT&CK Techniques
Processor-Level Protections Disabled
Severity: High
Description
SMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration.
Deployment considerations
- This detection is not functional for kernels between v4.19 and v5.2 (inclusive) as kernel code changes removed visibility of attempts to modify SMEP/SMAP configuration.
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 No ATT&CK Techniques
Smart Policy
File Activity
Setuid/Setgid Bit Set On File
Severity: Medium
Description
Setting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit's set on a file with the chmod family of system calls.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Network Activity
Lateral movement
Network Service Scanner Executed
Severity: Medium
Description
An attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Network sniffing
Network Sniffing Program Executed
Severity: Medium
Description
An attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Discovery
Cloud Metadata API Accessed
Severity: Medium
Description
Attackers commonly enumerate cloud environment details and gain access to instance credentials by accessing the cloud provider's metadata API. Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Network Connection Enumeration Via Program
Severity: Low
Description
A common post-exploitation activity for attackers involves discovering adjacent hosts and networks prior to lateral movement. Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Outbound connections
Remote File Copy Detected
Severity: Medium
Description
Use of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Process Activity
Debugging
Process Injection
Severity: Medium
Description
Use of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Scheduled task changes
Scheduled Tasks Modified Via Program
Severity: Medium
Description
Modifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the "crontab", "at", or "batch" commands are used to modify scheduled task configurations.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
System configuration changes
Systemctl Usage Detected
Severity: Medium
Description
Changes to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Discovery
Account Enumeration Via Program
Severity: Low
Description
Attackers will often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
File and Directory Discovery Via Program
Severity: Low
Description
Exploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Network Configuration Enumeration Via Program
Severity: Low
Description
Attackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Process Enumeration Via Program
Severity: Low
Description
Attackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
System Information Enumeration Via Program
Severity: Low
Description
Attackers will commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Data collection
Data Archived Via Program
Severity: Low
Description
After gaining access to a system, an attacker may create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Data destruction
Data Destruction Via Program
Severity: Medium
Description
Data destruction performed by a non-trusted process may indicate that an attacker is trying to remove indicators of compromise or disrupt a node. Alerts when common tools for destroying data are used, if the process is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Log daemon tampering
Log Daemon Tampering
Severity: Medium
Description
Attempts to tamper with log daemons may indicate that an attacker is trying to remove indicators of compromise and hide their trails. Alerts when daemon control programs are invoked with specific arguments, if the process is already part of an ongoing incident.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
User Activity
User account changes
User Account Created Via CLI
Severity: High
Description
Adding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Risky developer activity
User Login Via SSH
Severity: Low
Description
Alerts when an interactive shell process is started by a valid system user via SSH.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Privileged command usage
User Execution Of su Command
Severity: Medium
Description
Explicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the 'su' command is executed.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
User Execution Of sudo Command
Severity: Medium
Description
Alerts when the 'sudo' command is executed.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
User execution of unwanted sudo command
Severity: Medium
Description
Some commands run with sudo privileges are rarely used legitimately by system administrators and could indicate an account has been compromised. Alerts when 'sudo' is used to execute privileged commands common to post-exploitation activities.
Deployment considerations
- None
Attributes
Default state Enabled Content versions 4.9.0+ Minimum sensor version 5.0.0 Supports aarch64 Yes ATT&CK Techniques
Container Escape via Kernel Exploitation
Severity: High
DescriptionAlerts when a program uses kernel functions commonly used in container escape exploits, indicating that an attacker is escalating privileges from container-access to node-access. Deployment considerations
| Attributes
|
Userland Container Escape
Severity: High
DescriptionMany container escapes coerce the host to execute an in-container binary, resulting in the attacker gaining full control of the affected node. Alerts when a container-created file is executed from outside a container. Deployment considerations
| Attributes
|
Common kernel exploitation methods
Kernel Exploit
Severity: High
DescriptionInternal kernel functions are not accessible to regular programs, and if called, are a strong indicator that a kernel exploit has executed and that the attacker has full control of the node. Alerts when a kernel function unexpectedly returns to userland. Deployment considerations
| Attributes
|
Kernel ROP
Severity: High
DescriptionKernel ROP (return-oriented programming) exploits are often used to illegally elevate privileges or bypass other security measures. Alerts when ROP is detected in the kernel, specifically in a call to prepare_kernel_cred which is indicative of an exploit. Deployment considerations
| Attributes
|
Processor-Level Protections Disabled
Severity: High
DescriptionSMEP and SMAP are processor-level protections that increase difficulty for kernel exploits to succeed, and disabling these restrictions is a common early step in kernel exploits. Alerts when a program tampers with the kernel SMEP/SMAP configuration. Deployment considerations
| Attributes
|
Smart Policy
File Activity
Setuid/Setgid Bit Set On File
Severity: Medium
DescriptionSetting setuid/setgid bits can be used to provide a persistent method for privilege escalation on a node. Alerts when the setuid or setgid bit's set on a file with the chmod family of system calls. Deployment considerations
| Attributes
|
Network Activity
Lateral movement
Network Service Scanner Executed
Severity: Medium
DescriptionAn attacker or rogue user may use or install these programs to survey connected networks for additional nodes to compromise. Alerts when common network scanning program tools are executed. Deployment considerations
| Attributes
|
Network sniffing
Network Sniffing Program Executed
Severity: Medium
DescriptionAn attacker or rogue user may execute network sniffing commands to capture credentials, PII, or other sensitive information. Alerts when a program is executed that allows network capture. Deployment considerations
| Attributes
|
Discovery
Cloud Metadata API Accessed
Severity: Medium
DescriptionAttackers commonly enumerate cloud environment details and gain access to instance credentials by accessing the cloud provider's metadata API. Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Network Connection Enumeration Via Program
Severity: Low
DescriptionA common post-exploitation activity for attackers involves discovering adjacent hosts and networks prior to lateral movement. Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Outbound connections
Remote File Copy Detected
Severity: Medium
DescriptionUse of file transfer tools could indicate that an attacker is attempting to move toolsets to additional hosts or exfiltrate data to a remote system. Alerts when a program associated with remote file copying is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Process Activity
Debugging
Process Injection
Severity: Medium
DescriptionUse of process injection techniques commonly indicates that a user is debugging a program, but may also indicate that an attacker is reading secrets from or injecting code into other processes. Alerts when a program uses ptrace (debugging) mechanisms to interact with another process. Deployment considerations
| Attributes
|
Scheduled task changes
Scheduled Tasks Modified Via Program
Severity: Medium
DescriptionModifying scheduled tasks is a common method for establishing persistence on a compromised node. Alerts when the "crontab", "at", or "batch" commands are used to modify scheduled task configurations. Deployment considerations
| Attributes
|
System configuration changes
Systemctl Usage Detected
Severity: Medium
DescriptionChanges to systemd units could result in security controls being relaxed or disabled, or the installation of a malicious service. Alerts when the systemctl command is used to modify systemd units. Deployment considerations
| Attributes
|
Discovery
Account Enumeration Via Program
Severity: Low
DescriptionAttackers will often use account enumeration programs to determine their level of access and to see if other users are currently logged in to the node. Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
File and Directory Discovery Via Program
Severity: Low
DescriptionExploring file systems is common post-exploitation behavior for an attacker looking for credentials and data of interest. Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Network Configuration Enumeration Via Program
Severity: Low
DescriptionAttackers can interrogate local network and route information to identify adjacent hosts and networks ahead of lateral movement. Alerts when a program associated with network configuration enumeration is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Process Enumeration Via Program
Severity: Low
DescriptionAttackers often list running programs in order to identify the purpose of a node and whether any security or monitoring tools are in place. Alerts when a program associated with process enumeration is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
System Information Enumeration Via Program
Severity: Low
DescriptionAttackers will commonly execute system enumeration commands to determine Linux kernel and distribution versions and features, often to identify if the node is affected by specific vulnerabilities. Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Data collection
Data Archived Via Program
Severity: Low
DescriptionAfter gaining access to a system, an attacker may create a compressed archive of files to reduce the size of data for exfiltration. Alerts when a data compression program is executed, if the program is already part of an ongoing incident. Deployment considerations
| Attributes
|
Data destruction
Data Destruction Via Program
Severity: Medium
DescriptionData destruction performed by a non-trusted process may indicate that an attacker is trying to remove indicators of compromise or disrupt a node. Alerts when common tools for destroying data are used, if the process is already part of an ongoing incident. Deployment considerations
| Attributes
|
Log daemon tampering
Log Daemon Tampering
Severity: Medium
DescriptionAttempts to tamper with log daemons may indicate that an attacker is trying to remove indicators of compromise and hide their trails. Alerts when daemon control programs are invoked with specific arguments, if the process is already part of an ongoing incident. Deployment considerations
| Attributes
|
User Activity
User account changes
User Account Created Via CLI
Severity: High
DescriptionAdding a new user is a common step for attackers when establishing persistence on a compromised node. Alerts when an identity management program is executed by a program other than a package manager. Deployment considerations
| Attributes
|
Risky developer activity
User Login Via SSH
Severity: Low
DescriptionAlerts when an interactive shell process is started by a valid system user via SSH. Deployment considerations
| Attributes
|
Privileged command usage
User Execution Of su Command
Severity: Medium
DescriptionExplicit escalation to the root user decreases the ability to correlate privileged activity to a specific user. Alerts when the 'su' command is executed. Deployment considerations
| Attributes
|
User Execution Of sudo Command
Severity: Medium
DescriptionAlerts when the 'sudo' command is executed. Deployment considerations
| Attributes
|
User execution of unwanted sudo command
Severity: Medium
DescriptionSome commands run with sudo privileges are rarely used legitimately by system administrators and could indicate an account has been compromised. Alerts when 'sudo' is used to execute privileged commands common to post-exploitation activities. Deployment considerations
| Attributes
|