diff --git a/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go b/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
index d6e160a1a..b94d3547a 100644
--- a/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
+++ b/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
@@ -25,22 +25,44 @@ type csmThreatsAgentRulesDataSource struct {
}
type csmThreatsAgentRulesDataSourceModel struct {
- Id types.String `tfsdk:"id"`
- AgentRulesIds types.List `tfsdk:"agent_rules_ids"`
- AgentRules []csmThreatsAgentRuleModel `tfsdk:"agent_rules"`
+ PolicyId types.String `tfsdk:"policy_id"`
+ Id types.String `tfsdk:"id"`
+ AgentRulesIds types.List `tfsdk:"agent_rules_ids"`
+ AgentRules []csmThreatsAgentRuleDataSourceModel `tfsdk:"agent_rules"`
+}
+
+type csmThreatsAgentRuleDataSourceModel struct {
+ Id types.String `tfsdk:"id"`
+ Name types.String `tfsdk:"name"`
+ Description types.String `tfsdk:"description"`
+ Enabled types.Bool `tfsdk:"enabled"`
+ Expression types.String `tfsdk:"expression"`
+ ProductTags types.Set `tfsdk:"product_tags"`
}
func NewCSMThreatsAgentRulesDataSource() datasource.DataSource {
return &csmThreatsAgentRulesDataSource{}
}
-func (r *csmThreatsAgentRulesDataSource) Configure(_ context.Context, request datasource.ConfigureRequest, _ *datasource.ConfigureResponse) {
- providerData := request.ProviderData.(*FrameworkProvider)
+func (r *csmThreatsAgentRulesDataSource) Configure(_ context.Context, request datasource.ConfigureRequest, response *datasource.ConfigureResponse) {
+ if request.ProviderData == nil {
+ return
+ }
+
+ providerData, ok := request.ProviderData.(*FrameworkProvider)
+ if !ok {
+ response.Diagnostics.AddError(
+ "Unexpected Resource Configure Type",
+ fmt.Sprintf("Expected *FrameworkProvider, got: %T. Please report this issue to the provider developers.", request.ProviderData),
+ )
+ return
+ }
+
r.api = providerData.DatadogApiInstances.GetCSMThreatsApiV2()
r.auth = providerData.Auth
}
-func (*csmThreatsAgentRulesDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, response *datasource.MetadataResponse) {
+func (r *csmThreatsAgentRulesDataSource) Metadata(_ context.Context, request datasource.MetadataRequest, response *datasource.MetadataResponse) {
response.TypeName = "csm_threats_agent_rules"
}
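Review bot: The new `csmThreatsAgentRuleDataSourceModel` type has no comment explaining why it exists next to the resource's `csmThreatsAgentRuleModel`, which this same commit extends with the very `PolicyId` field the data-source model omits; a reader will assume one of them is stale. Suggest a doc comment on the type such as `// csmThreatsAgentRuleDataSourceModel is one element of agent_rules; it carries no policy_id because the data source takes policy_id at the top level.` The `Metadata` signature change also introduces named parameters `r` and `request` that the body never reads, where the previous `_` placeholders were clearer about intent.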
@@ -51,7 +73,13 @@ func (r *csmThreatsAgentRulesDataSource) Read(ctx context.Context, request datas
return
}
- res, _, err := r.api.ListCSMThreatsAgentRules(r.auth)
+ params := datadogV2.NewListCSMThreatsAgentRulesOptionalParameters()
+ if !state.PolicyId.IsNull() && !state.PolicyId.IsUnknown() {
+ policyId := state.PolicyId.ValueString()
+ params.WithPolicyId(policyId)
+ }
+
+ res, _, err := r.api.ListCSMThreatsAgentRules(r.auth, *params)
if err != nil {
response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error while fetching agent rules"))
return
@@ -59,23 +87,38 @@ func (r *csmThreatsAgentRulesDataSource) Read(ctx context.Context, request datas
data := res.GetData()
agentRuleIds := make([]string, len(data))
- agentRules := make([]csmThreatsAgentRuleModel, len(data))
+ agentRules := make([]csmThreatsAgentRuleDataSourceModel, len(data))
for idx, agentRule := range res.GetData() {
- var agentRuleModel csmThreatsAgentRuleModel
+ var agentRuleModel csmThreatsAgentRuleDataSourceModel
agentRuleModel.Id = types.StringValue(agentRule.GetId())
attributes := agentRule.Attributes
agentRuleModel.Name = types.StringValue(attributes.GetName())
agentRuleModel.Description = types.StringValue(attributes.GetDescription())
agentRuleModel.Enabled = types.BoolValue(attributes.GetEnabled())
agentRuleModel.Expression = types.StringValue(*attributes.Expression)
-
+ tags := attributes.GetProductTags()
+ tagSet := make(map[string]struct{})
+ for _, tag := range tags {
+ tagSet[tag] = struct{}{}
+ }
+ uniqueTags := make([]string, 0, len(tagSet))
+ for tag := range tagSet {
+ uniqueTags = append(uniqueTags, tag)
+ }
+
+ productTags, diags := types.SetValueFrom(ctx, types.StringType, uniqueTags)
+ if diags.HasError() {
+ response.Diagnostics.Append(diags...)
+ continue
+ }
+ agentRuleModel.ProductTags = productTags
agentRuleIds[idx] = agentRule.GetId()
agentRules[idx] = agentRuleModel
}
stateId := strings.Join(agentRuleIds, "--")
- state.Id = types.StringValue(computeAgentRulesDataSourceID(&stateId))
+ state.Id = types.StringValue(computeDataSourceID(&stateId))
tfAgentRuleIds, diags := types.ListValueFrom(ctx, types.StringType, agentRuleIds)
response.Diagnostics.Append(diags...)
state.AgentRulesIds = tfAgentRuleIds
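Review bot: The `continue` after appending the set-conversion diagnostics leaves `agentRuleIds[idx]` as `""` and `agentRules[idx]` as a zero-valued model, and the rest of Read (which continues past this hunk) still joins those IDs and calls `response.State.Set` with the half-filled slice. Since the error is already recorded, `return` is the safer choice: `response.Diagnostics.Append(diags...)` followed by `return`. The dedup through `tagSet` is fine for a set since element order does not matter, but a one-line comment saying so would save the next reader from worrying about map iteration order. Unrelated to the added lines but on the new side, `types.StringValue(*attributes.Expression)` dereferences the pointer directly while the resource's `updateStateFromResponse` uses `attributes.GetExpression()`; the getter form avoids a nil dereference if the API ever omits the field.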
@@ -84,24 +127,20 @@ func (r *csmThreatsAgentRulesDataSource) Read(ctx context.Context, request datas
response.Diagnostics.Append(response.State.Set(ctx, &state)...)
}
-func computeAgentRulesDataSourceID(agentruleIds *string) string {
- // Key for hashing
- var b strings.Builder
- if agentruleIds != nil {
- b.WriteString(*agentruleIds)
- }
- keyStr := b.String()
- h := sha256.New()
- h.Write([]byte(keyStr))
-
- return fmt.Sprintf("%x", h.Sum(nil))
-}
-
func (*csmThreatsAgentRulesDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, response *datasource.SchemaResponse) {
response.Schema = schema.Schema{
Description: "Use this data source to retrieve information about existing Agent rules.",
Attributes: map[string]schema.Attribute{
- "id": utils.ResourceIDAttribute(),
+ // Input
+ "policy_id": schema.StringAttribute{
+ Description: "Listing only the rules in the policy with this field as the ID",
+ Optional: true,
+ },
+ // Output
+ "id": schema.StringAttribute{
+ Description: "The ID of the data source",
+ Computed: true,
+ },
"agent_rules_ids": schema.ListAttribute{
Computed: true,
Description: "List of IDs for the Agent rules.",
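Review bot: The `policy_id` description "Listing only the rules in the policy with this field as the ID" is hard to parse and does not say what happens when the attribute is unset. Suggest `Description: "If set, only the Agent rules that belong to the policy with this ID are listed; otherwise all Agent rules are returned."`, which matches what the Read hunk above does with the optional parameter. The `id` description "The ID of the data source" could likewise note that it is derived from the returned rule IDs, since that is how `computeDataSourceID` builds it.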
@@ -112,14 +151,28 @@ func (*csmThreatsAgentRulesDataSource) Schema(_ context.Context, _ datasource.Sc
Description: "List of Agent rules",
ElementType: types.ObjectType{
AttrTypes: map[string]attr.Type{
- "id": types.StringType,
- "name": types.StringType,
- "description": types.StringType,
- "enabled": types.BoolType,
- "expression": types.StringType,
+ "id": types.StringType,
+ "name": types.StringType,
+ "description": types.StringType,
+ "enabled": types.BoolType,
+ "expression": types.StringType,
+ "product_tags": types.SetType{ElemType: types.StringType},
},
},
},
},
}
}
+
+func computeDataSourceID(ids *string) string {
+ // Key for hashing
+ var b strings.Builder
+ if ids != nil {
+ b.WriteString(*ids)
+ }
+ keyStr := b.String()
+ h := sha256.New()
+ h.Write([]byte(keyStr))
+
+ return fmt.Sprintf("%x", h.Sum(nil))
+}
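Review bot: `computeDataSourceID` builds a `strings.Builder` just to copy one optional string and then streams it through `sha256.New()`, which is three steps for what `sha256.Sum256` does in one; the body can become `var key string`, `if ids != nil { key = *ids }`, `return fmt.Sprintf("%x", sha256.Sum256([]byte(key)))`. Now that the function is shared with the new policies data source (it is called from `data_source_datadog_csm_threats_policy.go` in this same commit), it deserves a doc comment, e.g. `// computeDataSourceID returns the hex SHA-256 of the joined element IDs; a nil pointer hashes as the empty string.` A `*string` parameter is also odd for a value that every caller has as a plain `string`, though changing that touches both callers.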
diff --git a/datadog/fwprovider/data_source_datadog_csm_threats_policy.go b/datadog/fwprovider/data_source_datadog_csm_threats_policy.go
new file mode 100644
index 000000000..b7acd305c
--- /dev/null
+++ b/datadog/fwprovider/data_source_datadog_csm_threats_policy.go
@@ -0,0 +1,117 @@
+package fwprovider
+
+import (
+ "context"
+ "strings"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+ "github.com/hashicorp/terraform-plugin-framework/attr"
+ "github.com/hashicorp/terraform-plugin-framework/datasource"
+ "github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+
+ "github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
+)
+
+var (
+ _ datasource.DataSourceWithConfigure = &csmThreatsPoliciesDataSource{}
+)
+
+type csmThreatsPoliciesDataSource struct {
+ api *datadogV2.CSMThreatsApi
+ auth context.Context
+}
+
+type csmThreatsPoliciesDataSourceModel struct {
+ Id types.String `tfsdk:"id"`
+ PolicyIds types.List `tfsdk:"policy_ids"`
+ Policies []csmThreatsPolicyModel `tfsdk:"policies"`
+}
+
+func NewCSMThreatsPoliciesDataSource() datasource.DataSource {
+ return &csmThreatsPoliciesDataSource{}
+}
+
+func (r *csmThreatsPoliciesDataSource) Configure(_ context.Context, request datasource.ConfigureRequest, _ *datasource.ConfigureResponse) {
+ providerData := request.ProviderData.(*FrameworkProvider)
+ r.api = providerData.DatadogApiInstances.GetCSMThreatsApiV2()
+ r.auth = providerData.Auth
+}
+
+func (*csmThreatsPoliciesDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, response *datasource.MetadataResponse) {
+ response.TypeName = "csm_threats_policies"
+}
+
+func (r *csmThreatsPoliciesDataSource) Read(ctx context.Context, request datasource.ReadRequest, response *datasource.ReadResponse) {
+ var state csmThreatsPoliciesDataSourceModel
+ response.Diagnostics.Append(request.Config.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ res, _, err := r.api.ListCSMThreatsAgentPolicies(r.auth)
+ if err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error while fetching agent rules"))
+ return
+ }
+
+ data := res.GetData()
+ policyIds := make([]string, len(data))
+ policies := make([]csmThreatsPolicyModel, len(data))
+
+ for idx, policy := range res.GetData() {
+ var policyModel csmThreatsPolicyModel
+ policyModel.Id = types.StringValue(policy.GetId())
+ attributes := policy.Attributes
+ policyModel.Name = types.StringValue(attributes.GetName())
+ policyModel.Description = types.StringValue(attributes.GetDescription())
+ policyModel.Enabled = types.BoolValue(attributes.GetEnabled())
+ policyModel.Tags, _ = types.SetValueFrom(ctx, types.StringType, attributes.GetHostTags())
+ policyModel.HostTagsLists, _ = types.SetValueFrom(ctx, types.ListType{
+ ElemType: types.StringType,
+ }, attributes.GetHostTagsLists())
+ policyIds[idx] = policy.GetId()
+ policies[idx] = policyModel
+ }
+
+ stateId := strings.Join(policyIds, "--")
+ state.Id = types.StringValue(computeDataSourceID(&stateId))
+ tfAgentRuleIds, diags := types.ListValueFrom(ctx, types.StringType, policyIds)
+ response.Diagnostics.Append(diags...)
+ state.PolicyIds = tfAgentRuleIds
+ state.Policies = policies
+
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (*csmThreatsPoliciesDataSource) Schema(_ context.Context, _ datasource.SchemaRequest, response *datasource.SchemaResponse) {
+ response.Schema = schema.Schema{
+ Description: "Use this data source to retrieve information about existing policies.",
+ Attributes: map[string]schema.Attribute{
+ "id": utils.ResourceIDAttribute(),
+ "policy_ids": schema.ListAttribute{
+ Computed: true,
+ Description: "List of IDs for the policies.",
+ ElementType: types.StringType,
+ },
+ "policies": schema.ListAttribute{
+ Computed: true,
+ Description: "List of policies",
+ ElementType: types.ObjectType{
+ AttrTypes: map[string]attr.Type{
+ "id": types.StringType,
+ "tags": types.SetType{ElemType: types.StringType},
+ "host_tags_lists": types.SetType{
+ ElemType: types.ListType{
+ ElemType: types.StringType,
+ },
+ },
+ "name": types.StringType,
+ "description": types.StringType,
+ "enabled": types.BoolType,
+ },
+ },
+ },
+ },
+ }
+}
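Review bot: `Configure` performs an unchecked type assertion on `request.ProviderData`, which panics when the framework calls Configure with nil provider data; this same commit hardens the agent-rules data source's Configure against exactly that, so the two should match (the new `csmThreatsPolicyResource.Configure` in `resource_datadog_csm_threats_policy.go` has the same unchecked assertion). The fix below needs `"fmt"` added to this file's import block. Separately, the error message on the list call says "error while fetching agent rules" although this data source fetches policies, the local `tfAgentRuleIds` holds policy IDs, and both `types.SetValueFrom` results in the loop discard their diagnostics with `_` rather than appending them to `response.Diagnostics`.
```go
func (r *csmThreatsPoliciesDataSource) Configure(_ context.Context, request datasource.ConfigureRequest, response *datasource.ConfigureResponse) {
	// The framework may call Configure before provider data is available.
	if request.ProviderData == nil {
		return
	}
	providerData, ok := request.ProviderData.(*FrameworkProvider)
	if !ok {
		response.Diagnostics.AddError(
			"Unexpected Data Source Configure Type",
			fmt.Sprintf("Expected *FrameworkProvider, got: %T. Please report this issue to the provider developers.", request.ProviderData),
		)
		return
	}
	r.api = providerData.DatadogApiInstances.GetCSMThreatsApiV2()
	r.auth = providerData.Auth
}
```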
diff --git a/datadog/fwprovider/framework_provider.go b/datadog/fwprovider/framework_provider.go
index 9c6e6524c..02d73c5c3 100644
--- a/datadog/fwprovider/framework_provider.go
+++ b/datadog/fwprovider/framework_provider.go
@@ -71,7 +71,6 @@ var Resources = []func() resource.Resource{
NewTeamResource,
NewUserRoleResource,
NewSecurityMonitoringSuppressionResource,
- NewCSMThreatsAgentRuleResource,
NewServiceAccountResource,
NewWebhookResource,
NewWebhookCustomVariableResource,
@@ -85,6 +84,8 @@ var Resources = []func() resource.Resource{
NewAppBuilderAppResource,
NewObservabilitPipelineResource,
NewSecurityMonitoringRuleJSONResource,
+ NewCSMThreatsAgentRuleResource,
+ NewCSMThreatsPolicyResource,
}
var Datasources = []func() datasource.DataSource{
@@ -109,7 +110,6 @@ var Datasources = []func() datasource.DataSource{
NewDatadogUsersDataSource,
NewDatadogRoleUsersDataSource,
NewSecurityMonitoringSuppressionDataSource,
- NewCSMThreatsAgentRulesDataSource,
NewLogsPipelinesOrderDataSource,
NewDatadogTeamsDataSource,
NewDatadogActionConnectionDataSource,
@@ -117,6 +117,8 @@ var Datasources = []func() datasource.DataSource{
NewDatadogSyntheticsLocationsDataSource,
NewWorkflowAutomationDataSource,
NewDatadogAppBuilderAppDataSource,
+ NewCSMThreatsAgentRulesDataSource,
+ NewCSMThreatsPoliciesDataSource,
}
// FrameworkProvider struct
diff --git a/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go b/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
index f04ada2d7..2527a53f1 100644
--- a/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
+++ b/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
@@ -2,6 +2,7 @@ package fwprovider
import (
"context"
+ "strings"
"sync"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
@@ -9,7 +10,6 @@ import (
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
- "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
@@ -22,17 +22,19 @@ var (
_ resource.ResourceWithImportState = &csmThreatsAgentRuleResource{}
)
+type csmThreatsAgentRuleResource struct {
+ api *datadogV2.CSMThreatsApi
+ auth context.Context
+}
+
type csmThreatsAgentRuleModel struct {
Id types.String `tfsdk:"id"`
+ PolicyId types.String `tfsdk:"policy_id"`
Name types.String `tfsdk:"name"`
Description types.String `tfsdk:"description"`
Enabled types.Bool `tfsdk:"enabled"`
Expression types.String `tfsdk:"expression"`
-}
-
-type csmThreatsAgentRuleResource struct {
- api *datadogV2.CSMThreatsApi
- auth context.Context
+ ProductTags types.Set `tfsdk:"product_tags"`
}
func NewCSMThreatsAgentRuleResource() resource.Resource {
@@ -54,6 +56,10 @@ func (r *csmThreatsAgentRuleResource) Schema(_ context.Context, _ resource.Schem
Description: "Provides a Datadog CSM Threats Agent Rule API resource.",
Attributes: map[string]schema.Attribute{
"id": utils.ResourceIDAttribute(),
+ "policy_id": schema.StringAttribute{
+ Required: true,
+ Description: "The ID of the agent policy in which the rule is saved",
+ },
"name": schema.StringAttribute{
Required: true,
Description: "The name of the Agent rule.",
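Review bot: `policy_id` is `Required` with no plan modifier, so changing it in config produces an in-place Update that sends the new `PolicyId` in the update payload; unless the API supports moving a rule between policies (I cannot tell from this diff), the rule should instead be recreated, as `expression` already is with `stringplanmodifier.RequiresReplace()` further down in this schema. If that is the intended semantics, add `PlanModifiers: []planmodifier.String{stringplanmodifier.RequiresReplace()},` to the `policy_id` attribute; if in-place moves are supported, a short comment saying so would pre-empt the question. Either way the description could state the import format now expected by `ImportState`, e.g. `"The ID of the agent policy in which the rule is saved. Import uses the form <policy_id>:<rule_id>."`.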
@@ -64,7 +70,6 @@ func (r *csmThreatsAgentRuleResource) Schema(_ context.Context, _ resource.Schem
"description": schema.StringAttribute{
Optional: true,
Description: "A description for the Agent rule.",
- Default: stringdefault.StaticString(""),
Computed: true,
},
"enabled": schema.BoolAttribute{
@@ -78,12 +83,25 @@ func (r *csmThreatsAgentRuleResource) Schema(_ context.Context, _ resource.Schem
stringplanmodifier.RequiresReplace(),
},
},
+ "product_tags": schema.SetAttribute{
+ Optional: true,
+ ElementType: types.StringType,
+ Description: "The list of product tags associated with the rule",
+ Computed: true,
+ },
},
}
}
func (r *csmThreatsAgentRuleResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
- resource.ImportStatePassthroughID(ctx, path.Root("id"), request, response)
+ result := strings.SplitN(request.ID, ":", 2)
+ if len(result) != 2 {
+ response.Diagnostics.AddError("error retrieving policy_id or rule_id from given ID", "")
+ return
+ }
+
+ response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("policy_id"), result[0])...)
+ response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("id"), result[1])...)
}
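Review bot: The new `ImportState` only checks that the split produced two parts, so an ID like `:abc` or `abc:` passes and sets an empty `policy_id` or `id` into state, which the following Read then sends to the API. Tighten the guard to `if len(result) != 2 || result[0] == "" || result[1] == "" {` and give the error a usable detail instead of `""`, e.g. `response.Diagnostics.AddError("invalid import ID", "expected an ID of the form <policy_id>:<rule_id>")`. A doc comment on the method stating the accepted format would also help, since the passthrough it replaces needed none.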
func (r *csmThreatsAgentRuleResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
@@ -93,9 +111,6 @@ func (r *csmThreatsAgentRuleResource) Create(ctx context.Context, request resour
return
}
- csmThreatsMutex.Lock()
- defer csmThreatsMutex.Unlock()
-
agentRulePayload, err := r.buildCreateCSMThreatsAgentRulePayload(&state)
if err != nil {
response.Diagnostics.AddError("error while parsing resource", err.Error())
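Review bot: The `csmThreatsMutex` lock is dropped from Create here and from Update and Delete in the two later hunks of this file, yet the new `csmThreatsPolicyResource` in this same commit still takes that mutex around its own Create/Update/Delete, so rule and policy mutations are no longer serialized against each other. If the lock was only ever there to work around a backend limitation that no longer applies, a one-line note in the commit description or a comment next to the mutex declaration would record that; if it still matters for policy changes, it likely matters for rule changes inside those policies too. The `if err != nil` branch at the end of this hunk continues outside it, so I cannot see whether it returns before `agentRulePayload` is dereferenced; the policy resource's equivalent branch does not.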
@@ -123,7 +138,8 @@ func (r *csmThreatsAgentRuleResource) Read(ctx context.Context, request resource
}
agentRuleId := state.Id.ValueString()
- res, httpResponse, err := r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId)
+ policyId := state.PolicyId.ValueString()
+ res, httpResponse, err := r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId, *datadogV2.NewGetCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
if err != nil {
if httpResponse != nil && httpResponse.StatusCode == 404 {
response.State.RemoveResource(ctx)
@@ -148,9 +164,6 @@ func (r *csmThreatsAgentRuleResource) Update(ctx context.Context, request resour
return
}
- csmThreatsMutex.Lock()
- defer csmThreatsMutex.Unlock()
-
agentRulePayload, err := r.buildUpdateCSMThreatsAgentRulePayload(&state)
if err != nil {
response.Diagnostics.AddError("error while parsing resource", err.Error())
@@ -177,12 +190,9 @@ func (r *csmThreatsAgentRuleResource) Delete(ctx context.Context, request resour
return
}
- csmThreatsMutex.Lock()
- defer csmThreatsMutex.Unlock()
-
id := state.Id.ValueString()
-
- httpResp, err := r.api.DeleteCSMThreatsAgentRule(r.auth, id)
+ policyId := state.PolicyId.ValueString()
+ httpResp, err := r.api.DeleteCSMThreatsAgentRule(r.auth, id, *datadogV2.NewDeleteCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
if err != nil {
if httpResp != nil && httpResp.StatusCode == 404 {
return
@@ -193,39 +203,54 @@ func (r *csmThreatsAgentRuleResource) Delete(ctx context.Context, request resour
}
func (r *csmThreatsAgentRuleResource) buildCreateCSMThreatsAgentRulePayload(state *csmThreatsAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest, error) {
- _, name, description, enabled, expression := r.extractAgentRuleAttributesFromResource(state)
+ _, policyId, name, description, enabled, expression, productTags := r.extractAgentRuleAttributesFromResource(state)
attributes := datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{}
attributes.Expression = expression
attributes.Name = name
attributes.Description = description
attributes.Enabled = &enabled
+ attributes.PolicyId = &policyId
+ attributes.ProductTags = productTags
data := datadogV2.NewCloudWorkloadSecurityAgentRuleCreateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
return datadogV2.NewCloudWorkloadSecurityAgentRuleCreateRequest(*data), nil
}
func (r *csmThreatsAgentRuleResource) buildUpdateCSMThreatsAgentRulePayload(state *csmThreatsAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest, error) {
- agentRuleId, _, description, enabled, _ := r.extractAgentRuleAttributesFromResource(state)
+ agentRuleId, policyId, _, description, enabled, _, productTags := r.extractAgentRuleAttributesFromResource(state)
attributes := datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{}
attributes.Description = description
attributes.Enabled = &enabled
+ attributes.PolicyId = &policyId
+ attributes.ProductTags = productTags
data := datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
data.Id = &agentRuleId
return datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateRequest(*data), nil
}
-func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsAgentRuleModel) (string, string, *string, bool, string) {
+func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsAgentRuleModel) (string, string, string, *string, bool, string, []string) {
// Mandatory fields
id := state.Id.ValueString()
+ policyId := state.PolicyId.ValueString()
name := state.Name.ValueString()
enabled := state.Enabled.ValueBool()
expression := state.Expression.ValueString()
description := state.Description.ValueStringPointer()
+ var productTags []string
+ if !state.ProductTags.IsNull() && !state.ProductTags.IsUnknown() {
+ for _, tag := range state.ProductTags.Elements() {
+ tagStr, ok := tag.(types.String)
+ if !ok {
+ return "", "", "", nil, false, "", nil
+ }
+ productTags = append(productTags, tagStr.ValueString())
+ }
+ }
- return id, name, description, enabled, expression
+ return id, policyId, name, description, enabled, expression, productTags
}
func (r *csmThreatsAgentRuleResource) updateStateFromResponse(ctx context.Context, state *csmThreatsAgentRuleModel, res *datadogV2.CloudWorkloadSecurityAgentRuleResponse) {
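Review bot: On a failed `types.String` assertion `extractAgentRuleAttributesFromResource` returns all-zero values with no error, so `buildCreateCSMThreatsAgentRulePayload` and `buildUpdateCSMThreatsAgentRulePayload` (whose `error` return is otherwise always nil) would send a request with an empty name, expression and policy ID rather than fail; the policy resource's `extractPolicyAttributesFromResource` in this commit returns a descriptive `fmt.Errorf` instead, and this function should follow it. The rewrite below adds an `error` result and threads it through both build functions; `"fmt"` is not visible among this file's imports in the diff, so add it if absent. A doc comment on the three helpers naming the seven (now eight) results in order would also help, as positional returns of this width are easy to misread at the call sites.
```go
func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsAgentRuleModel) (string, string, string, *string, bool, string, []string, error) {
	// … unchanged: id, policyId, name, enabled, expression, description extraction …
	var productTags []string
	if !state.ProductTags.IsNull() && !state.ProductTags.IsUnknown() {
		for _, tag := range state.ProductTags.Elements() {
			tagStr, ok := tag.(types.String)
			if !ok {
				return "", "", "", nil, false, "", nil, fmt.Errorf("expected product_tags item to be of type types.String, got %T", tag)
			}
			productTags = append(productTags, tagStr.ValueString())
		}
	}
	return id, policyId, name, description, enabled, expression, productTags, nil
}

// In buildCreateCSMThreatsAgentRulePayload:
_, policyId, name, description, enabled, expression, productTags, err := r.extractAgentRuleAttributesFromResource(state)
if err != nil {
	return nil, err
}
// … unchanged: attribute assembly …

// In buildUpdateCSMThreatsAgentRulePayload:
agentRuleId, policyId, _, description, enabled, _, productTags, err := r.extractAgentRuleAttributesFromResource(state)
if err != nil {
	return nil, err
}
// … unchanged: attribute assembly …
```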
@@ -237,4 +262,10 @@ func (r *csmThreatsAgentRuleResource) updateStateFromResponse(ctx context.Contex
state.Description = types.StringValue(attributes.GetDescription())
state.Enabled = types.BoolValue(attributes.GetEnabled())
state.Expression = types.StringValue(attributes.GetExpression())
+ tags := attributes.GetProductTags()
+ if len(tags) == 0 && state.ProductTags.IsNull() {
+ state.ProductTags = types.SetNull(types.StringType)
+ } else {
+ state.ProductTags, _ = types.SetValueFrom(ctx, types.StringType, tags)
+ }
}
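Review bot: The `types.SetValueFrom` result's diagnostics are discarded with `_`, and the surrounding `if` that keeps `ProductTags` null when the API returns no tags is not explained, so both read as oversights. Since `updateStateFromResponse` returns nothing, the minimum is a comment on each, e.g. `// Keep a null set null so an unset optional attribute does not become an empty set and show a perpetual diff` on the first branch and `// diagnostics discarded: converting []string to a set of StringType cannot fail` on the second; if the function is later changed to return `diag.Diagnostics`, the discard should go away. The function starts outside this hunk.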
diff --git a/datadog/fwprovider/resource_datadog_csm_threats_policy.go b/datadog/fwprovider/resource_datadog_csm_threats_policy.go
new file mode 100644
index 000000000..768a8dcc4
--- /dev/null
+++ b/datadog/fwprovider/resource_datadog_csm_threats_policy.go
@@ -0,0 +1,275 @@
+package fwprovider
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+ "github.com/hashicorp/terraform-plugin-framework/path"
+ "github.com/hashicorp/terraform-plugin-framework/resource"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+
+ "github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
+)
+
+type csmThreatsPolicyModel struct {
+ Id types.String `tfsdk:"id"`
+ Tags types.Set `tfsdk:"tags"`
+ HostTagsLists types.Set `tfsdk:"host_tags_lists"`
+ Name types.String `tfsdk:"name"`
+ Description types.String `tfsdk:"description"`
+ Enabled types.Bool `tfsdk:"enabled"`
+}
+
+type csmThreatsPolicyResource struct {
+ api *datadogV2.CSMThreatsApi
+ auth context.Context
+}
+
+func NewCSMThreatsPolicyResource() resource.Resource {
+ return &csmThreatsPolicyResource{}
+}
+
+func (r *csmThreatsPolicyResource) Metadata(_ context.Context, request resource.MetadataRequest, response *resource.MetadataResponse) {
+ response.TypeName = "csm_threats_policy"
+}
+
+func (r *csmThreatsPolicyResource) Configure(_ context.Context, request resource.ConfigureRequest, response *resource.ConfigureResponse) {
+ providerData := request.ProviderData.(*FrameworkProvider)
+ r.api = providerData.DatadogApiInstances.GetCSMThreatsApiV2()
+ r.auth = providerData.Auth
+}
+
+func (r *csmThreatsPolicyResource) Schema(_ context.Context, _ resource.SchemaRequest, response *resource.SchemaResponse) {
+ response.Schema = schema.Schema{
+ Description: "Provides a Datadog CSM Threats policy API resource.",
+ Attributes: map[string]schema.Attribute{
+ "id": utils.ResourceIDAttribute(),
+ "name": schema.StringAttribute{
+ Required: true,
+ Description: "The name of the policy.",
+ },
+ "description": schema.StringAttribute{
+ Optional: true,
+ Description: "A description for the policy.",
+ Computed: true,
+ },
+ "enabled": schema.BoolAttribute{
+ Optional: true,
+ Default: booldefault.StaticBool(false),
+ Description: "Indicates whether the policy is enabled.",
+ Computed: true,
+ },
+ "tags": schema.SetAttribute{
+ Optional: true,
+ Description: "Host tags that define where the policy is deployed. Deprecated, use host_tags_lists instead.",
+ ElementType: types.StringType,
+ Computed: true,
+ },
+ "host_tags_lists": schema.SetAttribute{
+ Optional: true,
+ Description: "Host tags that define where the policy is deployed. Inner values are ANDed, outer arrays are ORed.",
+ ElementType: types.ListType{
+ ElemType: types.StringType,
+ },
+ },
+ },
+ }
+}
+
+func (r *csmThreatsPolicyResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
+ resource.ImportStatePassthroughID(ctx, path.Root("id"), request, response)
+}
+
+func (r *csmThreatsPolicyResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
+ var state csmThreatsPolicyModel
+ response.Diagnostics.Append(request.Plan.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ csmThreatsMutex.Lock()
+ defer csmThreatsMutex.Unlock()
+
+ policyPayload, err := r.buildCreateCSMThreatsPolicyPayload(&state)
+ if err != nil {
+ response.Diagnostics.AddError("error while parsing resource", err.Error())
+ }
+
+ res, _, err := r.api.CreateCSMThreatsAgentPolicy(r.auth, *policyPayload)
+ if err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error creating policy"))
+ return
+ }
+ if err := utils.CheckForUnparsed(response); err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "response contains unparsed object"))
+ return
+ }
+
+ r.updateStateFromResponse(ctx, &state, &res)
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsPolicyResource) Read(ctx context.Context, request resource.ReadRequest, response *resource.ReadResponse) {
+ var state csmThreatsPolicyModel
+ response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ policyId := state.Id.ValueString()
+ res, httpResponse, err := r.api.GetCSMThreatsAgentPolicy(r.auth, policyId)
+ if err != nil {
+ if httpResponse != nil && httpResponse.StatusCode == 404 {
+ response.State.RemoveResource(ctx)
+ return
+ }
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error fetching agent policy"))
+ return
+ }
+ if err := utils.CheckForUnparsed(response); err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "response contains unparsed object"))
+ return
+ }
+
+ r.updateStateFromResponse(ctx, &state, &res)
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsPolicyResource) Update(ctx context.Context, request resource.UpdateRequest, response *resource.UpdateResponse) {
+ var state csmThreatsPolicyModel
+ response.Diagnostics.Append(request.Plan.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ csmThreatsMutex.Lock()
+ defer csmThreatsMutex.Unlock()
+
+ policyPayload, err := r.buildUpdateCSMThreatsPolicyPayload(&state)
+ if err != nil {
+ response.Diagnostics.AddError("error while parsing resource", err.Error())
+ }
+
+ res, _, err := r.api.UpdateCSMThreatsAgentPolicy(r.auth, state.Id.ValueString(), *policyPayload)
+ if err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error updating agent rule"))
+ return
+ }
+ if err := utils.CheckForUnparsed(response); err != nil {
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "response contains unparsed object"))
+ return
+ }
+
+ r.updateStateFromResponse(ctx, &state, &res)
+ response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsPolicyResource) Delete(ctx context.Context, request resource.DeleteRequest, response *resource.DeleteResponse) {
+ var state csmThreatsPolicyModel
+ response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+ if response.Diagnostics.HasError() {
+ return
+ }
+
+ csmThreatsMutex.Lock()
+ defer csmThreatsMutex.Unlock()
+
+ id := state.Id.ValueString()
+
+ httpResp, err := r.api.DeleteCSMThreatsAgentPolicy(r.auth, id)
+ if err != nil {
+ if httpResp != nil && httpResp.StatusCode == 404 {
+ return
+ }
+ response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error deleting agent rule"))
+ return
+ }
+}
+
+func (r *csmThreatsPolicyResource) buildCreateCSMThreatsPolicyPayload(state *csmThreatsPolicyModel) (*datadogV2.CloudWorkloadSecurityAgentPolicyCreateRequest, error) {
+ _, name, description, enabled, tags, hostTagsLists, err := r.extractPolicyAttributesFromResource(state)
+ if err != nil {
+ return nil, err
+ }
+
+ attributes := datadogV2.CloudWorkloadSecurityAgentPolicyCreateAttributes{}
+ attributes.Name = name
+ attributes.Description = description
+ attributes.Enabled = enabled
+ attributes.HostTags = tags
+ attributes.HostTagsLists = hostTagsLists
+
+ data := datadogV2.NewCloudWorkloadSecurityAgentPolicyCreateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTPOLICYTYPE_POLICY)
+ return datadogV2.NewCloudWorkloadSecurityAgentPolicyCreateRequest(*data), nil
+}
+
+func (r *csmThreatsPolicyResource) buildUpdateCSMThreatsPolicyPayload(state *csmThreatsPolicyModel) (*datadogV2.CloudWorkloadSecurityAgentPolicyUpdateRequest, error) {
+ policyId, name, description, enabled, tags, hostTagsLists, err := r.extractPolicyAttributesFromResource(state)
+ if err != nil {
+ return nil, err
+ }
+ attributes := datadogV2.CloudWorkloadSecurityAgentPolicyUpdateAttributes{}
+ attributes.Name = &name
+ attributes.Description = description
+ attributes.Enabled = enabled
+ attributes.HostTags = tags
+ attributes.HostTagsLists = hostTagsLists
+
+ data := datadogV2.NewCloudWorkloadSecurityAgentPolicyUpdateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTPOLICYTYPE_POLICY)
+ data.Id = &policyId
+ return datadogV2.NewCloudWorkloadSecurityAgentPolicyUpdateRequest(*data), nil
+}
+
+func (r *csmThreatsPolicyResource) extractPolicyAttributesFromResource(state *csmThreatsPolicyModel) (string, string, *string, *bool, []string, [][]string, error) {
+ // Mandatory fields
+ id := state.Id.ValueString()
+ name := state.Name.ValueString()
+ enabled := state.Enabled.ValueBoolPointer()
+ description := state.Description.ValueStringPointer()
+ var tags []string
+ if !state.Tags.IsNull() && !state.Tags.IsUnknown() {
+ for _, tag := range state.Tags.Elements() {
+ tagStr, ok := tag.(types.String)
+ if !ok {
+ return "", "", nil, nil, nil, nil, fmt.Errorf("expected item to be of type types.String, got %T", tag)
+ }
+ tags = append(tags, tagStr.ValueString())
+ }
+ }
+ var hostTagsLists [][]string
+ if !state.HostTagsLists.IsNull() && !state.HostTagsLists.IsUnknown() {
+ for _, hostTagList := range state.HostTagsLists.Elements() {
+ hostTagListStr, ok := hostTagList.(types.List)
+ if !ok {
+ return "", "", nil, nil, nil, nil, fmt.Errorf("expected item to be of type types.List, got %T", hostTagList)
+ }
+ var tags []string
+ for _, hostTag := range hostTagListStr.Elements() {
+ hostTagStr, ok := hostTag.(types.String)
+ if !ok {
+ return "", "", nil, nil, nil, nil, fmt.Errorf("expected item to be of type types.String, got %T", hostTag)
+ }
+ tags = append(tags, hostTagStr.ValueString())
+ }
+ hostTagsLists = append(hostTagsLists, tags)
+ }
+ }
+ return id, name, description, enabled, tags, hostTagsLists, nil
+}
+
+func (r *csmThreatsPolicyResource) updateStateFromResponse(ctx context.Context, state *csmThreatsPolicyModel, res *datadogV2.CloudWorkloadSecurityAgentPolicyResponse) {
+ state.Id = types.StringValue(res.Data.GetId())
+
+ attributes := res.Data.Attributes
+
+ state.Name = types.StringValue(attributes.GetName())
+ state.Description = types.StringValue(attributes.GetDescription())
+ state.Enabled = types.BoolValue(attributes.GetEnabled())
+ state.Tags, _ = types.SetValueFrom(ctx, types.StringType, attributes.GetHostTags())
+ state.HostTagsLists, _ = types.SetValueFrom(ctx, types.ListType{
+ ElemType: types.StringType,
+ }, attributes.GetHostTagsLists())
+}
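Review bot: In both `Create` and `Update`, the `if err != nil` branch after `buildCreateCSMThreatsPolicyPayload` / `buildUpdateCSMThreatsPolicyPayload` records the error but does not `return`, so the next line dereferences a nil `policyPayload` and panics the provider; add `return` after each `response.Diagnostics.AddError("error while parsing resource", err.Error())`. `Configure` has the same unchecked `*FrameworkProvider` assertion as the new policies data source and should get the nil-and-`ok` guard this commit already adds to the agent-rules data source. The messages "error updating agent rule" and "error deleting agent rule" in Update and Delete are copied from the rule resource and will mislead anyone reading a failed apply for a policy. `updateStateFromResponse` discards both `SetValueFrom` diagnostics with `_`, and `host_tags_lists` is `Optional` without `Computed` although Read always overwrites it from the API response, which can surface as an inconsistent-result error after apply when the user only set `tags`; if that is intentional a comment should say why.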
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze
index b8630797d..f836613a9 100644
--- a/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.freeze
@@ -1 +1 @@
-2024-03-14T12:54:12.185366-04:00
\ No newline at end of file
+2025-05-15T09:45:26.123122+02:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml
index 6751e6fec..597cc90ac 100644
--- a/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRuleDataSource.yaml
@@ -13,30 +13,31 @@ interactions:
remote_addr: ""
request_uri: ""
body: |
- {"data":{"attributes":{"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","name":"jsgajmagfh"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","name":"ztfkbnhtzk"},"type":"agent_rule"}}
form: {}
headers:
Accept:
- application/json
Content-Type:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
method: POST
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
- content_length: 420
- uncompressed: false
- body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254767,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254767,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ content_length: -1
+ uncompressed: true
+ body: |
+ {"data":{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"}}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 573.160792ms
+ duration: 544.87025ms
- id: 1
request:
proto: HTTP/1.1
@@ -53,23 +54,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/55r-kwq-jsc
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
- content_length: 420
- uncompressed: false
- body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ content_length: -1
+ uncompressed: true
+ body: |
+ {"data":{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"}}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 188.837667ms
+ duration: 145.4045ms
- id: 2
request:
proto: HTTP/1.1
@@ -86,23 +88,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/55r-kwq-jsc
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
- content_length: 420
- uncompressed: false
- body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ content_length: -1
+ uncompressed: true
+ body: |
+ {"data":{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"}}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 270.228458ms
+ duration: 143.204667ms
- id: 3
request:
proto: HTTP/1.1
@@ -119,24 +122,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/55r-kwq-jsc
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- transfer_encoding:
- - chunked
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ transfer_encoding: []
trailer: {}
content_length: -1
- uncompressed: false
- body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}'
+ uncompressed: true
+ body: |
+ {"data":{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"}}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 157.41925ms
+ duration: 144.506417ms
- id: 4
request:
proto: HTTP/1.1
@@ -153,23 +156,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
- content_length: 420
- uncompressed: false
- body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ content_length: -1
+ uncompressed: true
+ body: |
+ {"data":[{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"vg6-omq-vv4","attributes":{"version":1,"name":"wawhgdyumt","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295102041,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295102041,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"3yb-106-xrm","attributes":{"version":3,"name":"my_terraform_rule2","description":"my terraform rule","expression":"bind.addr.ip==1.6.1.9","category":"Kernel Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747140640989,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747141373736,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"rtp-dom-1am","attributes":{"version":1,"name":"agent_rule2","description":"My Agent 
rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747062863277,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747062863277,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"1vs-h3p-spa","attributes":{"version":1,"name":"000000bangtestnumber","description":"should_work_with_number","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702433529,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":60000000,"append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5c-vnp-xf2","attributes":{"version":1,"name":"000000bangtest","description":"should_work_with_string","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702410743,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d4v-xci-tzk","attributes":{"version":1,"name":"000000second","description":"ahahaha","expression":"open.file.path in 
[~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743701600763,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"by5-5gy-ajb","attributes":{"version":2,"name":"kernel_module_load","description":"A kernel module was loaded","expression":"load_module.loaded_from_memory == false && load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737734329380,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c5x-fzi-cfu","attributes":{"version":2,"name":"known_dll_registry_key_modified","description":"Windows Known DLLs location registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737044905726,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcw-skn-8l6","attributes":{"version":1,"name":"shell_net_connection","description":"A shell made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980532395,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jwd-mhg-rzc","attributes":{"version":1,"name":"interpreter_outbound_connection","description":"An interpreter made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && process.file.name in [~\"python2*\", ~\"python3*\", \"node\", \"perl\", ~\"ruby*\"]","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980527270,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7k7-mzh-fhj","attributes":{"version":1,"name":"irc_connection","description":"A process made an outbound IRC connection","expression":"connect.addr.port == 6667 && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980517121,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gff-p0p-hzz","attributes":{"version":1,"name":"p2pinfect_connection","description":"A process made a connection to a port associated with P2PInfect malware","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && connect.addr.port >= 60100 && connect.addr.port <= 60150","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980466118,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yh-tmv-2ir","attributes":{"version":1,"name":"socat_shell","description":"Process arguments indicating possible socat shell detected","expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) && exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536410363,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwp-lhw-osb","attributes":{"version":1,"name":"udev_modification","description":"Device rule 
created","expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] && open.flags & O_CREAT > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405283,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"p4u-oh0-avq","attributes":{"version":1,"name":"devshm_execution","description":"A file executed from /dev/shm/ directory","expression":"exec.file.path == \"/dev/shm/**\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jdx-661-6he","attributes":{"version":1,"name":"ssh_nonstandard_connection","description":"SSH initiated a connection on a nonstandard port","expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] && process.file.name == \"ssh\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395054,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozf-woz-u9t","attributes":{"version":2,"name":"libpam_ebpf_hook","description":"Library libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args in [r\"libpam\\.so\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395021,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k02-h52-5kl","attributes":{"version":1,"name":"overwrite_entrypoint","description":"A process attempted to 
overwrite the container entrypoint","expression":"open.file.path == \"/proc/self/fd/1\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0 && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389957,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qwh-aci-cax","attributes":{"version":2,"name":"cron_at_job_creation_open","description":"An unauthorized job was added to cron scheduling","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389882,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cvg-paj-akm","attributes":{"version":2,"name":"cron_at_job_creation_chown","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536379705,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecq-lqb-dko","attributes":{"version":1,"name":"find_credentials","description":"find command searching for sensitive files","expression":"exec.comm == \"find\" && exec.args in [~\"*credentials*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374661,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jig-hjw-dqq","attributes":{"version":1,"name":"webdriver_spawned_shell","description":"Browser WebDriver spawned shell","expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] && exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374638,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cjg-f8o-kp3","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" && process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", 
\"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374597,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-5ct-v09","attributes":{"version":1,"name":"netcat_shell","description":"Process arguments indicating possible netcat shell detected","expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] && ((exec.args_flags in [\"l\"] && exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] && exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536369507,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qyq-78u-ql6","attributes":{"version":1,"name":"cups_spawned_shell","description":"Shell process spawned from print server","expression":"exec.file.name != \"\" && process.parent.file.name == \"foomatic-rip\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364424,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdw-b2j-bpy","attributes":{"version":1,"name":"debugfs_in_container","description":"The debugfs was executed in a container","expression":"exec.comm == \"debugfs\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364396,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dt3-f0b-e8d","attributes":{"version":1,"name":"webapp_imds_V1_request","description":"Web application requested IMDSv1 credentials","expression":"imds.aws.is_imds_v2 == false && imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" && (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359279,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dat-hhr-7xk","attributes":{"version":2,"name":"cron_at_job_creation_link","description":"An unauthorized job was added to cron scheduling","expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-hyn-s1j","attributes":{"version":1,"name":"release_agent_escape","description":"Container escape attempted by overwriting release_agent","expression":"open.file.name == \"release_agent\" && 
open.file.path in [\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354195,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vvo-iqz-sr2","attributes":{"version":1,"name":"file_sync_exfil","description":"The rclone utility was executed","expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354189,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-jbt-ag7","attributes":{"version":1,"name":"unshare_in_container","description":"The unshare utility was executed in a container","expression":"exec.comm == \"unshare\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349072,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rhn-60e-ocl","attributes":{"version":2,"name":"iptables_egress_allowed","description":"Egress traffic allowed using iptables","expression":"exec.comm == \"iptables\" && process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349046,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ol8-rm4-6j5","attributes":{"version":1,"name":"aws_cli_usage","description":"The AWS CLI utility was executed","expression":"exec.file.name == \"aws\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343955,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"956-hlb-btg","attributes":{"version":1,"name":"php_shell","description":"Process arguments indicating possible php shell detected","expression":"exec.file.name == \"php\" && exec.args_flags in [\"r\"] && ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343942,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gu9-82k-92p","attributes":{"version":2,"name":"cron_at_job_creation_chmod","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343900,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oad-qwd-via","attributes":{"version":2,"name":"compile_after_delivery","description":"A compiler wrote a suspicious file in a container","expression":"open.flags & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536323502,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vx6-cyx-ksx","attributes":{"version":1,"name":"openssl_backdoor","description":"openssl used to establish backdoor","expression":"exec.comm == \"openssl\" && exec.args =~ \"*s_client*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318450,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4p-qiy-v1g","attributes":{"version":2,"name":"compiler_in_container","description":"A compiler was executed inside of a container","expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" && exec.args in 
[~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318401,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n17-fnl-a6b","attributes":{"version":1,"name":"mount_in_container","description":"The mount utility was executed in a container","expression":"exec.comm == \"mount\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313319,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylt-39s-jwc","attributes":{"version":2,"name":"cron_at_job_creation_unlink","description":"An unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313305,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyp-ktn-4kd","attributes":{"version":1,"name":"nsenter_in_container","description":"nsenter used to breakout of container","expression":"exec.file.name == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id != \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308211,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mp4-mte-fr7","attributes":{"version":1,"name":"ssh_outbound_connection","description":"A process connected to an SSH server","expression":"connect.addr.port == 22 && connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.ip not in [127.0.0.0/8]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308194,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jix-kop-8dg","attributes":{"version":2,"name":"ransomware_note","description":"Possible ransomware note created under common user directories","expression":"open.flags & O_CREAT > 0\n&& open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n&& open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] && open.file.name not in [r\"\\.lock$\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308136,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x0q-bqb-eo1","attributes":{"version":2,"name":"windows_cryptominer_process","description":"A cryptominer was potentially executed","expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536303070,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"txo-xll-se0","attributes":{"version":2,"name":"suspicious_dll_write","description":"Dll written to a suspicious directory","expression":"create.file.name =~ \"*.dll\" && create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] && process.file.name != \"dockerd.exe\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536297939,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zig-zjk-wem","attributes":{"version":1,"name":"perl_shell","description":"Process arguments indicating possible perl bind shell detected","expression":"exec.file.name == ~\"perl*\" && exec.args_flags in [\"e\"] && ((exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"]) || (exec.args in [~\"*/bin/sh*\", ~\"*/bin/bash*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292914,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qfj-nw1-1zg","attributes":{"version":1,"name":"modified_file_requesting_imds_creds","description":"Recently modified file requested credentials from IMDS","expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" && (process.parent.file.modification_time < 120s || process.file.modification_time < 30s)","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292897,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhp-mh7-pgn","attributes":{"version":2,"name":"cron_at_job_creation_rename","description":"An unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287823,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ers-kyx-kaq","attributes":{"version":2,"name":"cron_at_job_creation_utimes","description":"An unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287800,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjm-2is-v4s","attributes":{"version":1,"name":"tar_execution","description":"Tar archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xhr-7kq-dpo","attributes":{"version":1,"name":"user_deleted_tty","description":"A user was deleted via an interactive session","expression":"exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d0z-hzd-y7v","attributes":{"version":1,"name":"cryptominer_envs","description":"Process environment variables match cryptocurrency miner","expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eav-mud-yh0","attributes":{"version":1,"name":"credential_modified_utimes","description":"Sensitive credential files were modified using a non-standard 
tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g2j-1lc-iub","attributes":{"version":1,"name":"kernel_module_chown","description":"A new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5x8-617-k9v","attributes":{"version":1,"name":"chaussette","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cdy-4sl-0vh","attributes":{"version":1,"name":"dirty_pipe_exploitation","description":"Potential Dirty pipe exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8fk-hlc-jgx","attributes":{"version":1,"name":"registry_hives_file_path_key_modified","description":"Windows registry hives file location key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ggj-tkx-3i5","attributes":{"version":1,"name":"windows_hosts_file_modified","description":"the windows hosts file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmg-jnt-cra","attributes":{"version":1,"name":"kernel_module_link","description":"A new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"b7q-33d-ehp","attributes":{"version":1,"name":"inveigh_tool_usage","description":"Process executed with arguments common with Inveigh tool usage","expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdj-3ys-gul","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" && open.file.name in 
[\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kof-qfg-4z7","attributes":{"version":1,"name":"certutil_usage","description":"Certutil was executed to transmit or decode a potentially malicious file","expression":"exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u0y-4yq-w99","attributes":{"version":1,"name":"pwnkit_privilege_escalation","description":"A process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yyp-3qo-77g","attributes":{"version":1,"name":"pci_11_5_critical_binaries_utimes","description":"Critical system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n 
&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ijj-sdz-ghy","attributes":{"version":1,"name":"nick_new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjg-ztr-xts","attributes":{"version":1,"name":"suspicious_ntdsutil_usage","description":"Suspicious usage of ntdsutil","expression":"exec.file.name == \"ntdsutil.exe\" && exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fqj-dnw-hmo","attributes":{"version":1,"name":"kernel_module_unlink","description":"A new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4nd-g5m-1xh","attributes":{"version":1,"name":"mount_proc_hide","description":"Process hidden using mount","expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wui-ktw-zwv","attributes":{"version":1,"name":"pam_modification_utimes","description":"PAM may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yrc-jyx-l5i","attributes":{"version":1,"name":"tty_shell_in_container","description":"A shell with a TTY was executed in a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqh-8ry-vsb","attributes":{"version":1,"name":"pam_modification_link","description":"PAM may have been modified without authorization","expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n4m-q5y-yhu","attributes":{"version":1,"name":"ssl_certificate_tampering_unlink","description":"SSL certificates may have been tampered with","expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" 
])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8i4-ehq-i3p","attributes":{"version":1,"name":"gcp_imds","description":"An GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fje-48p-1n8","attributes":{"version":1,"name":"ssh_authorized_keys_unlink","description":"SSH modified keys may have been modified","expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luu-gor-cgb","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"89r-spf-prk","attributes":{"version":1,"name":"credential_modified_open_v2","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"490-ewn-i16","attributes":{"version":1,"name":"chatroom_request","description":"A DNS request was made for a chatroom domain","expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzm-iv2-vhs","attributes":{"version":1,"name":"windows_test_default_rule","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pyu-xzd-leo","attributes":{"version":1,"name":"user_created_tty","description":"A user was created via an interactive session","expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in [\"D\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdm-kv0-gca","attributes":{"version":1,"name":"net_file_download","description":"A suspicious file was written by a network utility","expression":"open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5ts-w6u-tfl","attributes":{"version":1,"name":"registry_runkey_modified","description":"A Registry runkey has been modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jgi-rfz-rlb","attributes":{"version":1,"name":"pam_modification_unlink","description":"PAM may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"coy-qpb-suv","attributes":{"version":1,"name":"credential_modified_unlink","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-9tn-irt","attributes":{"version":1,"name":"ssl_certificate_tampering_link","description":"SSL certificates may have been tampered with","expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", 
~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dig-cav-hhc","attributes":{"version":1,"name":"kmod_list","description":"Kernel modules were listed using the kmod command","expression":"exec.comm == \"kmod\" && exec.args in [~\"*list*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jlg-roy-9zx","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The auditd rules file was modified without using auditctl","expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v83-av9-xuy","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rnj-nwd-n5v","attributes":{"version":1,"name":"procdump_usage","description":"Testing a default windows agent rule","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pjn-4hr-bot","attributes":{"version":1,"name":"suspicious_suid_execution","description":"Recently written or modified suid file has been executed","expression":"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-ud8-qzq","attributes":{"version":1,"name":"net_util_exfiltration","description":"Exfiltration attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4jd-zjb-ybo","attributes":{"version":1,"name":"shell_history_symlink","description":"A symbolic link for shell history was created targeting /dev/null","expression":"exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"can-pva-exd","attributes":{"version":1,"name":"suspicious_container_client","description":"A container management utility was executed in a container","expression":"exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bb8-sg5-ful","attributes":{"version":1,"name":"kernel_module_load_container","description":"A 
container loaded a new kernel module","expression":"load_module.name != \"\" && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yzz-sm2-0ff","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chmod","description":"Critical system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nx-gb8-9t4","attributes":{"version":1,"name":"rc_scripts_modified","description":"RC scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"npo-tkf-eex","attributes":{"version":1,"name":"pam_modification_chmod","description":"PAM may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gw4-kqw-q1l","attributes":{"version":1,"name":"new_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atm-kqf-qa2","attributes":{"version":1,"name":"systemd_modification_chmod","description":"A service may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oqc-9gu-uq5","attributes":{"version":1,"name":"ssl_certificate_tampering_utimes","description":"SSL certificates may have been tampered with","expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-7qi-s5j","attributes":{"version":1,"name":"pci_11_5_critical_binaries_unlink","description":"Critical system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bqm-bp1-dpv","attributes":{"version":1,"name":"nsswitch_conf_mod_link","description":"nsswitch may have been modified without authorization","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nah-p3m-dgh","attributes":{"version":1,"name":"database_shell_execution","description":"A database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name == \"initdb\" &&\nexec.args == \"-c locale -a\") 
&&\n!(process.parent.file.name == \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4mm-9uv-w3t","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6q-hmw-lae","attributes":{"version":1,"name":"auditd_config_modified","description":"The auditd configuration file was modified without using auditctl","expression":"open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"brz-yda-nve","attributes":{"version":1,"name":"ssh_authorized_keys_link","description":"SSH modified keys may have been modified","expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4be-qms-wyo","attributes":{"version":1,"name":"windows_update_registry_key_modified","description":"Windows update registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ttl-6wn-1ke","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The configuration directory for an ssh worm","expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n0c-0if-hne","attributes":{"version":1,"name":"nsswitch_conf_mod_chmod","description":"nsswitch may have been modified without authorization","expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ryr-yxl-ilk","attributes":{"version":1,"name":"nsswitch_conf_mod_utimes","description":"nsswitch may have been modified without authorization","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"61g-xow-oup","attributes":{"version":1,"name":"nsswitch_conf_mod_chown","description":"nsswitch may have been modified without authorization","expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"es9-b6s-upq","attributes":{"version":1,"name":"ssl_certificate_tampering_open_v2","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x79-zfs-0ix","attributes":{"version":1,"name":"omigod","description":"Omiagent spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name == \"omiagent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ks-vsd-y6y","attributes":{"version":1,"name":"ssl_certificate_tampering_open","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zb2-wpx-aff","attributes":{"version":1,"name":"new_binary_execution_in_container","description":"A container executed a new binary not found in the container image","expression":"container.id != \"\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k6c-tqa-hjv","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uwk-qfs-oqe","attributes":{"version":1,"name":"kernel_module_chmod","description":"A new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"czs-lbr-7k2","attributes":{"version":1,"name":"ptrace_antidebug","description":"A process uses an anti-debugging technique to block debuggers","expression":"ptrace.request == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpu-wji-3ed","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jch-xfg-uak","attributes":{"version":1,"name":"nsswitch_conf_mod_unlink","description":"nsswitch may have been modified without authorization","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yue-sj6-ucc","attributes":{"version":1,"name":"ssl_certificate_tampering_rename","description":"SSL certificates may have been tampered 
with","expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rp7-w2i-wnj","attributes":{"version":1,"name":"credential_modified_link","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mcj-rg7-foe","attributes":{"version":1,"name":"credential_modified_rename","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yu3-bwu-ji4","attributes":{"version":1,"name":"nick_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":[],"actions":[],"agentConstraint":">= 
7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jcr-yly-myj","attributes":{"version":1,"name":"ssl_certificate_tampering_chown","description":"SSL certificates may have been tampered with","expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llc-wxw-5uh","attributes":{"version":1,"name":"dirty_pipe_attempt","description":"Potential Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x7k-bop-jcu","attributes":{"version":1,"name":"windows_com_rpc_debugging_registry_key_modified","description":"Windows RPC COM debugging registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ypb-aen-wts","attributes":{"version":1,"name":"mount_host_fs","description":"The host file system was mounted in a container","expression":"mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zjd-e62-fkk","attributes":{"version":1,"name":"release_agent_container_breakout","description":"A process attempted to write to the release_agent file of a cgroup, indicating a potential container breakout attempt","expression":"container.id != \"\" && open.file.name == \"release_agent\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1646684459816,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgc-7yd-gpm","attributes":{"version":1,"name":"pci_11_5_critical_binaries_rename","description":"Critical system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bue-96a-bwo","attributes":{"version":1,"name":"pam_modification_rename","description":"PAM may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nue-ulh-gxb","attributes":{"version":1,"name":"aws_imds","description":"An AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", 
~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"55u-gp9-m0k","attributes":{"version":1,"name":"invalid_agent_constraint","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"0.0.0 >= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8og-5of-lw8","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A known kubernetes pentesting tool has been executed","expression":"(exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdj-qws-x9g","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqf-gv4-huh","attributes":{"version":1,"name":"windows_test_default_rule_b","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jji-uaq-xqi","attributes":{"version":1,"name":"net_util_in_container","description":"A network utility was executed in a container","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tj0-f4s-grz","attributes":{"version":1,"name":"pam_modification_chown","description":"PAM may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmg-bkt-mx4","attributes":{"version":1,"name":"exec_whoami","description":"The whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ao4-966-ahr","attributes":{"version":1,"name":"sensitive_tracing","description":"A process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mrk-tku-sbc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chown","description":"Critical system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nk2-hcg-hf5","attributes":{"version":1,"name":"kernel_module_load_from_memory","description":"A kernel module was loaded from memory","expression":"load_module.loaded_from_memory == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hau-g4f-zzo","attributes":{"version":1,"name":"apparmor_modified_tty","description":"An AppArmor profile was modified in an interactive session","expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gp-zoy-gyb","attributes":{"version":1,"name":"runc_leaky_fd","description":"The container breakout CVE-2024-21626 was successful","expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" && chdir.file.path == \"/sys/fs/cgroup\" && process.file.name =~ \"runc.*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wqb-yxc-mtb","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vpa-xoh-cia","attributes":{"version":1,"name":"procdump_execution","description":"A tool used to dump process memory has been executed","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlv-1qs-cjz","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers policy file may have been modified without authorization","expression":"(\n 
(rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"itl-shq-qre","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpl-fno-4u3","attributes":{"version":1,"name":"aws_eks_service_account_token_accessed","description":"The AWS EKS service account token was accessed","expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", 
~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3vq-bya-qsj","attributes":{"version":1,"name":"windows_security_essentials_executable_modified","description":"microsoft security essentials executable modified","expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"08i-pvz-95h","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpx-hnf-bc6","attributes":{"version":1,"name":"critical_registry_export","description":"regedit used to export critical registry hive","expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] && exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aoh-97n-qus","attributes":{"version":1,"name":"redis_save_module","description":"Redis module 
has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqg-9ps-mhw","attributes":{"version":1,"name":"passwd_execution","description":"The passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in [\"S\", \"status\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4r-2xn-ha0","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers policy file may have been modified without authorization","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-x88-p7j","attributes":{"version":1,"name":"kubernetes_dns_enumeration","description":"Kubernetes DNS enumeration","expression":"dns.question.name == 
\"any.any.svc.cluster.local\" && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vma-bsh-4d1","attributes":{"version":1,"name":"kernel_msr_write","description":"A process attempted to enable writing to model-specific registers","expression":"exec.comm == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aed-rue-lpr","attributes":{"version":1,"name":"ip_check_domain","description":"A DNS lookup was done for a IP check service","expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"stp-dwk-4j7","attributes":{"version":1,"name":"delete_system_log","description":"A process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4s4-ezo-w7q","attributes":{"version":1,"name":"dynamic_linker_config_write","description":"A process wrote to a dynamic linker config file","expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdc-uhk-mtc","attributes":{"version":1,"name":"ssh_authorized_keys_open","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgq-fea-q99","attributes":{"version":1,"name":"windows_system_enviroment_variable_registry_key_modified","description":"Windows environment variable registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n9y-2nc-no0","attributes":{"version":1,"name":"dotnet_dump_execution","description":"Dotnet_dump was used to dump a process memory","expression":"exec.cmdline =~ \"*dotnet-dump*\" && exec.cmdline =~ \"*collect*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r3m-72r-y8g","attributes":{"version":1,"name":"shell_history_truncated","description":"Shell History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && open.file.path in [~\"/root/*\", ~\"/home/**\"] && process.file.name == \"truncate\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zqc-vts-wok","attributes":{"version":1,"name":"nsswitch_conf_mod_open","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"usg-zrs-ckt","attributes":{"version":1,"name":"winlogon_registry_key_modified","description":"Windows winlogon registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x4t-j4v-l4r","attributes":{"version":1,"name":"windows_explorer_executable_modified","description":"windows explorer file has been modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9mk-a4g-rb5","attributes":{"version":1,"name":"crackmap_exec_usage","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cqr-wm9-cjl","attributes":{"version":1,"name":"systemd_modification_open","description":"A service may have been modified without authorization","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cxw-5gm-pid","attributes":{"version":1,"name":"curl_docker_socket","description":"The Docker socket was referenced in a cURL command","expression":"exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [~\"*docker.sock*\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpf-aeq-icx","attributes":{"version":1,"name":"ssh_authorized_keys_chown","description":"SSH modified keys may have been modified","expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iqk-ui0-v8c","attributes":{"version":1,"name":"hidden_file_executed","description":"A hidden file was executed in a suspicious folder","expression":"exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s1j-kv4-llt","attributes":{"version":1,"name":"selinux_disable_enforcement","description":"SELinux enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a9j-6xn-afo","attributes":{"version":1,"name":"sliver_c2_implant_execution","description":"process arguments match sliver c2 
implant","expression":"exec.cmdline =~ \"*NoExit *\" && exec.cmdline =~ \"*Command *\" && exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vb1-l7o-skr","attributes":{"version":1,"name":"ssl_certificate_tampering_chmod","description":"SSL certificates may have been tampered with","expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1or-3oo-rag","attributes":{"version":1,"name":"new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qme-vau-bk4","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A web application spawned a shell or shell utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ft-hzb-mpc","attributes":{"version":1,"name":"critical_windows_files_modified","description":"a critical windows file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hbd-kty-ixx","attributes":{"version":1,"name":"kernel_module_utimes","description":"A new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rly-bqo-sg1","attributes":{"version":1,"name":"systemd_modification_utimes","description":"A service may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eda-l1r-hrq","attributes":{"version":1,"name":"relay_attack_tool_execution","description":"Process matches known relay attack tool","expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rbo-40l-grx","attributes":{"version":1,"name":"net_unusual_request","description":"Network utility executed with suspicious URI","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gci-o39-u6v","attributes":{"version":1,"name":"read_kubeconfig","description":"The kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1uw-i6q-m5n","attributes":{"version":1,"name":"nsswitch_conf_mod_rename","description":"nsswitch may have been modified without authorization","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ynr-dvw-x2x","attributes":{"version":1,"name":"ssh_authorized_keys_rename","description":"SSH modified keys may have been modified","expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fme-ym2-lwi","attributes":{"version":1,"name":"systemd_modification_link","description":"A service may have been modified without authorization","expression":"(\n 
(link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tht-nwe-guf","attributes":{"version":1,"name":"k8s_pod_service_account_token_accessed","description":"The Kubernetes pod service account token was accessed","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", 
\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6d-gre-qls","attributes":{"version":1,"name":"service_stop","description":"systemctl used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ljs-qkf-c4r","attributes":{"version":1,"name":"pam_modification_open","description":"PAM may have been 
modified without authorization","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vhj-z63-abi","attributes":{"version":1,"name":"systemd_modification_chown","description":"A service may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pho-wta-zir","attributes":{"version":1,"name":"net_util","description":"A network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m36-fmz-1bi","attributes":{"version":1,"name":"executable_bit_added","description":"The executable bit was added to a newly created file","expression":"chmod.file.in_upper_layer &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH > 0 &&\nprocess.argv in [\"+x\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5j0-kon-1hn","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsw-h1t-p9n","attributes":{"version":1,"name":"suid_file_execution","description":"a SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"da1-a9j-tw9","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers policy file may have 
been modified without authorization","expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4tw-oex-wnc","attributes":{"version":1,"name":"cryptominer_args","description":"A process launched with arguments associated with cryptominers","expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uga-lal-zqb","attributes":{"version":1,"name":"php_spawning_shell","description":"PHP web application spawning shell","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"alv-iwj-sbs","attributes":{"version":1,"name":"systemd_modification_unlink","description":"A service may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nsy-20w-pj6","attributes":{"version":1,"name":"sharpup_tool_usage","description":"sharpup tool used for local privilege escalation","expression":"exec.file.name == \"sharpup.exe\" && exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mam-ir1-532","attributes":{"version":1,"name":"windows_cryptographic_blocking_policy_registry_key_modified","description":"Windows cryptographic blocking policy modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tn9-vck-we9","attributes":{"version":1,"name":"shell_history_deleted","description":"Shell History was Deleted","expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && unlink.file.path in [~\"/root/**\", ~\"/home/**\"] && process.comm not in 
[\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ows-d9p-s2b","attributes":{"version":1,"name":"runc_modification","description":"The runc binary was modified in a non-standard way","expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"on3-qxk-zeh","attributes":{"version":1,"name":"paste_site","description":"A DNS lookup was done for a pastebin-like site","expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdi-lzv-pki","attributes":{"version":1,"name":"azure_imds","description":"An Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qay-zpa-akb","attributes":{"version":1,"name":"rubeus_execution","description":"process arguments match rubeus credential theft tool","expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uty-ayo-tpv","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"icy-i3s-bvd","attributes":{"version":1,"name":"deploy_priv_container","description":"A privileged container was created","expression":"exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6du-s2a-foz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A suspicious bitsadmin command has been executed","expression":"exec.file.name == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dco-vsp-sto","attributes":{"version":1,"name":"ssh_authorized_keys_chmod","description":"SSH modified keys may have been modified","expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyc-tp1-xr1","attributes":{"version":1,"name":"windows_boot_registry_key_modified","description":"Windows boot registry key modified","expression":"set.registry.key_path in 
[~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-cg7-96w","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bft-ikt-sfa","attributes":{"version":1,"name":"registry_service_runkey_modified","description":"Service registry runkey modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ydm-yqo-f9t","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney Tunables (CVE-2023-4911) exploit attempted","expression":"exec.file.mode & S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpy-igs-bcp","attributes":{"version":1,"name":"windows_shell_folders_registry_key_modified","description":"Windows shell folders registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gyj-yid-n02","attributes":{"version":1,"name":"ptrace_injection","description":"A process attempted to inject code into another process","expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxe-vss-47x","attributes":{"version":1,"name":"windows_firewall_configuration_registry_key_modified","description":"Windows firewall configuration registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zxv-eui-tgr","attributes":{"version":1,"name":"auditctl_usage","description":"The 
auditctl command was used to modify auditd","expression":"exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ccs-c0e-kx6","attributes":{"version":1,"name":"minidump_usage","description":"Process memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline =~ \"*MiniDump*\" && exec.cmdline =~ \"*comsvcs*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"we1-nic-zhp","attributes":{"version":1,"name":"base64_decode","description":"The base64 command was used to decode information","expression":"exec.file.name == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mjs-qml-f6e","attributes":{"version":1,"name":"systemd_modification_rename","description":"A service may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"elg-0ho-jjb","attributes":{"version":1,"name":"powershell_empire_uac_bypass","description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dzi-svp-ub2","attributes":{"version":1,"name":"memfd_create","description":"memfd object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path == \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iv0-azx-iwi","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An interactive shell was started inside of a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n 
\"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mgb-ejl-c5b","attributes":{"version":1,"name":"kernel_module_rename","description":"A new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dug-aqp-7zn","attributes":{"version":1,"name":"exec_wrmsr","description":"The wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wrz-nq9-pi8","attributes":{"version":1,"name":"mining_pool_lookup","description":"A process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"01c-hgk-8x3","attributes":{"version":1,"name":"credential_modified_chmod","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ld1-hxu-zdf","attributes":{"version":1,"name":"nick_new_java_detect_with_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"foogazi\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z0y-kio-bf4","attributes":{"version":1,"name":"kernel_module_open","description":"A new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xtf-uqt-mh0","attributes":{"version":1,"name":"common_net_intrusion_util","description":"A network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", 
\"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l5b-qmr-hi6","attributes":{"version":1,"name":"ssh_authorized_keys_utimes","description":"SSH modified keys may have been modified","expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qa1-stp-xpl","attributes":{"version":1,"name":"open_msr_writes","description":"A process opened a model-specific register (MSR) configuration file","expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cwr-kgl-5xs","attributes":{"version":1,"name":"credential_modified_chown","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", 
\"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"am6-icr-cgg","attributes":{"version":1,"name":"package_management_in_container","description":"Package management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esx-z8e-qcs","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot registry modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sdk-dp7-vt0","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A Jupyter notebook executed a shell","expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnz-ezh-lyu","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjo-mdq-mi1","attributes":{"version":1,"name":"dynamic_linker_config_unlink","description":"A process unlinked a dynamic linker config file","expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psf-hiy-3ji","attributes":{"version":1,"name":"scheduled_task_creation","description":"A scheduled task was created","expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] && exec.cmdline =~ \"*create*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6vb-fkj-cdc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ktg-ng9-izk","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory == true && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0qf-cha-qci","attributes":{"version":1,"name":"java_shell_execution_parent","description":"A java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in 
[ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/s
ha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n&& process.parent.file.name in [\"java\", \"jspawnhelper\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gz3-l4z-bzr","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local account groups were enumerated after container start up","expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hob-7or-knu","attributes":{"version":1,"name":"python_cli_code","description":"Python code was provided on the command line","expression":"exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"buh-tbl-6k1","attributes":{"version":1,"name":"pci_11_5_critical_binaries_link","description":"Critical system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521243,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 217.413125ms
+ duration: 278.158458ms
- id: 5
request:
proto: HTTP/1.1
@@ -186,24 +190,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- transfer_encoding:
- - chunked
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ transfer_encoding: []
trailer: {}
content_length: -1
- uncompressed: false
- body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}'
+ uncompressed: true
+ body: |
+ {"data":[{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"vg6-omq-vv4","attributes":{"version":1,"name":"wawhgdyumt","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295102041,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295102041,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"3yb-106-xrm","attributes":{"version":3,"name":"my_terraform_rule2","description":"my terraform rule","expression":"bind.addr.ip==1.6.1.9","category":"Kernel Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747140640989,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747141373736,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"rtp-dom-1am","attributes":{"version":1,"name":"agent_rule2","description":"My Agent 
rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747062863277,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747062863277,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"1vs-h3p-spa","attributes":{"version":1,"name":"000000bangtestnumber","description":"should_work_with_number","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702433529,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":60000000,"append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5c-vnp-xf2","attributes":{"version":1,"name":"000000bangtest","description":"should_work_with_string","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702410743,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d4v-xci-tzk","attributes":{"version":1,"name":"000000second","description":"ahahaha","expression":"open.file.path in 
[~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743701600763,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"by5-5gy-ajb","attributes":{"version":2,"name":"kernel_module_load","description":"A kernel module was loaded","expression":"load_module.loaded_from_memory == false && load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737734329380,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c5x-fzi-cfu","attributes":{"version":2,"name":"known_dll_registry_key_modified","description":"Windows Known DLLs location registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737044905726,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcw-skn-8l6","attributes":{"version":1,"name":"shell_net_connection","description":"A shell made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980532395,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jwd-mhg-rzc","attributes":{"version":1,"name":"interpreter_outbound_connection","description":"An interpreter made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && process.file.name in [~\"python2*\", ~\"python3*\", \"node\", \"perl\", ~\"ruby*\"]","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980527270,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7k7-mzh-fhj","attributes":{"version":1,"name":"irc_connection","description":"A process made an outbound IRC connection","expression":"connect.addr.port == 6667 && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980517121,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gff-p0p-hzz","attributes":{"version":1,"name":"p2pinfect_connection","description":"A process made a connection to a port associated with P2PInfect malware","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && connect.addr.port >= 60100 && connect.addr.port <= 60150","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980466118,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yh-tmv-2ir","attributes":{"version":1,"name":"socat_shell","description":"Process arguments indicating possible socat shell detected","expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) && exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536410363,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwp-lhw-osb","attributes":{"version":1,"name":"udev_modification","description":"Device rule 
created","expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] && open.flags & O_CREAT > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405283,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"p4u-oh0-avq","attributes":{"version":1,"name":"devshm_execution","description":"A file executed from /dev/shm/ directory","expression":"exec.file.path == \"/dev/shm/**\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jdx-661-6he","attributes":{"version":1,"name":"ssh_nonstandard_connection","description":"SSH initiated a connection on a nonstandard port","expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] && process.file.name == \"ssh\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395054,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozf-woz-u9t","attributes":{"version":2,"name":"libpam_ebpf_hook","description":"Library libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args in [r\"libpam\\.so\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395021,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k02-h52-5kl","attributes":{"version":1,"name":"overwrite_entrypoint","description":"A process attempted to 
overwrite the container entrypoint","expression":"open.file.path == \"/proc/self/fd/1\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0 && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389957,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qwh-aci-cax","attributes":{"version":2,"name":"cron_at_job_creation_open","description":"An unauthorized job was added to cron scheduling","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389882,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cvg-paj-akm","attributes":{"version":2,"name":"cron_at_job_creation_chown","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536379705,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecq-lqb-dko","attributes":{"version":1,"name":"find_credentials","description":"find command searching for sensitive files","expression":"exec.comm == \"find\" && exec.args in [~\"*credentials*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374661,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jig-hjw-dqq","attributes":{"version":1,"name":"webdriver_spawned_shell","description":"Browser WebDriver spawned shell","expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] && exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374638,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cjg-f8o-kp3","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" && process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", 
\"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374597,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-5ct-v09","attributes":{"version":1,"name":"netcat_shell","description":"Process arguments indicating possible netcat shell detected","expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] && ((exec.args_flags in [\"l\"] && exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] && exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536369507,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qyq-78u-ql6","attributes":{"version":1,"name":"cups_spawned_shell","description":"Shell process spawned from print server","expression":"exec.file.name != \"\" && process.parent.file.name == \"foomatic-rip\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364424,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdw-b2j-bpy","attributes":{"version":1,"name":"debugfs_in_container","description":"The debugfs was executed in a container","expression":"exec.comm == \"debugfs\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364396,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dt3-f0b-e8d","attributes":{"version":1,"name":"webapp_imds_V1_request","description":"Web application requested IMDSv1 credentials","expression":"imds.aws.is_imds_v2 == false && imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" && (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359279,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dat-hhr-7xk","attributes":{"version":2,"name":"cron_at_job_creation_link","description":"An unauthorized job was added to cron scheduling","expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-hyn-s1j","attributes":{"version":1,"name":"release_agent_escape","description":"Container escape attempted by overwriting release_agent","expression":"open.file.name == \"release_agent\" && 
open.file.path in [\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354195,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vvo-iqz-sr2","attributes":{"version":1,"name":"file_sync_exfil","description":"The rclone utility was executed","expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354189,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-jbt-ag7","attributes":{"version":1,"name":"unshare_in_container","description":"The unshare utility was executed in a container","expression":"exec.comm == \"unshare\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349072,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rhn-60e-ocl","attributes":{"version":2,"name":"iptables_egress_allowed","description":"Egress traffic allowed using iptables","expression":"exec.comm == \"iptables\" && process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349046,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ol8-rm4-6j5","attributes":{"version":1,"name":"aws_cli_usage","description":"The AWS CLI utility was executed","expression":"exec.file.name == \"aws\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343955,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"956-hlb-btg","attributes":{"version":1,"name":"php_shell","description":"Process arguments indicating possible php shell detected","expression":"exec.file.name == \"php\" && exec.args_flags in [\"r\"] && ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343942,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gu9-82k-92p","attributes":{"version":2,"name":"cron_at_job_creation_chmod","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343900,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oad-qwd-via","attributes":{"version":2,"name":"compile_after_delivery","description":"A compiler wrote a suspicious file in a container","expression":"open.flags & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536323502,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vx6-cyx-ksx","attributes":{"version":1,"name":"openssl_backdoor","description":"openssl used to establish backdoor","expression":"exec.comm == \"openssl\" && exec.args =~ \"*s_client*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318450,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4p-qiy-v1g","attributes":{"version":2,"name":"compiler_in_container","description":"A compiler was executed inside of a container","expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" && exec.args in 
[~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318401,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n17-fnl-a6b","attributes":{"version":1,"name":"mount_in_container","description":"The mount utility was executed in a container","expression":"exec.comm == \"mount\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313319,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylt-39s-jwc","attributes":{"version":2,"name":"cron_at_job_creation_unlink","description":"An unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313305,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyp-ktn-4kd","attributes":{"version":1,"name":"nsenter_in_container","description":"nsenter used to breakout of container","expression":"exec.file.name == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id != \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308211,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mp4-mte-fr7","attributes":{"version":1,"name":"ssh_outbound_connection","description":"A process connected to an SSH server","expression":"connect.addr.port == 22 && connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.ip not in [127.0.0.0/8]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308194,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jix-kop-8dg","attributes":{"version":2,"name":"ransomware_note","description":"Possible ransomware note created under common user directories","expression":"open.flags & O_CREAT > 0\n&& open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n&& open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] && open.file.name not in [r\"\\.lock$\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308136,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x0q-bqb-eo1","attributes":{"version":2,"name":"windows_cryptominer_process","description":"A cryptominer was potentially executed","expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536303070,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"txo-xll-se0","attributes":{"version":2,"name":"suspicious_dll_write","description":"Dll written to a suspicious directory","expression":"create.file.name =~ \"*.dll\" && create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] && process.file.name != \"dockerd.exe\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536297939,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zig-zjk-wem","attributes":{"version":1,"name":"perl_shell","description":"Process arguments indicating possible perl bind shell detected","expression":"exec.file.name == ~\"perl*\" && exec.args_flags in [\"e\"] && ((exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"]) || (exec.args in [~\"*/bin/sh*\", ~\"*/bin/bash*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292914,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qfj-nw1-1zg","attributes":{"version":1,"name":"modified_file_requesting_imds_creds","description":"Recently modified file requested credentials from IMDS","expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" && (process.parent.file.modification_time < 120s || process.file.modification_time < 30s)","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292897,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhp-mh7-pgn","attributes":{"version":2,"name":"cron_at_job_creation_rename","description":"An unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287823,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ers-kyx-kaq","attributes":{"version":2,"name":"cron_at_job_creation_utimes","description":"An unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287800,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjm-2is-v4s","attributes":{"version":1,"name":"tar_execution","description":"Tar archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xhr-7kq-dpo","attributes":{"version":1,"name":"user_deleted_tty","description":"A user was deleted via an interactive session","expression":"exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d0z-hzd-y7v","attributes":{"version":1,"name":"cryptominer_envs","description":"Process environment variables match cryptocurrency miner","expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eav-mud-yh0","attributes":{"version":1,"name":"credential_modified_utimes","description":"Sensitive credential files were modified using a non-standard 
tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g2j-1lc-iub","attributes":{"version":1,"name":"kernel_module_chown","description":"A new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5x8-617-k9v","attributes":{"version":1,"name":"chaussette","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cdy-4sl-0vh","attributes":{"version":1,"name":"dirty_pipe_exploitation","description":"Potential Dirty pipe exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8fk-hlc-jgx","attributes":{"version":1,"name":"registry_hives_file_path_key_modified","description":"Windows registry hives file location key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ggj-tkx-3i5","attributes":{"version":1,"name":"windows_hosts_file_modified","description":"the windows hosts file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmg-jnt-cra","attributes":{"version":1,"name":"kernel_module_link","description":"A new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"b7q-33d-ehp","attributes":{"version":1,"name":"inveigh_tool_usage","description":"Process executed with arguments common with Inveigh tool usage","expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdj-3ys-gul","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" && open.file.name in 
[\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kof-qfg-4z7","attributes":{"version":1,"name":"certutil_usage","description":"Certutil was executed to transmit or decode a potentially malicious file","expression":"exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u0y-4yq-w99","attributes":{"version":1,"name":"pwnkit_privilege_escalation","description":"A process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yyp-3qo-77g","attributes":{"version":1,"name":"pci_11_5_critical_binaries_utimes","description":"Critical system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n 
&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ijj-sdz-ghy","attributes":{"version":1,"name":"nick_new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjg-ztr-xts","attributes":{"version":1,"name":"suspicious_ntdsutil_usage","description":"Suspicious usage of ntdsutil","expression":"exec.file.name == \"ntdsutil.exe\" && exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fqj-dnw-hmo","attributes":{"version":1,"name":"kernel_module_unlink","description":"A new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4nd-g5m-1xh","attributes":{"version":1,"name":"mount_proc_hide","description":"Process hidden using mount","expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wui-ktw-zwv","attributes":{"version":1,"name":"pam_modification_utimes","description":"PAM may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yrc-jyx-l5i","attributes":{"version":1,"name":"tty_shell_in_container","description":"A shell with a TTY was executed in a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqh-8ry-vsb","attributes":{"version":1,"name":"pam_modification_link","description":"PAM may have been modified without authorization","expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n4m-q5y-yhu","attributes":{"version":1,"name":"ssl_certificate_tampering_unlink","description":"SSL certificates may have been tampered with","expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" 
])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8i4-ehq-i3p","attributes":{"version":1,"name":"gcp_imds","description":"An GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fje-48p-1n8","attributes":{"version":1,"name":"ssh_authorized_keys_unlink","description":"SSH modified keys may have been modified","expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luu-gor-cgb","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"89r-spf-prk","attributes":{"version":1,"name":"credential_modified_open_v2","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"490-ewn-i16","attributes":{"version":1,"name":"chatroom_request","description":"A DNS request was made for a chatroom domain","expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzm-iv2-vhs","attributes":{"version":1,"name":"windows_test_default_rule","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pyu-xzd-leo","attributes":{"version":1,"name":"user_created_tty","description":"A user was created via an interactive session","expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in [\"D\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdm-kv0-gca","attributes":{"version":1,"name":"net_file_download","description":"A suspicious file was written by a network utility","expression":"open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5ts-w6u-tfl","attributes":{"version":1,"name":"registry_runkey_modified","description":"A Registry runkey has been modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jgi-rfz-rlb","attributes":{"version":1,"name":"pam_modification_unlink","description":"PAM may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"coy-qpb-suv","attributes":{"version":1,"name":"credential_modified_unlink","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-9tn-irt","attributes":{"version":1,"name":"ssl_certificate_tampering_link","description":"SSL certificates may have been tampered with","expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", 
~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dig-cav-hhc","attributes":{"version":1,"name":"kmod_list","description":"Kernel modules were listed using the kmod command","expression":"exec.comm == \"kmod\" && exec.args in [~\"*list*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jlg-roy-9zx","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The auditd rules file was modified without using auditctl","expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v83-av9-xuy","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rnj-nwd-n5v","attributes":{"version":1,"name":"procdump_usage","description":"Testing a default windows agent rule","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pjn-4hr-bot","attributes":{"version":1,"name":"suspicious_suid_execution","description":"Recently written or modified suid file has been executed","expression":"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-ud8-qzq","attributes":{"version":1,"name":"net_util_exfiltration","description":"Exfiltration attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4jd-zjb-ybo","attributes":{"version":1,"name":"shell_history_symlink","description":"A symbolic link for shell history was created targeting /dev/null","expression":"exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"can-pva-exd","attributes":{"version":1,"name":"suspicious_container_client","description":"A container management utility was executed in a container","expression":"exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bb8-sg5-ful","attributes":{"version":1,"name":"kernel_module_load_container","description":"A 
container loaded a new kernel module","expression":"load_module.name != \"\" && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yzz-sm2-0ff","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chmod","description":"Critical system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nx-gb8-9t4","attributes":{"version":1,"name":"rc_scripts_modified","description":"RC scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"npo-tkf-eex","attributes":{"version":1,"name":"pam_modification_chmod","description":"PAM may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gw4-kqw-q1l","attributes":{"version":1,"name":"new_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atm-kqf-qa2","attributes":{"version":1,"name":"systemd_modification_chmod","description":"A service may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oqc-9gu-uq5","attributes":{"version":1,"name":"ssl_certificate_tampering_utimes","description":"SSL certificates may have been tampered with","expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-7qi-s5j","attributes":{"version":1,"name":"pci_11_5_critical_binaries_unlink","description":"Critical system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bqm-bp1-dpv","attributes":{"version":1,"name":"nsswitch_conf_mod_link","description":"nsswitch may have been modified without authorization","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nah-p3m-dgh","attributes":{"version":1,"name":"database_shell_execution","description":"A database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name == \"initdb\" &&\nexec.args == \"-c locale -a\") 
&&\n!(process.parent.file.name == \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4mm-9uv-w3t","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6q-hmw-lae","attributes":{"version":1,"name":"auditd_config_modified","description":"The auditd configuration file was modified without using auditctl","expression":"open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"brz-yda-nve","attributes":{"version":1,"name":"ssh_authorized_keys_link","description":"SSH modified keys may have been modified","expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4be-qms-wyo","attributes":{"version":1,"name":"windows_update_registry_key_modified","description":"Windows update registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ttl-6wn-1ke","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The configuration directory for an ssh worm","expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n0c-0if-hne","attributes":{"version":1,"name":"nsswitch_conf_mod_chmod","description":"nsswitch may have been modified without authorization","expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ryr-yxl-ilk","attributes":{"version":1,"name":"nsswitch_conf_mod_utimes","description":"nsswitch may have been modified without authorization","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"61g-xow-oup","attributes":{"version":1,"name":"nsswitch_conf_mod_chown","description":"nsswitch may have been modified without authorization","expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"es9-b6s-upq","attributes":{"version":1,"name":"ssl_certificate_tampering_open_v2","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x79-zfs-0ix","attributes":{"version":1,"name":"omigod","description":"Omiagent spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name == \"omiagent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ks-vsd-y6y","attributes":{"version":1,"name":"ssl_certificate_tampering_open","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zb2-wpx-aff","attributes":{"version":1,"name":"new_binary_execution_in_container","description":"A container executed a new binary not found in the container image","expression":"container.id != \"\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k6c-tqa-hjv","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uwk-qfs-oqe","attributes":{"version":1,"name":"kernel_module_chmod","description":"A new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"czs-lbr-7k2","attributes":{"version":1,"name":"ptrace_antidebug","description":"A process uses an anti-debugging technique to block debuggers","expression":"ptrace.request == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpu-wji-3ed","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jch-xfg-uak","attributes":{"version":1,"name":"nsswitch_conf_mod_unlink","description":"nsswitch may have been modified without authorization","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yue-sj6-ucc","attributes":{"version":1,"name":"ssl_certificate_tampering_rename","description":"SSL certificates may have been tampered 
with","expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rp7-w2i-wnj","attributes":{"version":1,"name":"credential_modified_link","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mcj-rg7-foe","attributes":{"version":1,"name":"credential_modified_rename","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yu3-bwu-ji4","attributes":{"version":1,"name":"nick_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":[],"actions":[],"agentConstraint":">= 
7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jcr-yly-myj","attributes":{"version":1,"name":"ssl_certificate_tampering_chown","description":"SSL certificates may have been tampered with","expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llc-wxw-5uh","attributes":{"version":1,"name":"dirty_pipe_attempt","description":"Potential Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x7k-bop-jcu","attributes":{"version":1,"name":"windows_com_rpc_debugging_registry_key_modified","description":"Windows RPC COM debugging registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ypb-aen-wts","attributes":{"version":1,"name":"mount_host_fs","description":"The host file system was mounted in a container","expression":"mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zjd-e62-fkk","attributes":{"version":1,"name":"release_agent_container_breakout","description":"A process attempted to write to the release_agent file of a cgroup, indicating a potential container breakout attempt","expression":"container.id != \"\" && open.file.name == \"release_agent\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1646684459816,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgc-7yd-gpm","attributes":{"version":1,"name":"pci_11_5_critical_binaries_rename","description":"Critical system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bue-96a-bwo","attributes":{"version":1,"name":"pam_modification_rename","description":"PAM may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nue-ulh-gxb","attributes":{"version":1,"name":"aws_imds","description":"An AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", 
~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"55u-gp9-m0k","attributes":{"version":1,"name":"invalid_agent_constraint","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"0.0.0 >= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8og-5of-lw8","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A known kubernetes pentesting tool has been executed","expression":"(exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdj-qws-x9g","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqf-gv4-huh","attributes":{"version":1,"name":"windows_test_default_rule_b","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jji-uaq-xqi","attributes":{"version":1,"name":"net_util_in_container","description":"A network utility was executed in a container","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tj0-f4s-grz","attributes":{"version":1,"name":"pam_modification_chown","description":"PAM may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmg-bkt-mx4","attributes":{"version":1,"name":"exec_whoami","description":"The whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ao4-966-ahr","attributes":{"version":1,"name":"sensitive_tracing","description":"A process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mrk-tku-sbc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chown","description":"Critical system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nk2-hcg-hf5","attributes":{"version":1,"name":"kernel_module_load_from_memory","description":"A kernel module was loaded from memory","expression":"load_module.loaded_from_memory == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hau-g4f-zzo","attributes":{"version":1,"name":"apparmor_modified_tty","description":"An AppArmor profile was modified in an interactive session","expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gp-zoy-gyb","attributes":{"version":1,"name":"runc_leaky_fd","description":"The container breakout CVE-2024-21626 was successful","expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" && chdir.file.path == \"/sys/fs/cgroup\" && process.file.name =~ \"runc.*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wqb-yxc-mtb","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vpa-xoh-cia","attributes":{"version":1,"name":"procdump_execution","description":"A tool used to dump process memory has been executed","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlv-1qs-cjz","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers policy file may have been modified without authorization","expression":"(\n 
(rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"itl-shq-qre","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpl-fno-4u3","attributes":{"version":1,"name":"aws_eks_service_account_token_accessed","description":"The AWS EKS service account token was accessed","expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", 
~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3vq-bya-qsj","attributes":{"version":1,"name":"windows_security_essentials_executable_modified","description":"microsoft security essentials executable modified","expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"08i-pvz-95h","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpx-hnf-bc6","attributes":{"version":1,"name":"critical_registry_export","description":"regedit used to export critical registry hive","expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] && exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aoh-97n-qus","attributes":{"version":1,"name":"redis_save_module","description":"Redis module 
has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqg-9ps-mhw","attributes":{"version":1,"name":"passwd_execution","description":"The passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in [\"S\", \"status\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4r-2xn-ha0","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers policy file may have been modified without authorization","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-x88-p7j","attributes":{"version":1,"name":"kubernetes_dns_enumeration","description":"Kubernetes DNS enumeration","expression":"dns.question.name == 
\"any.any.svc.cluster.local\" && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vma-bsh-4d1","attributes":{"version":1,"name":"kernel_msr_write","description":"A process attempted to enable writing to model-specific registers","expression":"exec.comm == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aed-rue-lpr","attributes":{"version":1,"name":"ip_check_domain","description":"A DNS lookup was done for a IP check service","expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"stp-dwk-4j7","attributes":{"version":1,"name":"delete_system_log","description":"A process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4s4-ezo-w7q","attributes":{"version":1,"name":"dynamic_linker_config_write","description":"A process wrote to a dynamic linker config file","expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdc-uhk-mtc","attributes":{"version":1,"name":"ssh_authorized_keys_open","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgq-fea-q99","attributes":{"version":1,"name":"windows_system_enviroment_variable_registry_key_modified","description":"Windows environment variable registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n9y-2nc-no0","attributes":{"version":1,"name":"dotnet_dump_execution","description":"Dotnet_dump was used to dump a process memory","expression":"exec.cmdline =~ \"*dotnet-dump*\" && exec.cmdline =~ \"*collect*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r3m-72r-y8g","attributes":{"version":1,"name":"shell_history_truncated","description":"Shell History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && open.file.path in [~\"/root/*\", ~\"/home/**\"] && process.file.name == \"truncate\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zqc-vts-wok","attributes":{"version":1,"name":"nsswitch_conf_mod_open","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"usg-zrs-ckt","attributes":{"version":1,"name":"winlogon_registry_key_modified","description":"Windows winlogon registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x4t-j4v-l4r","attributes":{"version":1,"name":"windows_explorer_executable_modified","description":"windows explorer file has been modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9mk-a4g-rb5","attributes":{"version":1,"name":"crackmap_exec_usage","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cqr-wm9-cjl","attributes":{"version":1,"name":"systemd_modification_open","description":"A service may have been modified without authorization","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cxw-5gm-pid","attributes":{"version":1,"name":"curl_docker_socket","description":"The Docker socket was referenced in a cURL command","expression":"exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [~\"*docker.sock*\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpf-aeq-icx","attributes":{"version":1,"name":"ssh_authorized_keys_chown","description":"SSH modified keys may have been modified","expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iqk-ui0-v8c","attributes":{"version":1,"name":"hidden_file_executed","description":"A hidden file was executed in a suspicious folder","expression":"exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s1j-kv4-llt","attributes":{"version":1,"name":"selinux_disable_enforcement","description":"SELinux enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a9j-6xn-afo","attributes":{"version":1,"name":"sliver_c2_implant_execution","description":"process arguments match sliver c2 
implant","expression":"exec.cmdline =~ \"*NoExit *\" && exec.cmdline =~ \"*Command *\" && exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vb1-l7o-skr","attributes":{"version":1,"name":"ssl_certificate_tampering_chmod","description":"SSL certificates may have been tampered with","expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1or-3oo-rag","attributes":{"version":1,"name":"new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qme-vau-bk4","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A web application spawned a shell or shell utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ft-hzb-mpc","attributes":{"version":1,"name":"critical_windows_files_modified","description":"a critical windows file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hbd-kty-ixx","attributes":{"version":1,"name":"kernel_module_utimes","description":"A new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rly-bqo-sg1","attributes":{"version":1,"name":"systemd_modification_utimes","description":"A service may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eda-l1r-hrq","attributes":{"version":1,"name":"relay_attack_tool_execution","description":"Process matches known relay attack tool","expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rbo-40l-grx","attributes":{"version":1,"name":"net_unusual_request","description":"Network utility executed with suspicious URI","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gci-o39-u6v","attributes":{"version":1,"name":"read_kubeconfig","description":"The kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1uw-i6q-m5n","attributes":{"version":1,"name":"nsswitch_conf_mod_rename","description":"nsswitch may have been modified without authorization","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ynr-dvw-x2x","attributes":{"version":1,"name":"ssh_authorized_keys_rename","description":"SSH modified keys may have been modified","expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fme-ym2-lwi","attributes":{"version":1,"name":"systemd_modification_link","description":"A service may have been modified without authorization","expression":"(\n 
(link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tht-nwe-guf","attributes":{"version":1,"name":"k8s_pod_service_account_token_accessed","description":"The Kubernetes pod service account token was accessed","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", 
\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6d-gre-qls","attributes":{"version":1,"name":"service_stop","description":"systemctl used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ljs-qkf-c4r","attributes":{"version":1,"name":"pam_modification_open","description":"PAM may have been 
modified without authorization","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vhj-z63-abi","attributes":{"version":1,"name":"systemd_modification_chown","description":"A service may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pho-wta-zir","attributes":{"version":1,"name":"net_util","description":"A network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m36-fmz-1bi","attributes":{"version":1,"name":"executable_bit_added","description":"The executable bit was added to a newly created file","expression":"chmod.file.in_upper_layer &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH > 0 &&\nprocess.argv in [\"+x\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5j0-kon-1hn","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsw-h1t-p9n","attributes":{"version":1,"name":"suid_file_execution","description":"a SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"da1-a9j-tw9","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers policy file may have 
been modified without authorization","expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4tw-oex-wnc","attributes":{"version":1,"name":"cryptominer_args","description":"A process launched with arguments associated with cryptominers","expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uga-lal-zqb","attributes":{"version":1,"name":"php_spawning_shell","description":"PHP web application spawning shell","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"alv-iwj-sbs","attributes":{"version":1,"name":"systemd_modification_unlink","description":"A service may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nsy-20w-pj6","attributes":{"version":1,"name":"sharpup_tool_usage","description":"sharpup tool used for local privilege escalation","expression":"exec.file.name == \"sharpup.exe\" && exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mam-ir1-532","attributes":{"version":1,"name":"windows_cryptographic_blocking_policy_registry_key_modified","description":"Windows cryptographic blocking policy modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tn9-vck-we9","attributes":{"version":1,"name":"shell_history_deleted","description":"Shell History was Deleted","expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && unlink.file.path in [~\"/root/**\", ~\"/home/**\"] && process.comm not in 
[\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ows-d9p-s2b","attributes":{"version":1,"name":"runc_modification","description":"The runc binary was modified in a non-standard way","expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"on3-qxk-zeh","attributes":{"version":1,"name":"paste_site","description":"A DNS lookup was done for a pastebin-like site","expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdi-lzv-pki","attributes":{"version":1,"name":"azure_imds","description":"An Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qay-zpa-akb","attributes":{"version":1,"name":"rubeus_execution","description":"process arguments match rubeus credential theft tool","expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uty-ayo-tpv","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"icy-i3s-bvd","attributes":{"version":1,"name":"deploy_priv_container","description":"A privileged container was created","expression":"exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6du-s2a-foz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A suspicious bitsadmin command has been executed","expression":"exec.file.name == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dco-vsp-sto","attributes":{"version":1,"name":"ssh_authorized_keys_chmod","description":"SSH modified keys may have been modified","expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyc-tp1-xr1","attributes":{"version":1,"name":"windows_boot_registry_key_modified","description":"Windows boot registry key modified","expression":"set.registry.key_path in 
[~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-cg7-96w","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bft-ikt-sfa","attributes":{"version":1,"name":"registry_service_runkey_modified","description":"Service registry runkey modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ydm-yqo-f9t","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney Tunables (CVE-2023-4911) exploit attempted","expression":"exec.file.mode & S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpy-igs-bcp","attributes":{"version":1,"name":"windows_shell_folders_registry_key_modified","description":"Windows shell folders registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gyj-yid-n02","attributes":{"version":1,"name":"ptrace_injection","description":"A process attempted to inject code into another process","expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxe-vss-47x","attributes":{"version":1,"name":"windows_firewall_configuration_registry_key_modified","description":"Windows firewall configuration registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zxv-eui-tgr","attributes":{"version":1,"name":"auditctl_usage","description":"The 
auditctl command was used to modify auditd","expression":"exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ccs-c0e-kx6","attributes":{"version":1,"name":"minidump_usage","description":"Process memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline =~ \"*MiniDump*\" && exec.cmdline =~ \"*comsvcs*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"we1-nic-zhp","attributes":{"version":1,"name":"base64_decode","description":"The base64 command was used to decode information","expression":"exec.file.name == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mjs-qml-f6e","attributes":{"version":1,"name":"systemd_modification_rename","description":"A service may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"elg-0ho-jjb","attributes":{"version":1,"name":"powershell_empire_uac_bypass","description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dzi-svp-ub2","attributes":{"version":1,"name":"memfd_create","description":"memfd object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path == \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iv0-azx-iwi","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An interactive shell was started inside of a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n 
\"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mgb-ejl-c5b","attributes":{"version":1,"name":"kernel_module_rename","description":"A new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dug-aqp-7zn","attributes":{"version":1,"name":"exec_wrmsr","description":"The wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wrz-nq9-pi8","attributes":{"version":1,"name":"mining_pool_lookup","description":"A process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"01c-hgk-8x3","attributes":{"version":1,"name":"credential_modified_chmod","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ld1-hxu-zdf","attributes":{"version":1,"name":"nick_new_java_detect_with_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"foogazi\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z0y-kio-bf4","attributes":{"version":1,"name":"kernel_module_open","description":"A new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xtf-uqt-mh0","attributes":{"version":1,"name":"common_net_intrusion_util","description":"A network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", 
\"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l5b-qmr-hi6","attributes":{"version":1,"name":"ssh_authorized_keys_utimes","description":"SSH modified keys may have been modified","expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qa1-stp-xpl","attributes":{"version":1,"name":"open_msr_writes","description":"A process opened a model-specific register (MSR) configuration file","expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cwr-kgl-5xs","attributes":{"version":1,"name":"credential_modified_chown","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", 
\"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"am6-icr-cgg","attributes":{"version":1,"name":"package_management_in_container","description":"Package management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esx-z8e-qcs","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot registry modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sdk-dp7-vt0","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A Jupyter notebook executed a shell","expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnz-ezh-lyu","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjo-mdq-mi1","attributes":{"version":1,"name":"dynamic_linker_config_unlink","description":"A process unlinked a dynamic linker config file","expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psf-hiy-3ji","attributes":{"version":1,"name":"scheduled_task_creation","description":"A scheduled task was created","expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] && exec.cmdline =~ \"*create*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6vb-fkj-cdc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ktg-ng9-izk","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory == true && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0qf-cha-qci","attributes":{"version":1,"name":"java_shell_execution_parent","description":"A java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in 
[ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/s
ha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n&& process.parent.file.name in [\"java\", \"jspawnhelper\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gz3-l4z-bzr","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local account groups were enumerated after container start up","expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hob-7or-knu","attributes":{"version":1,"name":"python_cli_code","description":"Python code was provided on the command line","expression":"exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"buh-tbl-6k1","attributes":{"version":1,"name":"pci_11_5_critical_binaries_link","description":"Critical system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521243,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 131.34875ms
+ duration: 182.42925ms
- id: 6
request:
proto: HTTP/1.1
@@ -220,24 +224,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- transfer_encoding:
- - chunked
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ transfer_encoding: []
trailer: {}
content_length: -1
- uncompressed: false
- body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}'
+ uncompressed: true
+ body: |
+ {"data":[{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"vg6-omq-vv4","attributes":{"version":1,"name":"wawhgdyumt","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295102041,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295102041,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"3yb-106-xrm","attributes":{"version":3,"name":"my_terraform_rule2","description":"my terraform rule","expression":"bind.addr.ip==1.6.1.9","category":"Kernel Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747140640989,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747141373736,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"rtp-dom-1am","attributes":{"version":1,"name":"agent_rule2","description":"My Agent 
rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747062863277,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747062863277,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"1vs-h3p-spa","attributes":{"version":1,"name":"000000bangtestnumber","description":"should_work_with_number","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702433529,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":60000000,"append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5c-vnp-xf2","attributes":{"version":1,"name":"000000bangtest","description":"should_work_with_string","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702410743,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d4v-xci-tzk","attributes":{"version":1,"name":"000000second","description":"ahahaha","expression":"open.file.path in 
[~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743701600763,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"by5-5gy-ajb","attributes":{"version":2,"name":"kernel_module_load","description":"A kernel module was loaded","expression":"load_module.loaded_from_memory == false && load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737734329380,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c5x-fzi-cfu","attributes":{"version":2,"name":"known_dll_registry_key_modified","description":"Windows Known DLLs location registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737044905726,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcw-skn-8l6","attributes":{"version":1,"name":"shell_net_connection","description":"A shell made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980532395,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jwd-mhg-rzc","attributes":{"version":1,"name":"interpreter_outbound_connection","description":"An interpreter made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && process.file.name in [~\"python2*\", ~\"python3*\", \"node\", \"perl\", ~\"ruby*\"]","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980527270,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7k7-mzh-fhj","attributes":{"version":1,"name":"irc_connection","description":"A process made an outbound IRC connection","expression":"connect.addr.port == 6667 && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980517121,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gff-p0p-hzz","attributes":{"version":1,"name":"p2pinfect_connection","description":"A process made a connection to a port associated with P2PInfect malware","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && connect.addr.port >= 60100 && connect.addr.port <= 60150","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980466118,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yh-tmv-2ir","attributes":{"version":1,"name":"socat_shell","description":"Process arguments indicating possible socat shell detected","expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) && exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536410363,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwp-lhw-osb","attributes":{"version":1,"name":"udev_modification","description":"Device rule 
created","expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] && open.flags & O_CREAT > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405283,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"p4u-oh0-avq","attributes":{"version":1,"name":"devshm_execution","description":"A file executed from /dev/shm/ directory","expression":"exec.file.path == \"/dev/shm/**\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jdx-661-6he","attributes":{"version":1,"name":"ssh_nonstandard_connection","description":"SSH initiated a connection on a nonstandard port","expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] && process.file.name == \"ssh\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395054,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozf-woz-u9t","attributes":{"version":2,"name":"libpam_ebpf_hook","description":"Library libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args in [r\"libpam\\.so\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395021,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k02-h52-5kl","attributes":{"version":1,"name":"overwrite_entrypoint","description":"A process attempted to 
overwrite the container entrypoint","expression":"open.file.path == \"/proc/self/fd/1\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0 && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389957,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qwh-aci-cax","attributes":{"version":2,"name":"cron_at_job_creation_open","description":"An unauthorized job was added to cron scheduling","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389882,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cvg-paj-akm","attributes":{"version":2,"name":"cron_at_job_creation_chown","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536379705,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecq-lqb-dko","attributes":{"version":1,"name":"find_credentials","description":"find command searching for sensitive files","expression":"exec.comm == \"find\" && exec.args in [~\"*credentials*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374661,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jig-hjw-dqq","attributes":{"version":1,"name":"webdriver_spawned_shell","description":"Browser WebDriver spawned shell","expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] && exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374638,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cjg-f8o-kp3","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" && process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", 
\"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374597,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-5ct-v09","attributes":{"version":1,"name":"netcat_shell","description":"Process arguments indicating possible netcat shell detected","expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] && ((exec.args_flags in [\"l\"] && exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] && exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536369507,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qyq-78u-ql6","attributes":{"version":1,"name":"cups_spawned_shell","description":"Shell process spawned from print server","expression":"exec.file.name != \"\" && process.parent.file.name == \"foomatic-rip\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364424,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdw-b2j-bpy","attributes":{"version":1,"name":"debugfs_in_container","description":"The debugfs was executed in a container","expression":"exec.comm == \"debugfs\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364396,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dt3-f0b-e8d","attributes":{"version":1,"name":"webapp_imds_V1_request","description":"Web application requested IMDSv1 credentials","expression":"imds.aws.is_imds_v2 == false && imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" && (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359279,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dat-hhr-7xk","attributes":{"version":2,"name":"cron_at_job_creation_link","description":"An unauthorized job was added to cron scheduling","expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-hyn-s1j","attributes":{"version":1,"name":"release_agent_escape","description":"Container escape attempted by overwriting release_agent","expression":"open.file.name == \"release_agent\" && 
open.file.path in [\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354195,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vvo-iqz-sr2","attributes":{"version":1,"name":"file_sync_exfil","description":"The rclone utility was executed","expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354189,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-jbt-ag7","attributes":{"version":1,"name":"unshare_in_container","description":"The unshare utility was executed in a container","expression":"exec.comm == \"unshare\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349072,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rhn-60e-ocl","attributes":{"version":2,"name":"iptables_egress_allowed","description":"Egress traffic allowed using iptables","expression":"exec.comm == \"iptables\" && process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349046,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ol8-rm4-6j5","attributes":{"version":1,"name":"aws_cli_usage","description":"The AWS CLI utility was executed","expression":"exec.file.name == \"aws\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343955,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"956-hlb-btg","attributes":{"version":1,"name":"php_shell","description":"Process arguments indicating possible php shell detected","expression":"exec.file.name == \"php\" && exec.args_flags in [\"r\"] && ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343942,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gu9-82k-92p","attributes":{"version":2,"name":"cron_at_job_creation_chmod","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343900,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oad-qwd-via","attributes":{"version":2,"name":"compile_after_delivery","description":"A compiler wrote a suspicious file in a container","expression":"open.flags & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536323502,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vx6-cyx-ksx","attributes":{"version":1,"name":"openssl_backdoor","description":"openssl used to establish backdoor","expression":"exec.comm == \"openssl\" && exec.args =~ \"*s_client*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318450,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4p-qiy-v1g","attributes":{"version":2,"name":"compiler_in_container","description":"A compiler was executed inside of a container","expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" && exec.args in 
[~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318401,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n17-fnl-a6b","attributes":{"version":1,"name":"mount_in_container","description":"The mount utility was executed in a container","expression":"exec.comm == \"mount\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313319,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylt-39s-jwc","attributes":{"version":2,"name":"cron_at_job_creation_unlink","description":"An unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313305,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyp-ktn-4kd","attributes":{"version":1,"name":"nsenter_in_container","description":"nsenter used to breakout of container","expression":"exec.file.name == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id != \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308211,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mp4-mte-fr7","attributes":{"version":1,"name":"ssh_outbound_connection","description":"A process connected to an SSH server","expression":"connect.addr.port == 22 && connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.ip not in [127.0.0.0/8]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308194,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jix-kop-8dg","attributes":{"version":2,"name":"ransomware_note","description":"Possible ransomware note created under common user directories","expression":"open.flags & O_CREAT > 0\n&& open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n&& open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] && open.file.name not in [r\"\\.lock$\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308136,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x0q-bqb-eo1","attributes":{"version":2,"name":"windows_cryptominer_process","description":"A cryptominer was potentially executed","expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536303070,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"txo-xll-se0","attributes":{"version":2,"name":"suspicious_dll_write","description":"Dll written to a suspicious directory","expression":"create.file.name =~ \"*.dll\" && create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] && process.file.name != \"dockerd.exe\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536297939,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zig-zjk-wem","attributes":{"version":1,"name":"perl_shell","description":"Process arguments indicating possible perl bind shell detected","expression":"exec.file.name == ~\"perl*\" && exec.args_flags in [\"e\"] && ((exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"]) || (exec.args in [~\"*/bin/sh*\", ~\"*/bin/bash*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292914,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qfj-nw1-1zg","attributes":{"version":1,"name":"modified_file_requesting_imds_creds","description":"Recently modified file requested credentials from IMDS","expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" && (process.parent.file.modification_time < 120s || process.file.modification_time < 30s)","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292897,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhp-mh7-pgn","attributes":{"version":2,"name":"cron_at_job_creation_rename","description":"An unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287823,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ers-kyx-kaq","attributes":{"version":2,"name":"cron_at_job_creation_utimes","description":"An unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287800,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjm-2is-v4s","attributes":{"version":1,"name":"tar_execution","description":"Tar archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xhr-7kq-dpo","attributes":{"version":1,"name":"user_deleted_tty","description":"A user was deleted via an interactive session","expression":"exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d0z-hzd-y7v","attributes":{"version":1,"name":"cryptominer_envs","description":"Process environment variables match cryptocurrency miner","expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eav-mud-yh0","attributes":{"version":1,"name":"credential_modified_utimes","description":"Sensitive credential files were modified using a non-standard 
tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g2j-1lc-iub","attributes":{"version":1,"name":"kernel_module_chown","description":"A new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5x8-617-k9v","attributes":{"version":1,"name":"chaussette","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cdy-4sl-0vh","attributes":{"version":1,"name":"dirty_pipe_exploitation","description":"Potential Dirty pipe exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8fk-hlc-jgx","attributes":{"version":1,"name":"registry_hives_file_path_key_modified","description":"Windows registry hives file location key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ggj-tkx-3i5","attributes":{"version":1,"name":"windows_hosts_file_modified","description":"the windows hosts file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmg-jnt-cra","attributes":{"version":1,"name":"kernel_module_link","description":"A new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"b7q-33d-ehp","attributes":{"version":1,"name":"inveigh_tool_usage","description":"Process executed with arguments common with Inveigh tool usage","expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdj-3ys-gul","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" && open.file.name in 
[\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kof-qfg-4z7","attributes":{"version":1,"name":"certutil_usage","description":"Certutil was executed to transmit or decode a potentially malicious file","expression":"exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u0y-4yq-w99","attributes":{"version":1,"name":"pwnkit_privilege_escalation","description":"A process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yyp-3qo-77g","attributes":{"version":1,"name":"pci_11_5_critical_binaries_utimes","description":"Critical system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n 
&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ijj-sdz-ghy","attributes":{"version":1,"name":"nick_new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjg-ztr-xts","attributes":{"version":1,"name":"suspicious_ntdsutil_usage","description":"Suspicious usage of ntdsutil","expression":"exec.file.name == \"ntdsutil.exe\" && exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fqj-dnw-hmo","attributes":{"version":1,"name":"kernel_module_unlink","description":"A new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4nd-g5m-1xh","attributes":{"version":1,"name":"mount_proc_hide","description":"Process hidden using mount","expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wui-ktw-zwv","attributes":{"version":1,"name":"pam_modification_utimes","description":"PAM may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yrc-jyx-l5i","attributes":{"version":1,"name":"tty_shell_in_container","description":"A shell with a TTY was executed in a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqh-8ry-vsb","attributes":{"version":1,"name":"pam_modification_link","description":"PAM may have been modified without authorization","expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n4m-q5y-yhu","attributes":{"version":1,"name":"ssl_certificate_tampering_unlink","description":"SSL certificates may have been tampered with","expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" 
])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8i4-ehq-i3p","attributes":{"version":1,"name":"gcp_imds","description":"An GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fje-48p-1n8","attributes":{"version":1,"name":"ssh_authorized_keys_unlink","description":"SSH modified keys may have been modified","expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luu-gor-cgb","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"89r-spf-prk","attributes":{"version":1,"name":"credential_modified_open_v2","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"490-ewn-i16","attributes":{"version":1,"name":"chatroom_request","description":"A DNS request was made for a chatroom domain","expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzm-iv2-vhs","attributes":{"version":1,"name":"windows_test_default_rule","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pyu-xzd-leo","attributes":{"version":1,"name":"user_created_tty","description":"A user was created via an interactive session","expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in [\"D\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdm-kv0-gca","attributes":{"version":1,"name":"net_file_download","description":"A suspicious file was written by a network utility","expression":"open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5ts-w6u-tfl","attributes":{"version":1,"name":"registry_runkey_modified","description":"A Registry runkey has been modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jgi-rfz-rlb","attributes":{"version":1,"name":"pam_modification_unlink","description":"PAM may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"coy-qpb-suv","attributes":{"version":1,"name":"credential_modified_unlink","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-9tn-irt","attributes":{"version":1,"name":"ssl_certificate_tampering_link","description":"SSL certificates may have been tampered with","expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", 
~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dig-cav-hhc","attributes":{"version":1,"name":"kmod_list","description":"Kernel modules were listed using the kmod command","expression":"exec.comm == \"kmod\" && exec.args in [~\"*list*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jlg-roy-9zx","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The auditd rules file was modified without using auditctl","expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v83-av9-xuy","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rnj-nwd-n5v","attributes":{"version":1,"name":"procdump_usage","description":"Testing a default windows agent rule","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pjn-4hr-bot","attributes":{"version":1,"name":"suspicious_suid_execution","description":"Recently written or modified suid file has been executed","expression":"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-ud8-qzq","attributes":{"version":1,"name":"net_util_exfiltration","description":"Exfiltration attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4jd-zjb-ybo","attributes":{"version":1,"name":"shell_history_symlink","description":"A symbolic link for shell history was created targeting /dev/null","expression":"exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"can-pva-exd","attributes":{"version":1,"name":"suspicious_container_client","description":"A container management utility was executed in a container","expression":"exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bb8-sg5-ful","attributes":{"version":1,"name":"kernel_module_load_container","description":"A 
container loaded a new kernel module","expression":"load_module.name != \"\" && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yzz-sm2-0ff","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chmod","description":"Critical system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nx-gb8-9t4","attributes":{"version":1,"name":"rc_scripts_modified","description":"RC scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"npo-tkf-eex","attributes":{"version":1,"name":"pam_modification_chmod","description":"PAM may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gw4-kqw-q1l","attributes":{"version":1,"name":"new_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atm-kqf-qa2","attributes":{"version":1,"name":"systemd_modification_chmod","description":"A service may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oqc-9gu-uq5","attributes":{"version":1,"name":"ssl_certificate_tampering_utimes","description":"SSL certificates may have been tampered with","expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-7qi-s5j","attributes":{"version":1,"name":"pci_11_5_critical_binaries_unlink","description":"Critical system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bqm-bp1-dpv","attributes":{"version":1,"name":"nsswitch_conf_mod_link","description":"nsswitch may have been modified without authorization","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nah-p3m-dgh","attributes":{"version":1,"name":"database_shell_execution","description":"A database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name == \"initdb\" &&\nexec.args == \"-c locale -a\") 
&&\n!(process.parent.file.name == \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4mm-9uv-w3t","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6q-hmw-lae","attributes":{"version":1,"name":"auditd_config_modified","description":"The auditd configuration file was modified without using auditctl","expression":"open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"brz-yda-nve","attributes":{"version":1,"name":"ssh_authorized_keys_link","description":"SSH modified keys may have been modified","expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4be-qms-wyo","attributes":{"version":1,"name":"windows_update_registry_key_modified","description":"Windows update registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ttl-6wn-1ke","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The configuration directory for an ssh worm","expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n0c-0if-hne","attributes":{"version":1,"name":"nsswitch_conf_mod_chmod","description":"nsswitch may have been modified without authorization","expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ryr-yxl-ilk","attributes":{"version":1,"name":"nsswitch_conf_mod_utimes","description":"nsswitch may have been modified without authorization","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"61g-xow-oup","attributes":{"version":1,"name":"nsswitch_conf_mod_chown","description":"nsswitch may have been modified without authorization","expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"es9-b6s-upq","attributes":{"version":1,"name":"ssl_certificate_tampering_open_v2","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x79-zfs-0ix","attributes":{"version":1,"name":"omigod","description":"Omiagent spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name == \"omiagent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ks-vsd-y6y","attributes":{"version":1,"name":"ssl_certificate_tampering_open","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zb2-wpx-aff","attributes":{"version":1,"name":"new_binary_execution_in_container","description":"A container executed a new binary not found in the container image","expression":"container.id != \"\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k6c-tqa-hjv","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uwk-qfs-oqe","attributes":{"version":1,"name":"kernel_module_chmod","description":"A new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"czs-lbr-7k2","attributes":{"version":1,"name":"ptrace_antidebug","description":"A process uses an anti-debugging technique to block debuggers","expression":"ptrace.request == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpu-wji-3ed","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jch-xfg-uak","attributes":{"version":1,"name":"nsswitch_conf_mod_unlink","description":"nsswitch may have been modified without authorization","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yue-sj6-ucc","attributes":{"version":1,"name":"ssl_certificate_tampering_rename","description":"SSL certificates may have been tampered 
with","expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rp7-w2i-wnj","attributes":{"version":1,"name":"credential_modified_link","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mcj-rg7-foe","attributes":{"version":1,"name":"credential_modified_rename","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yu3-bwu-ji4","attributes":{"version":1,"name":"nick_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":[],"actions":[],"agentConstraint":">= 
7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jcr-yly-myj","attributes":{"version":1,"name":"ssl_certificate_tampering_chown","description":"SSL certificates may have been tampered with","expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llc-wxw-5uh","attributes":{"version":1,"name":"dirty_pipe_attempt","description":"Potential Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x7k-bop-jcu","attributes":{"version":1,"name":"windows_com_rpc_debugging_registry_key_modified","description":"Windows RPC COM debugging registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ypb-aen-wts","attributes":{"version":1,"name":"mount_host_fs","description":"The host file system was mounted in a container","expression":"mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zjd-e62-fkk","attributes":{"version":1,"name":"release_agent_container_breakout","description":"A process attempted to write to the release_agent file of a cgroup, indicating a potential container breakout attempt","expression":"container.id != \"\" && open.file.name == \"release_agent\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1646684459816,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgc-7yd-gpm","attributes":{"version":1,"name":"pci_11_5_critical_binaries_rename","description":"Critical system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bue-96a-bwo","attributes":{"version":1,"name":"pam_modification_rename","description":"PAM may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nue-ulh-gxb","attributes":{"version":1,"name":"aws_imds","description":"An AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", 
~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"55u-gp9-m0k","attributes":{"version":1,"name":"invalid_agent_constraint","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"0.0.0 >= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8og-5of-lw8","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A known kubernetes pentesting tool has been executed","expression":"(exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdj-qws-x9g","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqf-gv4-huh","attributes":{"version":1,"name":"windows_test_default_rule_b","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jji-uaq-xqi","attributes":{"version":1,"name":"net_util_in_container","description":"A network utility was executed in a container","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tj0-f4s-grz","attributes":{"version":1,"name":"pam_modification_chown","description":"PAM may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmg-bkt-mx4","attributes":{"version":1,"name":"exec_whoami","description":"The whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ao4-966-ahr","attributes":{"version":1,"name":"sensitive_tracing","description":"A process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mrk-tku-sbc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chown","description":"Critical system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nk2-hcg-hf5","attributes":{"version":1,"name":"kernel_module_load_from_memory","description":"A kernel module was loaded from memory","expression":"load_module.loaded_from_memory == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hau-g4f-zzo","attributes":{"version":1,"name":"apparmor_modified_tty","description":"An AppArmor profile was modified in an interactive session","expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gp-zoy-gyb","attributes":{"version":1,"name":"runc_leaky_fd","description":"The container breakout CVE-2024-21626 was successful","expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" && chdir.file.path == \"/sys/fs/cgroup\" && process.file.name =~ \"runc.*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wqb-yxc-mtb","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vpa-xoh-cia","attributes":{"version":1,"name":"procdump_execution","description":"A tool used to dump process memory has been executed","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlv-1qs-cjz","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers policy file may have been modified without authorization","expression":"(\n 
(rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"itl-shq-qre","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpl-fno-4u3","attributes":{"version":1,"name":"aws_eks_service_account_token_accessed","description":"The AWS EKS service account token was accessed","expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", 
~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3vq-bya-qsj","attributes":{"version":1,"name":"windows_security_essentials_executable_modified","description":"microsoft security essentials executable modified","expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"08i-pvz-95h","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpx-hnf-bc6","attributes":{"version":1,"name":"critical_registry_export","description":"regedit used to export critical registry hive","expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] && exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aoh-97n-qus","attributes":{"version":1,"name":"redis_save_module","description":"Redis module 
has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqg-9ps-mhw","attributes":{"version":1,"name":"passwd_execution","description":"The passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in [\"S\", \"status\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4r-2xn-ha0","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers policy file may have been modified without authorization","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-x88-p7j","attributes":{"version":1,"name":"kubernetes_dns_enumeration","description":"Kubernetes DNS enumeration","expression":"dns.question.name == 
\"any.any.svc.cluster.local\" && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vma-bsh-4d1","attributes":{"version":1,"name":"kernel_msr_write","description":"A process attempted to enable writing to model-specific registers","expression":"exec.comm == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aed-rue-lpr","attributes":{"version":1,"name":"ip_check_domain","description":"A DNS lookup was done for a IP check service","expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"stp-dwk-4j7","attributes":{"version":1,"name":"delete_system_log","description":"A process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4s4-ezo-w7q","attributes":{"version":1,"name":"dynamic_linker_config_write","description":"A process wrote to a dynamic linker config file","expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdc-uhk-mtc","attributes":{"version":1,"name":"ssh_authorized_keys_open","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgq-fea-q99","attributes":{"version":1,"name":"windows_system_enviroment_variable_registry_key_modified","description":"Windows environment variable registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n9y-2nc-no0","attributes":{"version":1,"name":"dotnet_dump_execution","description":"Dotnet_dump was used to dump a process memory","expression":"exec.cmdline =~ \"*dotnet-dump*\" && exec.cmdline =~ \"*collect*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r3m-72r-y8g","attributes":{"version":1,"name":"shell_history_truncated","description":"Shell History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && open.file.path in [~\"/root/*\", ~\"/home/**\"] && process.file.name == \"truncate\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zqc-vts-wok","attributes":{"version":1,"name":"nsswitch_conf_mod_open","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"usg-zrs-ckt","attributes":{"version":1,"name":"winlogon_registry_key_modified","description":"Windows winlogon registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x4t-j4v-l4r","attributes":{"version":1,"name":"windows_explorer_executable_modified","description":"windows explorer file has been modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9mk-a4g-rb5","attributes":{"version":1,"name":"crackmap_exec_usage","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cqr-wm9-cjl","attributes":{"version":1,"name":"systemd_modification_open","description":"A service may have been modified without authorization","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cxw-5gm-pid","attributes":{"version":1,"name":"curl_docker_socket","description":"The Docker socket was referenced in a cURL command","expression":"exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [~\"*docker.sock*\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpf-aeq-icx","attributes":{"version":1,"name":"ssh_authorized_keys_chown","description":"SSH modified keys may have been modified","expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iqk-ui0-v8c","attributes":{"version":1,"name":"hidden_file_executed","description":"A hidden file was executed in a suspicious folder","expression":"exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s1j-kv4-llt","attributes":{"version":1,"name":"selinux_disable_enforcement","description":"SELinux enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a9j-6xn-afo","attributes":{"version":1,"name":"sliver_c2_implant_execution","description":"process arguments match sliver c2 
implant","expression":"exec.cmdline =~ \"*NoExit *\" && exec.cmdline =~ \"*Command *\" && exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vb1-l7o-skr","attributes":{"version":1,"name":"ssl_certificate_tampering_chmod","description":"SSL certificates may have been tampered with","expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1or-3oo-rag","attributes":{"version":1,"name":"new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qme-vau-bk4","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A web application spawned a shell or shell utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ft-hzb-mpc","attributes":{"version":1,"name":"critical_windows_files_modified","description":"a critical windows file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hbd-kty-ixx","attributes":{"version":1,"name":"kernel_module_utimes","description":"A new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rly-bqo-sg1","attributes":{"version":1,"name":"systemd_modification_utimes","description":"A service may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eda-l1r-hrq","attributes":{"version":1,"name":"relay_attack_tool_execution","description":"Process matches known relay attack tool","expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rbo-40l-grx","attributes":{"version":1,"name":"net_unusual_request","description":"Network utility executed with suspicious URI","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gci-o39-u6v","attributes":{"version":1,"name":"read_kubeconfig","description":"The kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1uw-i6q-m5n","attributes":{"version":1,"name":"nsswitch_conf_mod_rename","description":"nsswitch may have been modified without authorization","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ynr-dvw-x2x","attributes":{"version":1,"name":"ssh_authorized_keys_rename","description":"SSH modified keys may have been modified","expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fme-ym2-lwi","attributes":{"version":1,"name":"systemd_modification_link","description":"A service may have been modified without authorization","expression":"(\n 
(link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tht-nwe-guf","attributes":{"version":1,"name":"k8s_pod_service_account_token_accessed","description":"The Kubernetes pod service account token was accessed","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", 
\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6d-gre-qls","attributes":{"version":1,"name":"service_stop","description":"systemctl used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ljs-qkf-c4r","attributes":{"version":1,"name":"pam_modification_open","description":"PAM may have been 
modified without authorization","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vhj-z63-abi","attributes":{"version":1,"name":"systemd_modification_chown","description":"A service may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pho-wta-zir","attributes":{"version":1,"name":"net_util","description":"A network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m36-fmz-1bi","attributes":{"version":1,"name":"executable_bit_added","description":"The executable bit was added to a newly created file","expression":"chmod.file.in_upper_layer &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH > 0 &&\nprocess.argv in [\"+x\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5j0-kon-1hn","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsw-h1t-p9n","attributes":{"version":1,"name":"suid_file_execution","description":"a SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"da1-a9j-tw9","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers policy file may have 
been modified without authorization","expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4tw-oex-wnc","attributes":{"version":1,"name":"cryptominer_args","description":"A process launched with arguments associated with cryptominers","expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uga-lal-zqb","attributes":{"version":1,"name":"php_spawning_shell","description":"PHP web application spawning shell","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"alv-iwj-sbs","attributes":{"version":1,"name":"systemd_modification_unlink","description":"A service may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nsy-20w-pj6","attributes":{"version":1,"name":"sharpup_tool_usage","description":"sharpup tool used for local privilege escalation","expression":"exec.file.name == \"sharpup.exe\" && exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mam-ir1-532","attributes":{"version":1,"name":"windows_cryptographic_blocking_policy_registry_key_modified","description":"Windows cryptographic blocking policy modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tn9-vck-we9","attributes":{"version":1,"name":"shell_history_deleted","description":"Shell History was Deleted","expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && unlink.file.path in [~\"/root/**\", ~\"/home/**\"] && process.comm not in 
[\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ows-d9p-s2b","attributes":{"version":1,"name":"runc_modification","description":"The runc binary was modified in a non-standard way","expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"on3-qxk-zeh","attributes":{"version":1,"name":"paste_site","description":"A DNS lookup was done for a pastebin-like site","expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdi-lzv-pki","attributes":{"version":1,"name":"azure_imds","description":"An Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qay-zpa-akb","attributes":{"version":1,"name":"rubeus_execution","description":"process arguments match rubeus credential theft tool","expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uty-ayo-tpv","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"icy-i3s-bvd","attributes":{"version":1,"name":"deploy_priv_container","description":"A privileged container was created","expression":"exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6du-s2a-foz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A suspicious bitsadmin command has been executed","expression":"exec.file.name == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dco-vsp-sto","attributes":{"version":1,"name":"ssh_authorized_keys_chmod","description":"SSH modified keys may have been modified","expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyc-tp1-xr1","attributes":{"version":1,"name":"windows_boot_registry_key_modified","description":"Windows boot registry key modified","expression":"set.registry.key_path in 
[~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-cg7-96w","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bft-ikt-sfa","attributes":{"version":1,"name":"registry_service_runkey_modified","description":"Service registry runkey modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ydm-yqo-f9t","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney Tunables (CVE-2023-4911) exploit attempted","expression":"exec.file.mode & S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpy-igs-bcp","attributes":{"version":1,"name":"windows_shell_folders_registry_key_modified","description":"Windows shell folders registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gyj-yid-n02","attributes":{"version":1,"name":"ptrace_injection","description":"A process attempted to inject code into another process","expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxe-vss-47x","attributes":{"version":1,"name":"windows_firewall_configuration_registry_key_modified","description":"Windows firewall configuration registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zxv-eui-tgr","attributes":{"version":1,"name":"auditctl_usage","description":"The 
auditctl command was used to modify auditd","expression":"exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ccs-c0e-kx6","attributes":{"version":1,"name":"minidump_usage","description":"Process memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline =~ \"*MiniDump*\" && exec.cmdline =~ \"*comsvcs*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"we1-nic-zhp","attributes":{"version":1,"name":"base64_decode","description":"The base64 command was used to decode information","expression":"exec.file.name == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mjs-qml-f6e","attributes":{"version":1,"name":"systemd_modification_rename","description":"A service may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"elg-0ho-jjb","attributes":{"version":1,"name":"powershell_empire_uac_bypass","description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dzi-svp-ub2","attributes":{"version":1,"name":"memfd_create","description":"memfd object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path == \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iv0-azx-iwi","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An interactive shell was started inside of a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n 
\"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mgb-ejl-c5b","attributes":{"version":1,"name":"kernel_module_rename","description":"A new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dug-aqp-7zn","attributes":{"version":1,"name":"exec_wrmsr","description":"The wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wrz-nq9-pi8","attributes":{"version":1,"name":"mining_pool_lookup","description":"A process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"01c-hgk-8x3","attributes":{"version":1,"name":"credential_modified_chmod","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ld1-hxu-zdf","attributes":{"version":1,"name":"nick_new_java_detect_with_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"foogazi\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z0y-kio-bf4","attributes":{"version":1,"name":"kernel_module_open","description":"A new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xtf-uqt-mh0","attributes":{"version":1,"name":"common_net_intrusion_util","description":"A network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", 
\"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l5b-qmr-hi6","attributes":{"version":1,"name":"ssh_authorized_keys_utimes","description":"SSH modified keys may have been modified","expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qa1-stp-xpl","attributes":{"version":1,"name":"open_msr_writes","description":"A process opened a model-specific register (MSR) configuration file","expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cwr-kgl-5xs","attributes":{"version":1,"name":"credential_modified_chown","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", 
\"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"am6-icr-cgg","attributes":{"version":1,"name":"package_management_in_container","description":"Package management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esx-z8e-qcs","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot registry modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sdk-dp7-vt0","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A Jupyter notebook executed a shell","expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnz-ezh-lyu","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjo-mdq-mi1","attributes":{"version":1,"name":"dynamic_linker_config_unlink","description":"A process unlinked a dynamic linker config file","expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psf-hiy-3ji","attributes":{"version":1,"name":"scheduled_task_creation","description":"A scheduled task was created","expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] && exec.cmdline =~ \"*create*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6vb-fkj-cdc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ktg-ng9-izk","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory == true && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0qf-cha-qci","attributes":{"version":1,"name":"java_shell_execution_parent","description":"A java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in 
[ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/s
ha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n&& process.parent.file.name in [\"java\", \"jspawnhelper\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gz3-l4z-bzr","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local account groups were enumerated after container start up","expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hob-7or-knu","attributes":{"version":1,"name":"python_cli_code","description":"Python code was provided on the command line","expression":"exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"buh-tbl-6k1","attributes":{"version":1,"name":"pci_11_5_critical_binaries_link","description":"Critical system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521243,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 157.204709ms
+ duration: 197.368917ms
- id: 7
request:
proto: HTTP/1.1
@@ -254,24 +258,24 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/55r-kwq-jsc
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- transfer_encoding:
- - chunked
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
+ transfer_encoding: []
trailer: {}
content_length: -1
- uncompressed: false
- body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}'
+ uncompressed: true
+ body: |
+ {"data":{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"}}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 133.282208ms
+ duration: 150.064042ms
- id: 8
request:
proto: HTTP/1.1
@@ -288,92 +292,25 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
- content_length: 420
- uncompressed: false
- body: '{"data":{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
- headers:
- Content-Type:
- - application/json
- status: 200 OK
- code: 200
- duration: 150.326625ms
- - id: 9
- request:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- content_length: 0
- transfer_encoding: []
- trailer: {}
- host: api.datadoghq.com
- remote_addr: ""
- request_uri: ""
- body: ""
- form: {}
- headers:
- Accept:
- - application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
- method: GET
- response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- transfer_encoding:
- - chunked
- trailer: {}
content_length: -1
- uncompressed: false
- body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}'
- headers:
- Content-Type:
- - application/json
- status: 200 OK
- code: 200
- duration: 158.481ms
- - id: 10
- request:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- content_length: 0
- transfer_encoding: []
- trailer: {}
- host: api.datadoghq.com
- remote_addr: ""
- request_uri: ""
- body: ""
- form: {}
- headers:
- Accept:
- - application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
- method: GET
- response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
- transfer_encoding:
- - chunked
- trailer: {}
- content_length: -1
- uncompressed: false
- body: '{"data":[{"id":"13y-c2p-ddm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435254000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":false,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"jsgajmagfh","updateDate":1710435254000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == \"linux\""],"name":"auditctl_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == 
\"linux\""],"name":"auditd_config_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An AWS IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"name":"aws_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"name":"azure_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == 
\"windows\""],"name":"certutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A newly created file contacted a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"] \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.change_time \u003c 60s","filters":["os == \"linux\""],"name":"chatroom_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"name":"common_net_intrusion_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", 
\"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"name":"compiler_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ 
\"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", 
~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"name":"cryptominer_envs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"curl_docker_socket","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == 
\"linux\""],"name":"dirty_pipe_attempt","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"name":"exec_whoami","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == \"linux\""],"name":"exec_wrmsr","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == \"linux\""],"name":"executable_bit_added","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"name":"gcp_imds","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"interactive_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ip_check_domain","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress traffic allowed using 
iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"name":"iptables_egress_allowed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == \"linux\""],"name":"jupyter_shell_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", 
\"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == \"linux\""],"name":"kernel_module_load","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"name":"kernel_msr_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in 
[~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","filters":["os == \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"name":"looney_tunables_exploit","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from 
comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path =~ \"/proc/*\" \u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == \"linux\""],"name":"net_file_download","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-0ra","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"name":"net_util_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"name":"offensive_k8s_tool","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child 
process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"name":"omigod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-k6i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package management was detected in a conatiner outside of container start_up","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] 
\u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"package_management_in_container_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pam_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) 
\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"paste_site","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical system binaries may have been 
modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes were listed using the ps command","enabled":true,"expression":"exec.comm == \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os == \"linux\""],"name":"ps_discovery","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"ptrace_antidebug","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == \"linux\""],"name":"python_cli_code","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"rc_scripts_modified","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"name":"read_kubeconfig","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os == \"linux\""],"name":"read_release_info","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"runc_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == \"linux\""],"name":"sensitive_tracing","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"shell_history_deleted","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == \"linux\""],"name":"shell_history_symlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", 
~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != 
chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 
process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path 
!= \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1707493323000,"updater":{"name":"Detection 
Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"suspicious_container_client","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != 
\"\" \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_open","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_unlink","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_utimes","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n 
\"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args in [r\".*(-L|-C|-R).*\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args in [r\".*(-R|-L|-D|w).*\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args in [r\".*(-r|--remote|-l|--listen).*\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"name":"tunnel_traffic","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"user_deleted_tty","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1707493323000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"name":"wmi_spawning_shell","updateDate":1707493323000,"updater":{"name":"Detection Engineer","handle":""}}}]}'
+ uncompressed: true
+ body: |
+ {"data":[{"id":"55r-kwq-jsc","attributes":{"version":1,"name":"ztfkbnhtzk","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295127867,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295127867,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"vg6-omq-vv4","attributes":{"version":1,"name":"wawhgdyumt","description":"im a rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747295102041,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747295102041,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"3yb-106-xrm","attributes":{"version":3,"name":"my_terraform_rule2","description":"my terraform rule","expression":"bind.addr.ip==1.6.1.9","category":"Kernel Activity","defaultRule":false,"enabled":false,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747140640989,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747141373736,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"rtp-dom-1am","attributes":{"version":1,"name":"agent_rule2","description":"My Agent 
rule","expression":"open.file.name == \"etc/shadow/password\"","category":"File Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","creationDate":1747062863277,"updateAuthorUuId":"a54eca49-cf2e-11ef-8941-5e02e132a7ae","updateDate":1747062863277,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"},"updater":{"name":"Quentin Guillard","handle":"quentin.guillard@datadoghq.com"}},"type":"agent_rule"},{"id":"1vs-h3p-spa","attributes":{"version":1,"name":"000000bangtestnumber","description":"should_work_with_number","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702433529,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":60000000,"append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g5c-vnp-xf2","attributes":{"version":1,"name":"000000bangtest","description":"should_work_with_string","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743702410743,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d4v-xci-tzk","attributes":{"version":1,"name":"000000second","description":"ahahaha","expression":"open.file.path in 
[~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.file.path not in ${processes_accessing}","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1743701600763,"filters":[],"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","ttl":"60s","append":true}}],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"by5-5gy-ajb","attributes":{"version":2,"name":"kernel_module_load","description":"A kernel module was loaded","expression":"load_module.loaded_from_memory == false && load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737734329380,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c5x-fzi-cfu","attributes":{"version":2,"name":"known_dll_registry_key_modified","description":"Windows Known DLLs location registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1737044905726,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fcw-skn-8l6","attributes":{"version":1,"name":"shell_net_connection","description":"A shell made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980532395,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jwd-mhg-rzc","attributes":{"version":1,"name":"interpreter_outbound_connection","description":"An interpreter made an outbound network connection","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && process.file.name in [~\"python2*\", ~\"python3*\", \"node\", \"perl\", ~\"ruby*\"]","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980527270,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7k7-mzh-fhj","attributes":{"version":1,"name":"irc_connection","description":"A process made an outbound IRC connection","expression":"connect.addr.port == 6667 && connect.addr.is_public == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980517121,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gff-p0p-hzz","attributes":{"version":1,"name":"p2pinfect_connection","description":"A process made a connection to a port associated with P2PInfect malware","expression":"connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.is_public == true && connect.addr.port >= 60100 && connect.addr.port <= 60150","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736980466118,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0yh-tmv-2ir","attributes":{"version":1,"name":"socat_shell","description":"Process arguments indicating possible socat shell detected","expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) && exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536410363,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zwp-lhw-osb","attributes":{"version":1,"name":"udev_modification","description":"Device rule 
created","expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] && open.flags & O_CREAT > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405283,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"p4u-oh0-avq","attributes":{"version":1,"name":"devshm_execution","description":"A file executed from /dev/shm/ directory","expression":"exec.file.path == \"/dev/shm/**\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536405258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jdx-661-6he","attributes":{"version":1,"name":"ssh_nonstandard_connection","description":"SSH initiated a connection on a nonstandard port","expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] && process.file.name == \"ssh\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395054,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ozf-woz-u9t","attributes":{"version":2,"name":"libpam_ebpf_hook","description":"Library libpam.so hooked using eBPF","expression":"bpf.cmd == BPF_MAP_CREATE && process.args in [r\"libpam\\.so\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536395021,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k02-h52-5kl","attributes":{"version":1,"name":"overwrite_entrypoint","description":"A process attempted to 
overwrite the container entrypoint","expression":"open.file.path == \"/proc/self/fd/1\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0 && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389957,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qwh-aci-cax","attributes":{"version":2,"name":"cron_at_job_creation_open","description":"An unauthorized job was added to cron scheduling","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536389882,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cvg-paj-akm","attributes":{"version":2,"name":"cron_at_job_creation_chown","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536379705,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ecq-lqb-dko","attributes":{"version":1,"name":"find_credentials","description":"find command searching for sensitive files","expression":"exec.comm == \"find\" && exec.args in [~\"*credentials*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374661,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jig-hjw-dqq","attributes":{"version":1,"name":"webdriver_spawned_shell","description":"Browser WebDriver spawned shell","expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] && exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374638,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cjg-f8o-kp3","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" && process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", 
\"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536374597,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-5ct-v09","attributes":{"version":1,"name":"netcat_shell","description":"Process arguments indicating possible netcat shell detected","expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] && ((exec.args_flags in [\"l\"] && exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] && exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536369507,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qyq-78u-ql6","attributes":{"version":1,"name":"cups_spawned_shell","description":"Shell process spawned from print server","expression":"exec.file.name != \"\" && process.parent.file.name == \"foomatic-rip\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364424,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdw-b2j-bpy","attributes":{"version":1,"name":"debugfs_in_container","description":"The debugfs was executed in a container","expression":"exec.comm == \"debugfs\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536364396,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dt3-f0b-e8d","attributes":{"version":1,"name":"webapp_imds_V1_request","description":"Web application requested IMDSv1 credentials","expression":"imds.aws.is_imds_v2 == false && imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" && (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359279,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dat-hhr-7xk","attributes":{"version":2,"name":"cron_at_job_creation_link","description":"An unauthorized job was added to cron scheduling","expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536359258,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-hyn-s1j","attributes":{"version":1,"name":"release_agent_escape","description":"Container escape attempted by overwriting release_agent","expression":"open.file.name == \"release_agent\" && 
open.file.path in [\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354195,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vvo-iqz-sr2","attributes":{"version":1,"name":"file_sync_exfil","description":"The rclone utility was executed","expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536354189,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ctm-jbt-ag7","attributes":{"version":1,"name":"unshare_in_container","description":"The unshare utility was executed in a container","expression":"exec.comm == \"unshare\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349072,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rhn-60e-ocl","attributes":{"version":2,"name":"iptables_egress_allowed","description":"Egress traffic allowed using iptables","expression":"exec.comm == \"iptables\" && process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] && process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536349046,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ol8-rm4-6j5","attributes":{"version":1,"name":"aws_cli_usage","description":"The AWS CLI utility was executed","expression":"exec.file.name == \"aws\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343955,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"956-hlb-btg","attributes":{"version":1,"name":"php_shell","description":"Process arguments indicating possible php shell detected","expression":"exec.file.name == \"php\" && exec.args_flags in [\"r\"] && ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343942,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gu9-82k-92p","attributes":{"version":2,"name":"cron_at_job_creation_chmod","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536343900,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oad-qwd-via","attributes":{"version":2,"name":"compile_after_delivery","description":"A compiler wrote a suspicious file in a container","expression":"open.flags & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536323502,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vx6-cyx-ksx","attributes":{"version":1,"name":"openssl_backdoor","description":"openssl used to establish backdoor","expression":"exec.comm == \"openssl\" && exec.args =~ \"*s_client*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318450,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4p-qiy-v1g","attributes":{"version":2,"name":"compiler_in_container","description":"A compiler was executed inside of a container","expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" && exec.args in 
[~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536318401,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n17-fnl-a6b","attributes":{"version":1,"name":"mount_in_container","description":"The mount utility was executed in a container","expression":"exec.comm == \"mount\" && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313319,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ylt-39s-jwc","attributes":{"version":2,"name":"cron_at_job_creation_unlink","description":"An unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536313305,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyp-ktn-4kd","attributes":{"version":1,"name":"nsenter_in_container","description":"nsenter used to breakout of container","expression":"exec.file.name == \"nsenter\" && exec.args_options in [\"target=1\", \"t=1\"] && container.id != \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308211,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mp4-mte-fr7","attributes":{"version":1,"name":"ssh_outbound_connection","description":"A process connected to an SSH server","expression":"connect.addr.port == 22 && connect.addr.family & (AF_INET|AF_INET6) > 0 && connect.addr.ip not in [127.0.0.0/8]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308194,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jix-kop-8dg","attributes":{"version":2,"name":"ransomware_note","description":"Possible ransomware note created under common user directories","expression":"open.flags & O_CREAT > 0\n&& open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n&& open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] && open.file.name not in [r\"\\.lock$\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536308136,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x0q-bqb-eo1","attributes":{"version":2,"name":"windows_cryptominer_process","description":"A cryptominer was potentially executed","expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536303070,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"txo-xll-se0","attributes":{"version":2,"name":"suspicious_dll_write","description":"Dll written to a suspicious directory","expression":"create.file.name =~ \"*.dll\" && create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] && process.file.name != \"dockerd.exe\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536297939,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zig-zjk-wem","attributes":{"version":1,"name":"perl_shell","description":"Process arguments indicating possible perl bind shell detected","expression":"exec.file.name == ~\"perl*\" && exec.args_flags in [\"e\"] && ((exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"]) || (exec.args in [~\"*/bin/sh*\", ~\"*/bin/bash*\"]))","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292914,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qfj-nw1-1zg","attributes":{"version":1,"name":"modified_file_requesting_imds_creds","description":"Recently modified file requested credentials from IMDS","expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" && (process.parent.file.modification_time < 120s || process.file.modification_time < 30s)","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536292897,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhp-mh7-pgn","attributes":{"version":2,"name":"cron_at_job_creation_rename","description":"An unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287823,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ers-kyx-kaq","attributes":{"version":2,"name":"cron_at_job_creation_utimes","description":"An unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1736536287800,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sjm-2is-v4s","attributes":{"version":1,"name":"tar_execution","description":"Tar archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xhr-7kq-dpo","attributes":{"version":1,"name":"user_deleted_tty","description":"A user was deleted via an interactive session","expression":"exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d0z-hzd-y7v","attributes":{"version":1,"name":"cryptominer_envs","description":"Process environment variables match cryptocurrency miner","expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eav-mud-yh0","attributes":{"version":1,"name":"credential_modified_utimes","description":"Sensitive credential files were modified using a non-standard 
tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"g2j-1lc-iub","attributes":{"version":1,"name":"kernel_module_chown","description":"A new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5x8-617-k9v","attributes":{"version":1,"name":"chaussette","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cdy-4sl-0vh","attributes":{"version":1,"name":"dirty_pipe_exploitation","description":"Potential Dirty pipe exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8fk-hlc-jgx","attributes":{"version":1,"name":"registry_hives_file_path_key_modified","description":"Windows registry hives file location key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ggj-tkx-3i5","attributes":{"version":1,"name":"windows_hosts_file_modified","description":"the windows hosts file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hmg-jnt-cra","attributes":{"version":1,"name":"kernel_module_link","description":"A new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"b7q-33d-ehp","attributes":{"version":1,"name":"inveigh_tool_usage","description":"Process executed with arguments common with Inveigh tool usage","expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdj-3ys-gul","attributes":{"version":1,"name":"redis_sandbox_escape","description":"Detects CVE-2022-0543","expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" && open.file.name in 
[\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) && process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kof-qfg-4z7","attributes":{"version":1,"name":"certutil_usage","description":"Certutil was executed to transmit or decode a potentially malicious file","expression":"exec.file.name == \"certutil.exe\" && ((exec.cmdline =~ \"*urlcache*\" && exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521303,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"u0y-4yq-w99","attributes":{"version":1,"name":"pwnkit_privilege_escalation","description":"A process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yyp-3qo-77g","attributes":{"version":1,"name":"pci_11_5_critical_binaries_utimes","description":"Critical system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n 
&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ijj-sdz-ghy","attributes":{"version":1,"name":"nick_new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjg-ztr-xts","attributes":{"version":1,"name":"suspicious_ntdsutil_usage","description":"Suspicious usage of ntdsutil","expression":"exec.file.name == \"ntdsutil.exe\" && exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fqj-dnw-hmo","attributes":{"version":1,"name":"kernel_module_unlink","description":"A new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4nd-g5m-1xh","attributes":{"version":1,"name":"mount_proc_hide","description":"Process hidden using mount","expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wui-ktw-zwv","attributes":{"version":1,"name":"pam_modification_utimes","description":"PAM may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yrc-jyx-l5i","attributes":{"version":1,"name":"tty_shell_in_container","description":"A shell with a TTY was executed in a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqh-8ry-vsb","attributes":{"version":1,"name":"pam_modification_link","description":"PAM may have been modified without authorization","expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n4m-q5y-yhu","attributes":{"version":1,"name":"ssl_certificate_tampering_unlink","description":"SSL certificates may have been tampered with","expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" 
])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8i4-ehq-i3p","attributes":{"version":1,"name":"gcp_imds","description":"An GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fje-48p-1n8","attributes":{"version":1,"name":"ssh_authorized_keys_unlink","description":"SSH modified keys may have been modified","expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"luu-gor-cgb","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"89r-spf-prk","attributes":{"version":1,"name":"credential_modified_open_v2","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"490-ewn-i16","attributes":{"version":1,"name":"chatroom_request","description":"A DNS request was made for a chatroom domain","expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vzm-iv2-vhs","attributes":{"version":1,"name":"windows_test_default_rule","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pyu-xzd-leo","attributes":{"version":1,"name":"user_created_tty","description":"A user was created via an interactive session","expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in [\"D\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdm-kv0-gca","attributes":{"version":1,"name":"net_file_download","description":"A suspicious file was written by a network utility","expression":"open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5ts-w6u-tfl","attributes":{"version":1,"name":"registry_runkey_modified","description":"A Registry runkey has been modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521302,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jgi-rfz-rlb","attributes":{"version":1,"name":"pam_modification_unlink","description":"PAM may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"coy-qpb-suv","attributes":{"version":1,"name":"credential_modified_unlink","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-9tn-irt","attributes":{"version":1,"name":"ssl_certificate_tampering_link","description":"SSL certificates may have been tampered with","expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", 
~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dig-cav-hhc","attributes":{"version":1,"name":"kmod_list","description":"Kernel modules were listed using the kmod command","expression":"exec.comm == \"kmod\" && exec.args in [~\"*list*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jlg-roy-9zx","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The auditd rules file was modified without using auditctl","expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"v83-av9-xuy","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rnj-nwd-n5v","attributes":{"version":1,"name":"procdump_usage","description":"Testing a default windows agent rule","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pjn-4hr-bot","attributes":{"version":1,"name":"suspicious_suid_execution","description":"Recently written or modified suid file has been executed","expression":"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-ud8-qzq","attributes":{"version":1,"name":"net_util_exfiltration","description":"Exfiltration attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4jd-zjb-ybo","attributes":{"version":1,"name":"shell_history_symlink","description":"A symbolic link for shell history was created targeting /dev/null","expression":"exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"can-pva-exd","attributes":{"version":1,"name":"suspicious_container_client","description":"A container management utility was executed in a container","expression":"exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bb8-sg5-ful","attributes":{"version":1,"name":"kernel_module_load_container","description":"A 
container loaded a new kernel module","expression":"load_module.name != \"\" && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yzz-sm2-0ff","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chmod","description":"Critical system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nx-gb8-9t4","attributes":{"version":1,"name":"rc_scripts_modified","description":"RC scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"npo-tkf-eex","attributes":{"version":1,"name":"pam_modification_chmod","description":"PAM may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gw4-kqw-q1l","attributes":{"version":1,"name":"new_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":[],"actions":[],"agentConstraint":">= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atm-kqf-qa2","attributes":{"version":1,"name":"systemd_modification_chmod","description":"A service may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521301,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oqc-9gu-uq5","attributes":{"version":1,"name":"ssl_certificate_tampering_utimes","description":"SSL certificates may have been tampered with","expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cfe-7qi-s5j","attributes":{"version":1,"name":"pci_11_5_critical_binaries_unlink","description":"Critical system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bqm-bp1-dpv","attributes":{"version":1,"name":"nsswitch_conf_mod_link","description":"nsswitch may have been modified without authorization","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nah-p3m-dgh","attributes":{"version":1,"name":"database_shell_execution","description":"A database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name == \"initdb\" &&\nexec.args == \"-c locale -a\") 
&&\n!(process.parent.file.name == \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4mm-9uv-w3t","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6q-hmw-lae","attributes":{"version":1,"name":"auditd_config_modified","description":"The auditd configuration file was modified without using auditctl","expression":"open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"brz-yda-nve","attributes":{"version":1,"name":"ssh_authorized_keys_link","description":"SSH modified keys may have been modified","expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4be-qms-wyo","attributes":{"version":1,"name":"windows_update_registry_key_modified","description":"Windows update registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ttl-6wn-1ke","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The configuration directory for an ssh worm","expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n0c-0if-hne","attributes":{"version":1,"name":"nsswitch_conf_mod_chmod","description":"nsswitch may have been modified without authorization","expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ryr-yxl-ilk","attributes":{"version":1,"name":"nsswitch_conf_mod_utimes","description":"nsswitch may have been modified without authorization","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"61g-xow-oup","attributes":{"version":1,"name":"nsswitch_conf_mod_chown","description":"nsswitch may have been modified without authorization","expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"es9-b6s-upq","attributes":{"version":1,"name":"ssl_certificate_tampering_open_v2","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"\n&& container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x79-zfs-0ix","attributes":{"version":1,"name":"omigod","description":"Omiagent spawns a privileged child process","expression":"exec.uid >= 0 && process.ancestors.file.name == \"omiagent\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ks-vsd-y6y","attributes":{"version":1,"name":"ssl_certificate_tampering_open","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521300,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zb2-wpx-aff","attributes":{"version":1,"name":"new_binary_execution_in_container","description":"A container executed a new binary not found in the container image","expression":"container.id != \"\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"k6c-tqa-hjv","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uwk-qfs-oqe","attributes":{"version":1,"name":"kernel_module_chmod","description":"A new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"czs-lbr-7k2","attributes":{"version":1,"name":"ptrace_antidebug","description":"A process uses an anti-debugging technique to block debuggers","expression":"ptrace.request == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bpu-wji-3ed","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jch-xfg-uak","attributes":{"version":1,"name":"nsswitch_conf_mod_unlink","description":"nsswitch may have been modified without authorization","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yue-sj6-ucc","attributes":{"version":1,"name":"ssl_certificate_tampering_rename","description":"SSL certificates may have been tampered 
with","expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rp7-w2i-wnj","attributes":{"version":1,"name":"credential_modified_link","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mcj-rg7-foe","attributes":{"version":1,"name":"credential_modified_rename","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yu3-bwu-ji4","attributes":{"version":1,"name":"nick_new_java_detect_with_real_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":[],"actions":[],"agentConstraint":">= 
7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jcr-yly-myj","attributes":{"version":1,"name":"ssl_certificate_tampering_chown","description":"SSL certificates may have been tampered with","expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llc-wxw-5uh","attributes":{"version":1,"name":"dirty_pipe_attempt","description":"Potential Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x7k-bop-jcu","attributes":{"version":1,"name":"windows_com_rpc_debugging_registry_key_modified","description":"Windows RPC COM debugging registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ypb-aen-wts","attributes":{"version":1,"name":"mount_host_fs","description":"The host file system was mounted in a container","expression":"mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521299,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zjd-e62-fkk","attributes":{"version":1,"name":"release_agent_container_breakout","description":"A process attempted to write to the release_agent file of a cgroup, indicating a potential container breakout attempt","expression":"container.id != \"\" && open.file.name == \"release_agent\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1646684459816,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgc-7yd-gpm","attributes":{"version":1,"name":"pci_11_5_critical_binaries_rename","description":"Critical system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bue-96a-bwo","attributes":{"version":1,"name":"pam_modification_rename","description":"PAM may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nue-ulh-gxb","attributes":{"version":1,"name":"aws_imds","description":"An AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", 
~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"55u-gp9-m0k","attributes":{"version":1,"name":"invalid_agent_constraint","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":[],"actions":[],"agentConstraint":"0.0.0 >= 7.0.0","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8og-5of-lw8","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A known kubernetes pentesting tool has been executed","expression":"(exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdj-qws-x9g","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqf-gv4-huh","attributes":{"version":1,"name":"windows_test_default_rule_b","description":"Execution of a java process on windows","expression":"exec.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jji-uaq-xqi","attributes":{"version":1,"name":"net_util_in_container","description":"A network utility was executed in a container","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tj0-f4s-grz","attributes":{"version":1,"name":"pam_modification_chown","description":"PAM may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmg-bkt-mx4","attributes":{"version":1,"name":"exec_whoami","description":"The whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ao4-966-ahr","attributes":{"version":1,"name":"sensitive_tracing","description":"A process is tracing privileged processes or sshd for possible credential dumping","expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) && ptrace.tracee.euid == 0 && process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mrk-tku-sbc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_chown","description":"Critical system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nk2-hcg-hf5","attributes":{"version":1,"name":"kernel_module_load_from_memory","description":"A kernel module was loaded from memory","expression":"load_module.loaded_from_memory == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hau-g4f-zzo","attributes":{"version":1,"name":"apparmor_modified_tty","description":"An AppArmor profile was modified in an interactive session","expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gp-zoy-gyb","attributes":{"version":1,"name":"runc_leaky_fd","description":"The container breakout CVE-2024-21626 was successful","expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" && chdir.file.path == \"/sys/fs/cgroup\" && process.file.name =~ \"runc.*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wqb-yxc-mtb","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vpa-xoh-cia","attributes":{"version":1,"name":"procdump_execution","description":"A tool used to dump process memory has been executed","expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlv-1qs-cjz","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers policy file may have been modified without authorization","expression":"(\n 
(rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"itl-shq-qre","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521298,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpl-fno-4u3","attributes":{"version":1,"name":"aws_eks_service_account_token_accessed","description":"The AWS EKS service account token was accessed","expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", 
~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3vq-bya-qsj","attributes":{"version":1,"name":"windows_security_essentials_executable_modified","description":"microsoft security essentials executable modified","expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"08i-pvz-95h","attributes":{"version":1,"name":"crackmap_exec_executed","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpx-hnf-bc6","attributes":{"version":1,"name":"critical_registry_export","description":"regedit used to export critical registry hive","expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] && exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aoh-97n-qus","attributes":{"version":1,"name":"redis_save_module","description":"Redis module 
has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tqg-9ps-mhw","attributes":{"version":1,"name":"passwd_execution","description":"The passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in [\"S\", \"status\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j4r-2xn-ha0","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers policy file may have been modified without authorization","expression":"(open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"azw-x88-p7j","attributes":{"version":1,"name":"kubernetes_dns_enumeration","description":"Kubernetes DNS enumeration","expression":"dns.question.name == 
\"any.any.svc.cluster.local\" && dns.question.type == SRV && container.id != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vma-bsh-4d1","attributes":{"version":1,"name":"kernel_msr_write","description":"A process attempted to enable writing to model-specific registers","expression":"exec.comm == \"modprobe\" && process.args =~ \"*msr*allow_writes*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aed-rue-lpr","attributes":{"version":1,"name":"ip_check_domain","description":"A DNS lookup was done for a IP check service","expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"stp-dwk-4j7","attributes":{"version":1,"name":"delete_system_log","description":"A process deleted common system log files","expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4s4-ezo-w7q","attributes":{"version":1,"name":"dynamic_linker_config_write","description":"A process wrote to a dynamic linker config file","expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gdc-uhk-mtc","attributes":{"version":1,"name":"ssh_authorized_keys_open","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rgq-fea-q99","attributes":{"version":1,"name":"windows_system_enviroment_variable_registry_key_modified","description":"Windows environment variable registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"n9y-2nc-no0","attributes":{"version":1,"name":"dotnet_dump_execution","description":"Dotnet_dump was used to dump a process memory","expression":"exec.cmdline =~ \"*dotnet-dump*\" && exec.cmdline =~ \"*collect*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r3m-72r-y8g","attributes":{"version":1,"name":"shell_history_truncated","description":"Shell History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && open.file.path in [~\"/root/*\", ~\"/home/**\"] && process.file.name == \"truncate\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zqc-vts-wok","attributes":{"version":1,"name":"nsswitch_conf_mod_open","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"usg-zrs-ckt","attributes":{"version":1,"name":"winlogon_registry_key_modified","description":"Windows winlogon registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x4t-j4v-l4r","attributes":{"version":1,"name":"windows_explorer_executable_modified","description":"windows explorer file has been modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9mk-a4g-rb5","attributes":{"version":1,"name":"crackmap_exec_usage","description":"Known offensive tool crackmap exec executed","expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cqr-wm9-cjl","attributes":{"version":1,"name":"systemd_modification_open","description":"A service may have been modified without authorization","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cxw-5gm-pid","attributes":{"version":1,"name":"curl_docker_socket","description":"The Docker socket was referenced in a cURL command","expression":"exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [~\"*docker.sock*\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gpf-aeq-icx","attributes":{"version":1,"name":"ssh_authorized_keys_chown","description":"SSH modified keys may have been modified","expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521297,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iqk-ui0-v8c","attributes":{"version":1,"name":"hidden_file_executed","description":"A hidden file was executed in a suspicious folder","expression":"exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"s1j-kv4-llt","attributes":{"version":1,"name":"selinux_disable_enforcement","description":"SELinux enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a9j-6xn-afo","attributes":{"version":1,"name":"sliver_c2_implant_execution","description":"process arguments match sliver c2 
implant","expression":"exec.cmdline =~ \"*NoExit *\" && exec.cmdline =~ \"*Command *\" && exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vb1-l7o-skr","attributes":{"version":1,"name":"ssl_certificate_tampering_chmod","description":"SSL certificates may have been tampered with","expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1or-3oo-rag","attributes":{"version":1,"name":"new_java_detect","description":"Execution of a new java process","expression":"exec.file.name == \"new_java\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qme-vau-bk4","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A web application spawned a shell or shell utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ft-hzb-mpc","attributes":{"version":1,"name":"critical_windows_files_modified","description":"a critical windows file was modified","expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hbd-kty-ixx","attributes":{"version":1,"name":"kernel_module_utimes","description":"A new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rly-bqo-sg1","attributes":{"version":1,"name":"systemd_modification_utimes","description":"A service may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eda-l1r-hrq","attributes":{"version":1,"name":"relay_attack_tool_execution","description":"Process matches known relay attack tool","expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rbo-40l-grx","attributes":{"version":1,"name":"net_unusual_request","description":"Network utility executed with suspicious URI","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gci-o39-u6v","attributes":{"version":1,"name":"read_kubeconfig","description":"The kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1uw-i6q-m5n","attributes":{"version":1,"name":"nsswitch_conf_mod_rename","description":"nsswitch may have been modified without authorization","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ynr-dvw-x2x","attributes":{"version":1,"name":"ssh_authorized_keys_rename","description":"SSH modified keys may have been modified","expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521296,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fme-ym2-lwi","attributes":{"version":1,"name":"systemd_modification_link","description":"A service may have been modified without authorization","expression":"(\n 
(link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tht-nwe-guf","attributes":{"version":1,"name":"k8s_pod_service_account_token_accessed","description":"The Kubernetes pod service account token was accessed","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] && process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", 
\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"a6d-gre-qls","attributes":{"version":1,"name":"service_stop","description":"systemctl used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ljs-qkf-c4r","attributes":{"version":1,"name":"pam_modification_open","description":"PAM may have been 
modified without authorization","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vhj-z63-abi","attributes":{"version":1,"name":"systemd_modification_chown","description":"A service may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pho-wta-zir","attributes":{"version":1,"name":"net_util","description":"A network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m36-fmz-1bi","attributes":{"version":1,"name":"executable_bit_added","description":"The executable bit was added to a newly created file","expression":"chmod.file.in_upper_layer &&\nchmod.file.change_time < 30s &&\ncontainer.id != \"\" &&\nchmod.file.destination.mode != chmod.file.mode &&\nchmod.file.destination.mode & S_IXUSR|S_IXGRP|S_IXOTH > 0 &&\nprocess.argv in [\"+x\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"5j0-kon-1hn","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hsw-h1t-p9n","attributes":{"version":1,"name":"suid_file_execution","description":"a SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"da1-a9j-tw9","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers policy file may have 
been modified without authorization","expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4tw-oex-wnc","attributes":{"version":1,"name":"cryptominer_args","description":"A process launched with arguments associated with cryptominers","expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uga-lal-zqb","attributes":{"version":1,"name":"php_spawning_shell","description":"PHP web application spawning shell","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"alv-iwj-sbs","attributes":{"version":1,"name":"systemd_modification_unlink","description":"A service may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nsy-20w-pj6","attributes":{"version":1,"name":"sharpup_tool_usage","description":"sharpup tool used for local privilege escalation","expression":"exec.file.name == \"sharpup.exe\" && exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mam-ir1-532","attributes":{"version":1,"name":"windows_cryptographic_blocking_policy_registry_key_modified","description":"Windows cryptographic blocking policy modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tn9-vck-we9","attributes":{"version":1,"name":"shell_history_deleted","description":"Shell History was Deleted","expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] && unlink.file.path in [~\"/root/**\", ~\"/home/**\"] && process.comm not in 
[\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ows-d9p-s2b","attributes":{"version":1,"name":"runc_modification","description":"The runc binary was modified in a non-standard way","expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"on3-qxk-zeh","attributes":{"version":1,"name":"paste_site","description":"A DNS lookup was done for a pastebin-like site","expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bdi-lzv-pki","attributes":{"version":1,"name":"azure_imds","description":"An Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qay-zpa-akb","attributes":{"version":1,"name":"rubeus_execution","description":"process arguments match rubeus credential theft tool","expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521295,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uty-ayo-tpv","attributes":{"version":1,"name":"wmi_spawning_shell","description":"Command executed via WMI","expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] && process.parent.file.name == \"WmiPrvSE.exe\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"icy-i3s-bvd","attributes":{"version":1,"name":"deploy_priv_container","description":"A privileged container was created","expression":"exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6du-s2a-foz","attributes":{"version":1,"name":"suspicious_bitsadmin_usage","description":"A suspicious bitsadmin command has been executed","expression":"exec.file.name == \"bitsadmin.exe\" && exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dco-vsp-sto","attributes":{"version":1,"name":"ssh_authorized_keys_chmod","description":"SSH modified keys may have been modified","expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fyc-tp1-xr1","attributes":{"version":1,"name":"windows_boot_registry_key_modified","description":"Windows boot registry key modified","expression":"set.registry.key_path in 
[~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pxm-cg7-96w","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bft-ikt-sfa","attributes":{"version":1,"name":"registry_service_runkey_modified","description":"Service registry runkey modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ydm-yqo-f9t","attributes":{"version":1,"name":"looney_tunables_exploit","description":"Looney Tunables (CVE-2023-4911) exploit attempted","expression":"exec.file.mode & S_ISUID > 0 && exec.file.uid == 0 && exec.uid != 0 && exec.envs in [~\"*GLIBC_TUNABLES*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpy-igs-bcp","attributes":{"version":1,"name":"windows_shell_folders_registry_key_modified","description":"Windows shell folders registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gyj-yid-n02","attributes":{"version":1,"name":"ptrace_injection","description":"A process attempted to inject code into another process","expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxe-vss-47x","attributes":{"version":1,"name":"windows_firewall_configuration_registry_key_modified","description":"Windows firewall configuration registry key modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zxv-eui-tgr","attributes":{"version":1,"name":"auditctl_usage","description":"The 
auditctl command was used to modify auditd","expression":"exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ccs-c0e-kx6","attributes":{"version":1,"name":"minidump_usage","description":"Process memory was dumped using the minidump function from comsvcs.dll","expression":"exec.cmdline =~ \"*MiniDump*\" && exec.cmdline =~ \"*comsvcs*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"we1-nic-zhp","attributes":{"version":1,"name":"base64_decode","description":"The base64 command was used to decode information","expression":"exec.file.name == \"base64\" && exec.args_flags in [\"d\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mjs-qml-f6e","attributes":{"version":1,"name":"systemd_modification_rename","description":"A service may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"elg-0ho-jjb","attributes":{"version":1,"name":"powershell_empire_uac_bypass","description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dzi-svp-ub2","attributes":{"version":1,"name":"memfd_create","description":"memfd object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path == \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"iv0-azx-iwi","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An interactive shell was started inside of a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n 
\"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mgb-ejl-c5b","attributes":{"version":1,"name":"kernel_module_rename","description":"A new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521294,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dug-aqp-7zn","attributes":{"version":1,"name":"exec_wrmsr","description":"The wrmsr program executed","expression":"exec.comm == \"wrmsr\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wrz-nq9-pi8","attributes":{"version":1,"name":"mining_pool_lookup","description":"A process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"01c-hgk-8x3","attributes":{"version":1,"name":"credential_modified_chmod","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ld1-hxu-zdf","attributes":{"version":1,"name":"nick_new_java_detect_with_agent_version","description":"Execution of a new java process","expression":"exec.file.name == \"foogazi\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"z0y-kio-bf4","attributes":{"version":1,"name":"kernel_module_open","description":"A new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"xtf-uqt-mh0","attributes":{"version":1,"name":"common_net_intrusion_util","description":"A network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", 
\"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"l5b-qmr-hi6","attributes":{"version":1,"name":"ssh_authorized_keys_utimes","description":"SSH modified keys may have been modified","expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qa1-stp-xpl","attributes":{"version":1,"name":"open_msr_writes","description":"A process opened a model-specific register (MSR) configuration file","expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cwr-kgl-5xs","attributes":{"version":1,"name":"credential_modified_chown","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", 
\"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"am6-icr-cgg","attributes":{"version":1,"name":"package_management_in_container","description":"Package management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"esx-z8e-qcs","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot registry modified","expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sdk-dp7-vt0","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A Jupyter notebook executed a shell","expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnz-ezh-lyu","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yjo-mdq-mi1","attributes":{"version":1,"name":"dynamic_linker_config_unlink","description":"A process unlinked a dynamic linker config file","expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psf-hiy-3ji","attributes":{"version":1,"name":"scheduled_task_creation","description":"A scheduled task was created","expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] && exec.cmdline =~ \"*create*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6vb-fkj-cdc","attributes":{"version":1,"name":"pci_11_5_critical_binaries_open","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521293,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ktg-ng9-izk","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory == true && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0qf-cha-qci","attributes":{"version":1,"name":"java_shell_execution_parent","description":"A java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in 
[ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/s
ha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n&& process.parent.file.name in [\"java\", \"jspawnhelper\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gz3-l4z-bzr","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local account groups were enumerated after container start up","expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hob-7or-knu","attributes":{"version":1,"name":"python_cli_code","description":"Python code was provided on the command line","expression":"exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521292,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"buh-tbl-6k1","attributes":{"version":1,"name":"pci_11_5_critical_binaries_link","description":"Critical system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1723206521243,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]}
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 123.345208ms
- - id: 11
+ duration: 172.904584ms
+ - id: 9
request:
proto: HTTP/1.1
proto_major: 1
@@ -389,24 +326,22 @@ interactions:
headers:
Accept:
- '*/*'
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/55r-kwq-jsc
method: DELETE
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
content_length: 0
uncompressed: false
body: ""
- headers:
- Content-Type:
- - application/json
+ headers: {}
status: 204 No Content
code: 204
- duration: 273.049167ms
- - id: 12
+ duration: 141.437458ms
+ - id: 10
request:
proto: HTTP/1.1
proto_major: 1
@@ -422,21 +357,21 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/13y-c2p-ddm
+ url: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/55r-kwq-jsc
method: GET
response:
- proto: HTTP/1.1
- proto_major: 1
- proto_minor: 1
+ proto: HTTP/2.0
+ proto_major: 2
+ proto_minor: 0
transfer_encoding: []
trailer: {}
- content_length: 44
- uncompressed: false
+ content_length: -1
+ uncompressed: true
body: |
- {"errors":[{"title":"failed to get rule"}]}
+ {"errors":["not_found(Agent rule not found: agentRuleId=55r-kwq-jsc)"]}
headers:
Content-Type:
- application/json
status: 404 Not Found
code: 404
- duration: 128.301417ms
+ duration: 139.559459ms
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze
index a64e5b270..7868ce357 100644
--- a/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.freeze
@@ -1 +1 @@
-2024-03-14T12:54:20.016507-04:00
\ No newline at end of file
+2025-05-22T10:38:29.722541+02:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml
index 0f5d4ae75..1567f41a1 100644
--- a/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRule_CreateAndUpdate.yaml
@@ -6,21 +6,21 @@ interactions:
proto: HTTP/1.1
proto_major: 1
proto_minor: 1
- content_length: 164
+ content_length: 140
transfer_encoding: []
trailer: {}
host: api.datadoghq.com
remote_addr: ""
request_uri: ""
body: |
- {"data":{"attributes":{"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","name":"txrpiwrxcp"},"type":"agent_rule"}}
+ {"data":{"attributes":{"description":"im a policy","enabled":true,"hostTags":["host_name:test_host"],"name":"mjmmwxercs"},"type":"policy"}}
form: {}
headers:
Accept:
- application/json
Content-Type:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
method: POST
response:
proto: HTTP/1.1
@@ -28,15 +28,15 @@ interactions:
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 419
+ content_length: 395
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260867,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260867,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"mjmmwxercs","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903111399,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 622.032292ms
+ duration: 841.974625ms
- id: 1
request:
proto: HTTP/1.1
@@ -53,7 +53,7 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
method: GET
response:
proto: HTTP/1.1
@@ -61,15 +61,15 @@ interactions:
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 419
+ content_length: 395
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"mjmmwxercs","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903111399,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 204.511083ms
+ duration: 443.38675ms
- id: 2
request:
proto: HTTP/1.1
@@ -86,7 +86,7 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
method: GET
response:
proto: HTTP/1.1
@@ -94,15 +94,15 @@ interactions:
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 419
+ content_length: 395
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"mjmmwxercs","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903111399,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 216.713042ms
+ duration: 396.779917ms
- id: 3
request:
proto: HTTP/1.1
@@ -119,7 +119,7 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
method: GET
response:
proto: HTTP/1.1
@@ -127,51 +127,51 @@ interactions:
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 419
+ content_length: 395
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435260000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"mjmmwxercs","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903111399,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 166.602958ms
+ duration: 378.898791ms
- id: 4
request:
proto: HTTP/1.1
proto_major: 1
proto_minor: 1
- content_length: 143
+ content_length: 238
transfer_encoding: []
trailer: {}
host: api.datadoghq.com
remote_addr: ""
request_uri: ""
body: |
- {"data":{"attributes":{"description":"updated agent rule for terraform provider test","enabled":true},"id":"253-34a-t2k","type":"agent_rule"}}
+ {"data":{"attributes":{"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","name":"mjmmwxercs","policy_id":"1jz-yq7-oge","product_tags":["compliance_framework:PCI-DSS"]},"type":"agent_rule"}}
form: {}
headers:
Accept:
- application/json
Content-Type:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
- method: PATCH
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ method: POST
response:
proto: HTTP/1.1
proto_major: 1
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 456
+ content_length: 504
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435263631,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903114478,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 528.792708ms
+ duration: 632.769625ms
- id: 5
request:
proto: HTTP/1.1
@@ -188,7 +188,7 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
method: GET
response:
proto: HTTP/1.1
@@ -196,15 +196,15 @@ interactions:
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 456
+ content_length: 504
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435263000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903114478,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 192.504541ms
+ duration: 321.259833ms
- id: 6
request:
proto: HTTP/1.1
@@ -221,7 +221,7 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
method: GET
response:
proto: HTTP/1.1
@@ -229,16 +229,250 @@ interactions:
proto_minor: 1
transfer_encoding: []
trailer: {}
- content_length: 456
+ content_length: 395
uncompressed: false
- body: '{"data":{"id":"253-34a-t2k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710435260000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"txrpiwrxcp","updateDate":1710435263000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}'
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":226,"name":"mjmmwxercs","policyVersion":"2","priority":1000000011,"ruleCount":227,"updateDate":1747903114478,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
headers:
Content-Type:
- application/json
status: 200 OK
code: 200
- duration: 229.127333ms
+ duration: 246.62375ms
- id: 7
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903114478,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 299.323917ms
+ - id: 8
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":226,"name":"mjmmwxercs","policyVersion":"2","priority":1000000011,"ruleCount":227,"updateDate":1747903114478,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 249.369792ms
+ - id: 9
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903114478,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 253.845917ms
+ - id: 10
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 219
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"updated agent rule for terraform provider test","enabled":true,"policy_id":"1jz-yq7-oge","product_tags":["compliance_framework:ISO-27799"]},"id":"wnb-ha7-wsh","type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh
+ method: PATCH
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 543
+ uncompressed: false
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:ISO-27799"],"updateDate":1747903117840,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 718.191042ms
+ - id: 11
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 543
+ uncompressed: false
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:ISO-27799"],"updateDate":1747903117840,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 296.889625ms
+ - id: 12
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"1jz-yq7-oge","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":226,"name":"mjmmwxercs","policyVersion":"3","priority":1000000011,"ruleCount":227,"updateDate":1747903117840,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 200.274542ms
+ - id: 13
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 543
+ uncompressed: false
+ body: '{"data":{"id":"wnb-ha7-wsh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903114478,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"updated agent rule for terraform provider test","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["1jz-yq7-oge"],"name":"mjmmwxercs","product_tags":["compliance_framework:ISO-27799"],"updateDate":1747903117840,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 298.105167ms
+ - id: 14
request:
proto: HTTP/1.1
proto_major: 1
@@ -254,7 +488,7 @@ interactions:
headers:
Accept:
- '*/*'
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
method: DELETE
response:
proto: HTTP/1.1
@@ -270,8 +504,41 @@ interactions:
- application/json
status: 204 No Content
code: 204
- duration: 485.813209ms
- - id: 8
+ duration: 621.174042ms
+ - id: 15
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-yq7-oge
+ method: DELETE
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 0
+ uncompressed: false
+ body: ""
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+ code: 204
+ duration: 607.786375ms
+ - id: 16
request:
proto: HTTP/1.1
proto_major: 1
@@ -287,7 +554,7 @@ interactions:
headers:
Accept:
- application/json
- url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/253-34a-t2k
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wnb-ha7-wsh?policy_id=1jz-yq7-oge
method: GET
response:
proto: HTTP/1.1
@@ -304,4 +571,4 @@ interactions:
- application/json
status: 404 Not Found
code: 404
- duration: 113.42125ms
+ duration: 260.435166ms
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRulesDataSource.freeze b/datadog/tests/cassettes/TestAccCSMThreatsAgentRulesDataSource.freeze
new file mode 100644
index 000000000..acfc1c18a
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRulesDataSource.freeze
@@ -0,0 +1 @@
+2025-05-22T10:43:36.121516+02:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsAgentRulesDataSource.yaml b/datadog/tests/cassettes/TestAccCSMThreatsAgentRulesDataSource.yaml
new file mode 100644
index 000000000..69cbd6d3d
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsAgentRulesDataSource.yaml
@@ -0,0 +1,542 @@
+---
+version: 2
+interactions:
+ - id: 0
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 140
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"im a policy","enabled":true,"hostTags":["host_name:test_host"],"name":"dxnfjxgrbm"},"type":"policy"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: POST
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ae9-ca1-p8y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"dxnfjxgrbm","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903418032,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 755.874917ms
+ - id: 1
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 238
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","name":"dxnfjxgrbm","policy_id":"ae9-ca1-p8y","product_tags":["compliance_framework:PCI-DSS"]},"type":"agent_rule"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
+ method: POST
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 690.576833ms
+ - id: 2
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hop-hlk-ktz?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 292.9505ms
+ - id: 3
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ae9-ca1-p8y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":226,"name":"dxnfjxgrbm","policyVersion":"2","priority":1000000011,"ruleCount":227,"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 580.064041ms
+ - id: 4
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hop-hlk-ktz?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 822.509416ms
+ - id: 5
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ae9-ca1-p8y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":226,"name":"dxnfjxgrbm","policyVersion":"2","priority":1000000011,"ruleCount":227,"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 477.002875ms
+ - id: 6
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hop-hlk-ktz?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 310.709917ms
+ - id: 7
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in 
[ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find command searching for sensitive files","enabled":true,"expression":"exec.comm == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation 
attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows environment variable registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n 
\"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/b
in/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the windows hosts file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The rclone utility was executed","enabled":true,"expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000},"disabled":false}],"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDSv1 request was issued","disabled":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"enabled":false,"expression":"imds.cloud_provider == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) 
\u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name == \"release_agent\" \u0026\u0026 open.file.path in 
[\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The unshare utility was executed in a container","enabled":true,"expression":"exec.comm == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] 
\u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device rule 
created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service registry runkey modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [~\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"curl_docker_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process connected to an SSH server","enabled":true,"expression":"connect.addr.port == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows boot registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft security essentials executable modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll written to a suspicious directory","enabled":true,"expression":"create.file.name =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name != \"dockerd.exe\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump was used to dump a process memory","enabled":true,"expression":"exec.cmdline =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n 
(open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 
process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell process spawned from print server","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An Azure IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" 
])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter used to breakout of container","enabled":true,"expression":"exec.file.name == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows explorer file has been modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a critical windows file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port \u003c= 60150","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The 
configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", 
\"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell made an outbound network connection","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] \u0026\u0026 connect.addr.is_public == true","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","append":true,"ttl":60000000000},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"]\n\u0026\u0026 open.file.name == \"token\"\n\u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]\n\u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"]\n\u0026\u0026 process.file.path not in ${processes_accessing}\n\u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"k8s_pod_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently modified file requested credentials from IMDS","enabled":true,"expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path 
in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit used to export critical registry hive","enabled":true,"expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", 
~\"*security*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows registry hives file location key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows shell folders registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", 
~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows update registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS CLI utility was executed","enabled":true,"expression":"exec.file.name == \"aws\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP web application spawning shell","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The debugfs was executed in a container","enabled":true,"expression":"exec.comm == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot registry 
modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 
(open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process matches known relay attack tool","enabled":true,"expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", 
\"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c 
locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block 
debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl executed with suspicious argument","enabled":true,"expression":"exec.file.name == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A scheduled task was 
created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ 
\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path == \"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 
process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The mount utility was executed in a container","enabled":true,"expression":"exec.comm == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows winlogon registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup tool used for local privilege escalation","enabled":true,"expression":"exec.file.name == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", 
~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n 
\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 4.953237083s
+ - id: 8
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in 
[ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find command searching for sensitive files","enabled":true,"expression":"exec.comm == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation 
attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows environment variable registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n 
\"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/b
in/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the windows hosts file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The rclone utility was executed","enabled":true,"expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000},"disabled":false}],"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDSv1 request was issued","disabled":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"enabled":false,"expression":"imds.cloud_provider == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) 
\u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name == \"release_agent\" \u0026\u0026 open.file.path in 
[\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The unshare utility was executed in a container","enabled":true,"expression":"exec.comm == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] 
\u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device rule 
created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service registry runkey modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [~\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"curl_docker_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process connected to an SSH server","enabled":true,"expression":"connect.addr.port == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows boot registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft security essentials executable modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll written to a suspicious directory","enabled":true,"expression":"create.file.name =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name != \"dockerd.exe\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump was used to dump a process memory","enabled":true,"expression":"exec.cmdline =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n 
(open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 
process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell process spawned from print server","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An Azure IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" 
])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter used to breakout of container","enabled":true,"expression":"exec.file.name == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows explorer file has been modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a critical windows file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port \u003c= 60150","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The 
configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", 
\"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell made an outbound network connection","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] \u0026\u0026 connect.addr.is_public == true","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","append":true,"ttl":60000000000},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"]\n\u0026\u0026 open.file.name == \"token\"\n\u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]\n\u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"]\n\u0026\u0026 process.file.path not in ${processes_accessing}\n\u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"k8s_pod_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently modified file requested credentials from IMDS","enabled":true,"expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path 
in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit used to export critical registry hive","enabled":true,"expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", 
~\"*security*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows registry hives file location key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows shell folders registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", 
~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows update registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS CLI utility was executed","enabled":true,"expression":"exec.file.name == \"aws\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP web application spawning shell","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The debugfs was executed in a container","enabled":true,"expression":"exec.comm == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot registry 
modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 
(open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process matches known relay attack tool","enabled":true,"expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", 
\"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c 
locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block 
debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl executed with suspicious argument","enabled":true,"expression":"exec.file.name == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A scheduled task was 
created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ 
\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path == \"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 
process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The mount utility was executed in a container","enabled":true,"expression":"exec.comm == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows winlogon registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup tool used for local privilege escalation","enabled":true,"expression":"exec.file.name == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", 
~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n 
\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 4.534110791s
+ - id: 9
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in 
[ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find command searching for sensitive files","enabled":true,"expression":"exec.comm == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation 
attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows environment variable registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n 
\"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/b
in/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the windows hosts file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The rclone utility was executed","enabled":true,"expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000},"disabled":false}],"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDSv1 request was issued","disabled":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"enabled":false,"expression":"imds.cloud_provider == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) 
\u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name == \"release_agent\" \u0026\u0026 open.file.path in 
[\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The unshare utility was executed in a container","enabled":true,"expression":"exec.comm == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] 
\u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device rule 
created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service registry runkey modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [~\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"curl_docker_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process connected to an SSH server","enabled":true,"expression":"connect.addr.port == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows boot registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft security essentials executable modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll written to a suspicious directory","enabled":true,"expression":"create.file.name =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name != \"dockerd.exe\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump was used to dump a process memory","enabled":true,"expression":"exec.cmdline =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n 
(open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 
process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell process spawned from print server","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An Azure IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" 
])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter used to breakout of container","enabled":true,"expression":"exec.file.name == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows explorer file has been modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a critical windows file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port \u003c= 60150","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The 
configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", 
\"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell made an outbound network connection","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] \u0026\u0026 connect.addr.is_public == true","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","append":true,"ttl":60000000000},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"]\n\u0026\u0026 open.file.name == \"token\"\n\u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]\n\u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"]\n\u0026\u0026 process.file.path not in ${processes_accessing}\n\u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"k8s_pod_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently modified file requested credentials from IMDS","enabled":true,"expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path 
in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit used to export critical registry hive","enabled":true,"expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", 
~\"*security*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows registry hives file location key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows shell folders registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", 
~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows update registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS CLI utility was executed","enabled":true,"expression":"exec.file.name == \"aws\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP web application spawning shell","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The debugfs was executed in a container","enabled":true,"expression":"exec.comm == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot registry 
modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 
(open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process matches known relay attack tool","enabled":true,"expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", 
\"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c 
locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block 
debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl executed with suspicious argument","enabled":true,"expression":"exec.file.name == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A scheduled task was 
created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ 
\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path == \"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 
process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The mount utility was executed in a container","enabled":true,"expression":"exec.comm == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows winlogon registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup tool used for local privilege escalation","enabled":true,"expression":"exec.file.name == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", 
~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n 
\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 4.403495166s
+ - id: 10
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ae9-ca1-p8y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":226,"name":"dxnfjxgrbm","policyVersion":"2","priority":1000000011,"ruleCount":227,"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 226.866916ms
+ - id: 11
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hop-hlk-ktz?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 504
+ uncompressed: false
+ body: '{"data":{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 244.264417ms
+ - id: 12
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in 
[ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find command searching for sensitive files","enabled":true,"expression":"exec.comm == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation 
attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows environment variable registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n 
\"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/b
in/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the windows hosts file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The rclone utility was executed","enabled":true,"expression":"exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000},"disabled":false}],"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDSv1 request was issued","disabled":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"enabled":false,"expression":"imds.cloud_provider == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n 
\"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) 
\u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name == \"truncate\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name == \"release_agent\" \u0026\u0026 open.file.path in 
[\"/tmp/**\", \"/home/**\", \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The unshare utility was executed in a container","enabled":true,"expression":"exec.comm == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] 
\u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name == \"java\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device rule 
created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", ~\"*resume*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service registry runkey modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [~\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"curl_docker_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process connected to an SSH server","enabled":true,"expression":"connect.addr.port == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows boot registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft security essentials executable modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll written to a suspicious directory","enabled":true,"expression":"create.file.name =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name != \"dockerd.exe\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump was used to dump a process memory","enabled":true,"expression":"exec.cmdline =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n 
(open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 
process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell process spawned from print server","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An Azure IMDS 
was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" 
])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter used to breakout of container","enabled":true,"expression":"exec.file.name == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows explorer file has been modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a critical windows file was modified","enabled":true,"expression":"write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port \u003c= 60150","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The 
configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 process.comm not in [\"dockerd\", 
\"containerd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell made an outbound network connection","enabled":true,"expression":"connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] \u0026\u0026 connect.addr.is_public == true","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","append":true,"ttl":60000000000},"disabled":false}],"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"]\n\u0026\u0026 open.file.name == \"token\"\n\u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", 
\"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]\n\u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"]\n\u0026\u0026 process.file.path not in ${processes_accessing}\n\u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"k8s_pod_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently modified file requested credentials from IMDS","enabled":true,"expression":"imds.url =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name in [\"tcpdump\", \"tshark\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name !~ \"runc*\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags not in [\"S\", \"status\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path 
in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit used to export critical registry hive","enabled":true,"expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", 
~\"*security*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows registry hives file location key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows shell folders registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", 
~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows update registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS CLI utility was executed","enabled":true,"expression":"exec.file.name == \"aws\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP web application spawning shell","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The debugfs was executed in a container","enabled":true,"expression":"exec.comm == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot registry 
modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 
(open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process matches known relay attack tool","enabled":true,"expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", 
\"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c 
locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block 
debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl executed with suspicious argument","enabled":true,"expression":"exec.file.name == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A scheduled task was 
created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ 
\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path == \"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 process.gid != 0)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 
process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The mount utility was executed in a container","enabled":true,"expression":"exec.comm == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows winlogon registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os == 
\"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler was executed inside of a container","enabled":true,"expression":"(exec.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup tool used for local privilege escalation","enabled":true,"expression":"exec.file.name == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", 
~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n 
\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os == 
\"linux\""],"monitoring":["ae9-ca1-p8y","tq0-tji-i5m","flw-lrk-xzo","bod-mnz-hk1","hxv-ezx-44x","ahl-zxe-fbg","d1j-pkc-rhm","qve-9uc-uih","gwd-neb-qml","CWS_CUSTOM-canary","CWS_DD"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hop-hlk-ktz","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1747903418500,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"im a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["ae9-ca1-p8y"],"name":"dxnfjxgrbm","product_tags":["compliance_framework:PCI-DSS"],"updateDate":1747903418500,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 4.524785792s
+ - id: 13
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hop-hlk-ktz?policy_id=ae9-ca1-p8y
+ method: DELETE
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 0
+ uncompressed: false
+ body: ""
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+ code: 204
+ duration: 698.85275ms
+ - id: 14
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ae9-ca1-p8y
+ method: DELETE
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 0
+ uncompressed: false
+ body: ""
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+ code: 204
+ duration: 1.077869416s
+ - id: 15
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hop-hlk-ktz?policy_id=ae9-ca1-p8y
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 44
+ uncompressed: false
+ body: |
+ {"errors":[{"title":"failed to get rule"}]}
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+ code: 404
+ duration: 293.933542ms
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsPoliciesDataSource.freeze b/datadog/tests/cassettes/TestAccCSMThreatsPoliciesDataSource.freeze
new file mode 100644
index 000000000..e2bbcef9f
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsPoliciesDataSource.freeze
@@ -0,0 +1 @@
+2025-05-22T10:40:38.486844+02:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsPoliciesDataSource.yaml b/datadog/tests/cassettes/TestAccCSMThreatsPoliciesDataSource.yaml
new file mode 100644
index 000000000..7ae5d3254
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsPoliciesDataSource.yaml
@@ -0,0 +1,373 @@
+---
+version: 2
+interactions:
+ - id: 0
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 197
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"im a policy","enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"name":"jokbmxzkof"},"type":"policy"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: POST
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 910.68575ms
+ - id: 1
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/y6n-dxf-nn1
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 252.186959ms
+ - id: 2
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/y6n-dxf-nn1
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 378.252ms
+ - id: 3
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tq0-tji-i5m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747597121","policyVersion":"3","priority":1000000010,"ruleCount":226,"updateDate":1747597121931,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"flw-lrk-xzo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747539521","policyVersion":"3","priority":1000000009,"ruleCount":226,"updateDate":1747539521946,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bod-mnz-hk1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747525121","policyVersion":"3","priority":1000000008,"ruleCount":226,"updateDate":1747525122007,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hxv-ezx-44x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747481921","policyVersion":"3","priority":1000000007,"ruleCount":226,"updateDate":1747481921965,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ahl-zxe-fbg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747467521","policyVersion":"3","priority":1000000006,"ruleCount":226,"updateDate":1747467521937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"d1j-pkc-rhm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747453121","policyVersion":"3","priority":1000000005,"ruleCount":226,"updateDate":1747453121950,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qve-9uc-uih","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747438721","policyVersion":"3","priority":1000000004,"ruleCount":226,"updateDate":1747438721983,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gwd-neb-qml","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747424321","policyVersion":"3","priority":1000000003,"ruleCount":226,"updateDate":1747424321971,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":2,"enabled":false,"monitoringRulesCount":491,"name":"Datadog Managed Policy","policyVersion":"58249","priority":1000000002,"ruleCount":493,"updateDate":1746789273109,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog Managed Policy","policyVersion":"1.43.0-rc80","priority":0,"ruleCount":226,"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 268.506375ms
+ - id: 4
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/y6n-dxf-nn1
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 585.3815ms
+ - id: 5
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tq0-tji-i5m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747597121","policyVersion":"3","priority":1000000010,"ruleCount":226,"updateDate":1747597121931,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"flw-lrk-xzo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747539521","policyVersion":"3","priority":1000000009,"ruleCount":226,"updateDate":1747539521946,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bod-mnz-hk1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747525121","policyVersion":"3","priority":1000000008,"ruleCount":226,"updateDate":1747525122007,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hxv-ezx-44x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747481921","policyVersion":"3","priority":1000000007,"ruleCount":226,"updateDate":1747481921965,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ahl-zxe-fbg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747467521","policyVersion":"3","priority":1000000006,"ruleCount":226,"updateDate":1747467521937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"d1j-pkc-rhm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747453121","policyVersion":"3","priority":1000000005,"ruleCount":226,"updateDate":1747453121950,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qve-9uc-uih","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747438721","policyVersion":"3","priority":1000000004,"ruleCount":226,"updateDate":1747438721983,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gwd-neb-qml","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747424321","policyVersion":"3","priority":1000000003,"ruleCount":226,"updateDate":1747424321971,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":2,"enabled":false,"monitoringRulesCount":491,"name":"Datadog Managed Policy","policyVersion":"58249","priority":1000000002,"ruleCount":493,"updateDate":1746789273109,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog Managed Policy","policyVersion":"1.43.0-rc80","priority":0,"ruleCount":226,"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 250.807916ms
+ - id: 6
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tq0-tji-i5m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747597121","policyVersion":"3","priority":1000000010,"ruleCount":226,"updateDate":1747597121931,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"flw-lrk-xzo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747539521","policyVersion":"3","priority":1000000009,"ruleCount":226,"updateDate":1747539521946,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bod-mnz-hk1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747525121","policyVersion":"3","priority":1000000008,"ruleCount":226,"updateDate":1747525122007,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hxv-ezx-44x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747481921","policyVersion":"3","priority":1000000007,"ruleCount":226,"updateDate":1747481921965,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ahl-zxe-fbg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747467521","policyVersion":"3","priority":1000000006,"ruleCount":226,"updateDate":1747467521937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"d1j-pkc-rhm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747453121","policyVersion":"3","priority":1000000005,"ruleCount":226,"updateDate":1747453121950,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qve-9uc-uih","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747438721","policyVersion":"3","priority":1000000004,"ruleCount":226,"updateDate":1747438721983,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gwd-neb-qml","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747424321","policyVersion":"3","priority":1000000003,"ruleCount":226,"updateDate":1747424321971,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":2,"enabled":false,"monitoringRulesCount":491,"name":"Datadog Managed Policy","policyVersion":"58249","priority":1000000002,"ruleCount":493,"updateDate":1746789273109,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog Managed Policy","policyVersion":"1.43.0-rc80","priority":0,"ruleCount":226,"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 206.509583ms
+ - id: 7
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding:
+ - chunked
+ trailer: {}
+ content_length: -1
+ uncompressed: false
+ body: '{"data":[{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tq0-tji-i5m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747597121","policyVersion":"3","priority":1000000010,"ruleCount":226,"updateDate":1747597121931,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"flw-lrk-xzo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747539521","policyVersion":"3","priority":1000000009,"ruleCount":226,"updateDate":1747539521946,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bod-mnz-hk1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747525121","policyVersion":"3","priority":1000000008,"ruleCount":226,"updateDate":1747525122007,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hxv-ezx-44x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747481921","policyVersion":"3","priority":1000000007,"ruleCount":226,"updateDate":1747481921965,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ahl-zxe-fbg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747467521","policyVersion":"3","priority":1000000006,"ruleCount":226,"updateDate":1747467521937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"d1j-pkc-rhm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747453121","policyVersion":"3","priority":1000000005,"ruleCount":226,"updateDate":1747453121950,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qve-9uc-uih","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747438721","policyVersion":"3","priority":1000000004,"ruleCount":226,"updateDate":1747438721983,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gwd-neb-qml","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747424321","policyVersion":"3","priority":1000000003,"ruleCount":226,"updateDate":1747424321971,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":2,"enabled":false,"monitoringRulesCount":491,"name":"Datadog Managed Policy","policyVersion":"58249","priority":1000000002,"ruleCount":493,"updateDate":1746789273109,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog Managed Policy","policyVersion":"1.43.0-rc80","priority":0,"ruleCount":226,"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 286.60925ms
+ - id: 8
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/y6n-dxf-nn1
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"y6n-dxf-nn1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"jokbmxzkof","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903240323,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 334.079375ms
+ - id: 9
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/y6n-dxf-nn1
+ method: DELETE
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 0
+ uncompressed: false
+ body: ""
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+ code: 204
+ duration: 480.180667ms
+ - id: 10
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/y6n-dxf-nn1
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 34
+ uncompressed: false
+ body: '{"errors":[{"title":"Not Found"}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+ code: 404
+ duration: 277.551375ms
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdate.freeze b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdate.freeze
new file mode 100644
index 000000000..42bfe8c75
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdate.freeze
@@ -0,0 +1 @@
+2025-05-22T10:39:03.062047+02:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdate.yaml b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdate.yaml
new file mode 100644
index 000000000..7f6b81c1e
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdate.yaml
@@ -0,0 +1,306 @@
+---
+version: 2
+interactions:
+ - id: 0
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 140
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"im a policy","enabled":true,"hostTags":["host_name:test_host"],"name":"xwqlkatfug"},"type":"policy"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: POST
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903144675,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 719.324875ms
+ - id: 1
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903144675,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 266.677084ms
+ - id: 2
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903144675,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 210.912958ms
+ - id: 3
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 395
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903144675,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 273.617125ms
+ - id: 4
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 190
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"updated policy for terraform provider test","enabled":true,"hostTags":["host_name:test_host"],"name":"xwqlkatfug"},"id":"ygp-5ea-tjo","type":"policy"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: PATCH
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 426
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"updated policy for terraform provider test","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1747903147274,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 631.96575ms
+ - id: 5
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 426
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"updated policy for terraform provider test","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1747903147274,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 273.182541ms
+ - id: 6
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 426
+ uncompressed: false
+ body: '{"data":{"id":"ygp-5ea-tjo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"updated policy for terraform provider test","disabledRulesCount":1,"enabled":true,"hostTags":["host_name:test_host"],"monitoringRulesCount":225,"name":"xwqlkatfug","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1747903147274,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 195.515917ms
+ - id: 7
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: DELETE
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 0
+ uncompressed: false
+ body: ""
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+ code: 204
+ duration: 470.967708ms
+ - id: 8
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ygp-5ea-tjo
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 34
+ uncompressed: false
+ body: '{"errors":[{"title":"Not Found"}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+ code: 404
+ duration: 254.375458ms
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists.freeze b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists.freeze
new file mode 100644
index 000000000..d9a3bde38
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists.freeze
@@ -0,0 +1 @@
+2025-05-22T10:39:23.317742+02:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists.yaml b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists.yaml
new file mode 100644
index 000000000..5e1e95dc2
--- /dev/null
+++ b/datadog/tests/cassettes/TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists.yaml
@@ -0,0 +1,306 @@
+---
+version: 2
+interactions:
+ - id: 0
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 197
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"im a policy","enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"name":"cdosilpwxl"},"type":"policy"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy
+ method: POST
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903164941,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 688.514958ms
+ - id: 1
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903164941,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 241.787209ms
+ - id: 2
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903164941,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 266.160792ms
+ - id: 3
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 452
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"im a policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test_host","env:prod"],["host_name:test_host2","env:staging"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1747903164941,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 203.106666ms
+ - id: 4
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 239
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: |
+ {"data":{"attributes":{"description":"updated policy for terraform provider test","enabled":true,"hostTagsLists":[["host_name:test","env:prod"],["host_name:test_host2","env:test"]],"name":"cdosilpwxl"},"id":"kkg-54l-qhi","type":"policy"}}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: PATCH
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 475
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"updated policy for terraform provider test","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test","env:prod"],["host_name:test_host2","env:test"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1747903167422,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 653.258417ms
+ - id: 5
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 475
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"updated policy for terraform provider test","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test","env:prod"],["host_name:test_host2","env:test"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1747903167422,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 261.73675ms
+ - id: 6
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 475
+ uncompressed: false
+ body: '{"data":{"id":"kkg-54l-qhi","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"updated policy for terraform provider test","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["host_name:test","env:prod"],["host_name:test_host2","env:test"]],"monitoringRulesCount":225,"name":"cdosilpwxl","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1747903167422,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+ code: 200
+ duration: 222.797125ms
+ - id: 7
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: DELETE
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 0
+ uncompressed: false
+ body: ""
+ headers:
+ Content-Type:
+ - application/json
+ status: 204 No Content
+ code: 204
+ duration: 426.242166ms
+ - id: 8
+ request:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ content_length: 0
+ transfer_encoding: []
+ trailer: {}
+ host: api.datadoghq.com
+ remote_addr: ""
+ request_uri: ""
+ body: ""
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ url: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kkg-54l-qhi
+ method: GET
+ response:
+ proto: HTTP/1.1
+ proto_major: 1
+ proto_minor: 1
+ transfer_encoding: []
+ trailer: {}
+ content_length: 34
+ uncompressed: false
+ body: '{"errors":[{"title":"Not Found"}]}'
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+ code: 404
+ duration: 212.18875ms
diff --git a/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go b/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go
index f0be8a911..0c88d21ee 100644
--- a/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go
+++ b/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go
@@ -6,25 +6,40 @@ import (
"strconv"
"testing"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
"github.com/hashicorp/terraform-plugin-testing/helper/resource"
"github.com/hashicorp/terraform-plugin-testing/terraform"
"github.com/terraform-providers/terraform-provider-datadog/datadog/fwprovider"
)
-func TestAccCSMThreatsAgentRuleDataSource(t *testing.T) {
+func TestAccCSMThreatsAgentRulesDataSource(t *testing.T) {
+ t.Parallel()
ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t)
- agentRuleName := uniqueAgentRuleName(ctx)
- dataSourceName := "data.datadog_csm_threats_agent_rules.my_data_source"
- agentRuleConfig := fmt.Sprintf(`
- resource "datadog_csm_threats_agent_rule" "agent_rule_for_data_source_test" {
+ policyName := uniqueAgentRuleName(ctx)
+ policyConfig := fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_for_test" {
name = "%s"
- enabled = false
- description = "im a rule"
- expression = "open.file.name == \"etc/shadow/password\""
+ enabled = true
+ description = "im a policy"
+ tags = ["host_name:test_host"]
}
- `, agentRuleName)
+ `, policyName)
+
+ agentRuleName := uniqueAgentRuleName(ctx)
+ agentRuleConfig := fmt.Sprintf(`
+ %s
+ resource "datadog_csm_threats_agent_rule" "agent_rule_for_data_source_test" {
+ name = "%s"
+ policy_id = datadog_csm_threats_policy.policy_for_test.id
+ enabled = true
+ description = "im a rule"
+ expression = "open.file.name == \"etc/shadow/password\""
+ product_tags = ["compliance_framework:PCI-DSS"]
+ }
+ `, policyConfig, agentRuleName)
+ dataSourceName := "data.datadog_csm_threats_agent_rules.my_data_source"
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
@@ -39,7 +54,9 @@ func TestAccCSMThreatsAgentRuleDataSource(t *testing.T) {
{
Config: fmt.Sprintf(`
%s
- data "datadog_csm_threats_agent_rules" "my_data_source" {}
+ data "datadog_csm_threats_agent_rules" "my_data_source" {
+ policy_id = datadog_csm_threats_policy.policy_for_test.id
+ }
`, agentRuleConfig),
Check: checkCSMThreatsAgentRulesDataSourceContent(providers.frameworkProvider, dataSourceName, agentRuleName),
},
@@ -47,6 +64,30 @@ func TestAccCSMThreatsAgentRuleDataSource(t *testing.T) {
})
}
+func testAccCheckDatadogCSMThreatsAgentRulesDataSourceConfig(policyName, agentRuleName string) string {
+ return fmt.Sprintf(`
+data "datadog_csm_threats_agent_rules" "my_data_source" {
+ policy_id = datadog_csm_threats_policy.policy.id
+}
+
+resource "datadog_csm_threats_policy" "policy" {
+ name = "%s"
+ enabled = true
+ description = "Test description"
+ tags = ["host_name:test_host"]
+}
+
+resource "datadog_csm_threats_agent_rule" "agent_rule" {
+ name = "%s"
+ description = "Test description"
+ enabled = true
+ expression = "open.file.name == \"etc/shadow/password\""
+ policy_id = datadog_csm_threats_policy.policy.id
+ product_tags = ["compliance_framework:PCI-DSS"]
+}
+`, policyName, agentRuleName)
+}
+
func checkCSMThreatsAgentRulesDataSourceContent(accProvider *fwprovider.FrameworkProvider, dataSourceName string, agentRuleName string) resource.TestCheckFunc {
return func(state *terraform.State) error {
res, ok := state.RootModule().Resources[dataSourceName]
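Review bot: The new helper `testAccCheckDatadogCSMThreatsAgentRulesDataSourceConfig` is not referenced anywhere in this file; `TestAccCSMThreatsAgentRulesDataSource` builds its own inline `agentRuleConfig` with the same content, so unless another test file in the package calls it, the helper is dead code that `staticcheck` (U1000) will flag and that will drift from the config actually exercised. Either drop it or have the test use it, e.g. `Config: testAccCheckDatadogCSMThreatsAgentRulesDataSourceConfig(policyName, agentRuleName),` so the two configurations cannot diverge. If it stays, give it a doc comment such as `// testAccCheckDatadogCSMThreatsAgentRulesDataSourceConfig returns an HCL config with one policy, one agent rule attached to it, and the agent_rules data source filtered by that policy.`. The enclosing `checkCSMThreatsAgentRulesDataSourceContent` starts in this hunk and continues past it.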
@@ -57,7 +98,8 @@ func checkCSMThreatsAgentRulesDataSourceContent(accProvider *fwprovider.Framewor
auth := accProvider.Auth
apiInstances := accProvider.DatadogApiInstances
- allAgentRulesResponse, _, err := apiInstances.GetCSMThreatsApiV2().ListCSMThreatsAgentRules(auth)
+ policyId := res.Primary.Attributes["policy_id"]
+ allAgentRulesResponse, _, err := apiInstances.GetCSMThreatsApiV2().ListCSMThreatsAgentRules(auth, *datadogV2.NewListCSMThreatsAgentRulesOptionalParameters().WithPolicyId(policyId))
if err != nil {
return err
}
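Review bot: `policyId := res.Primary.Attributes["policy_id"]` is passed straight into `WithPolicyId` without checking that the attribute is present in state; a missing or empty `policy_id` would silently turn the API call into an unfiltered (or rejected) listing and the test would then fail later with a confusing rule-count mismatch instead of at the root cause. Add a guard right after the lookup: `if policyId == "" { return fmt.Errorf("data source %s has no policy_id in state", dataSourceName) }`. The enclosing function `checkCSMThreatsAgentRulesDataSourceContent` starts and ends outside this hunk.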
@@ -101,9 +143,11 @@ func checkCSMThreatsAgentRulesDataSourceContent(accProvider *fwprovider.Framewor
return resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.name", idx), ruleName),
- resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.enabled", idx), "false"),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.enabled", idx), "true"),
resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.description", idx), "im a rule"),
resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.expression", idx), "open.file.name == \"etc/shadow/password\""),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.product_tags.#", idx), "1"),
+ resource.TestCheckTypeSetElemAttr(dataSourceName, fmt.Sprintf("agent_rules.%d.product_tags.*", idx), "compliance_framework:PCI-DSS"),
)(state)
}
}
diff --git a/datadog/tests/data_source_datadog_csm_threats_policies_test.go b/datadog/tests/data_source_datadog_csm_threats_policies_test.go
new file mode 100644
index 000000000..559681ff8
--- /dev/null
+++ b/datadog/tests/data_source_datadog_csm_threats_policies_test.go
@@ -0,0 +1,110 @@
+package test
+
+import (
+ "context"
+ "fmt"
+ "strconv"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/hashicorp/terraform-plugin-testing/terraform"
+
+ "github.com/terraform-providers/terraform-provider-datadog/datadog/fwprovider"
+)
+
+func TestAccCSMThreatsPoliciesDataSource(t *testing.T) {
+ ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t)
+
+ policyName := uniqueAgentRuleName(ctx)
+ dataSourceName := "data.datadog_csm_threats_policies.my_data_source"
+ policyConfig := fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_for_data_source_test" {
+ name = "%s"
+ enabled = true
+ description = "im a policy"
+ host_tags_lists = [["host_name:test_host", "env:prod"], ["host_name:test_host2", "env:staging"]]
+ }
+ `, policyName)
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV5ProviderFactories: accProviders,
+ CheckDestroy: testAccCheckCSMThreatsPolicyDestroy(providers.frameworkProvider),
+ Steps: []resource.TestStep{
+ {
+ // Create a policy to have at least one
+ Config: policyConfig,
+ Check: testAccCheckCSMThreatsPolicyExists(providers.frameworkProvider, "datadog_csm_threats_policy.policy_for_data_source_test"),
+ },
+ {
+ Config: fmt.Sprintf(`
+ %s
+ data "datadog_csm_threats_policies" "my_data_source" {}
+ `, policyConfig),
+ Check: checkCSMThreatsPoliciesDataSourceContent(providers.frameworkProvider, dataSourceName, policyName),
+ },
+ },
+ })
+}
+
+func checkCSMThreatsPoliciesDataSourceContent(accProvider *fwprovider.FrameworkProvider, dataSourceName string, policyName string) resource.TestCheckFunc {
+ return func(state *terraform.State) error {
+ res, ok := state.RootModule().Resources[dataSourceName]
+ if !ok {
+ return fmt.Errorf("resource missing from state: %s", dataSourceName)
+ }
+
+ auth := accProvider.Auth
+ apiInstances := accProvider.DatadogApiInstances
+
+ allPoliciesResponse, _, err := apiInstances.GetCSMThreatsApiV2().ListCSMThreatsAgentPolicies(auth)
+ if err != nil {
+ return err
+ }
+
+ // Check the policy we created is in the API response
+ resPolicyId := ""
+ for _, policy := range allPoliciesResponse.GetData() {
+ if policy.Attributes.GetName() == policyName {
+ resPolicyId = policy.GetId()
+ break
+ }
+ }
+ if resPolicyId == "" {
+ return fmt.Errorf("policy with name '%s' not found in API responses", policyName)
+ }
+
+ // Check that the data_source fetched is correct
+ resourceAttributes := res.Primary.Attributes
+ policyIdsCount, err := strconv.Atoi(resourceAttributes["policy_ids.#"])
+ if err != nil {
+ return err
+ }
+ policiesCount, err := strconv.Atoi(resourceAttributes["policies.#"])
+ if err != nil {
+ return err
+ }
+ if policiesCount != policyIdsCount {
+ return fmt.Errorf("the data source contains %d policy IDs but %d policies", policyIdsCount, policiesCount)
+ }
+
+ // Find in which position is the policy we created, and check its values
+ idx := 0
+ for idx < policyIdsCount && resourceAttributes[fmt.Sprintf("policy_ids.%d", idx)] != resPolicyId {
+ idx++
+ }
+ if idx == len(resourceAttributes) {
+ return fmt.Errorf("policy with ID '%s' not found in data source", resPolicyId)
+ }
+
+ return resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.name", idx), policyName),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.enabled", idx), "true"),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.host_tags_lists.0.0", idx), "host_name:test_host"),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.host_tags_lists.0.1", idx), "env:prod"),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.host_tags_lists.1.0", idx), "host_name:test_host2"),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.host_tags_lists.1.1", idx), "env:staging"),
+ resource.TestCheckResourceAttr(dataSourceName, fmt.Sprintf("policies.%d.description", idx), "im a policy"),
+ )(state)
+ }
+}
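Review bot: The not-found check after the search loop compares `idx` against the wrong bound: the loop runs while `idx < policyIdsCount`, so when the created policy is absent from the data source `idx` ends at `policyIdsCount`, but the condition tests `idx == len(resourceAttributes)` (the size of the whole attribute map), which will essentially never be true. The test then proceeds to `TestCheckResourceAttr` on `policies.<policyIdsCount>.name` and fails with an "attribute not found" message rather than the intended "policy with ID ... not found in data source". Change the condition to `if idx == policyIdsCount {`. Separately, the sibling `TestAccCSMThreatsAgentRulesDataSource` in this commit gains `t.Parallel()` while this new test does not; if the omission is deliberate (e.g. because the unfiltered `datadog_csm_threats_policies` listing can be perturbed by concurrently created policies), a one-line comment saying so would prevent someone from "fixing" it later.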
diff --git a/datadog/tests/provider_test.go b/datadog/tests/provider_test.go
index 2a4207638..c0e6ed40d 100644
--- a/datadog/tests/provider_test.go
+++ b/datadog/tests/provider_test.go
@@ -58,7 +58,9 @@ var testFiles2EndpointTags = map[string]string{
"tests/data_source_datadog_application_key_test": "application_keys",
"tests/data_source_datadog_cloud_workload_security_agent_rules_test": "cloud-workload-security",
"tests/data_source_datadog_action_connection_test": "action_connection",
+ "tests/data_source_datadog_csm_threats_agent_rule_test": "cloud-workload-security",
"tests/data_source_datadog_csm_threats_agent_rules_test": "cloud-workload-security",
+ "tests/data_source_datadog_csm_threats_policies_test": "cloud-workload-security",
"tests/data_source_datadog_dashboard_list_test": "dashboard-lists",
"tests/data_source_datadog_dashboard_test": "dashboard",
"tests/data_source_datadog_hosts_test": "hosts",
@@ -122,6 +124,7 @@ var testFiles2EndpointTags = map[string]string{
"tests/resource_datadog_cloud_workload_security_agent_rule_test": "cloud_workload_security",
"tests/resource_datadog_action_connection_test": "action_connection",
"tests/resource_datadog_csm_threats_agent_rule_test": "cloud-workload-security",
+ "tests/resource_datadog_csm_threats_policy_test": "cloud-workload-security",
"tests/resource_datadog_dashboard_alert_graph_test": "dashboards",
"tests/resource_datadog_dashboard_alert_value_test": "dashboards",
"tests/resource_datadog_dashboard_change_test": "dashboards",
diff --git a/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go b/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go
index a99e0c742..ee3bfe61b 100644
--- a/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go
+++ b/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go
@@ -6,6 +6,8 @@ import (
"fmt"
"testing"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+
"github.com/hashicorp/terraform-plugin-testing/helper/resource"
"github.com/hashicorp/terraform-plugin-testing/terraform"
@@ -18,40 +20,62 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
agentRuleName := uniqueAgentRuleName(ctx)
resourceName := "datadog_csm_threats_agent_rule.agent_rule_test"
+
+ policyName := uniqueAgentRuleName(ctx)
+ policyConfig := fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_for_test" {
+ name = "%s"
+ enabled = true
+ description = "im a policy"
+ tags = ["host_name:test_host"]
+ }
+ `, policyName)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV5ProviderFactories: accProviders,
CheckDestroy: testAccCheckCSMThreatsAgentRuleDestroy(providers.frameworkProvider),
Steps: []resource.TestStep{
+ {
+ // Create a policy to have at least one
+ Config: policyConfig,
+ Check: testAccCheckCSMThreatsPolicyExists(providers.frameworkProvider, "datadog_csm_threats_policy.policy_for_test"),
+ },
{
Config: fmt.Sprintf(`
+ %s
resource "datadog_csm_threats_agent_rule" "agent_rule_test" {
name = "%s"
+ policy_id = datadog_csm_threats_policy.policy_for_test.id
enabled = true
description = "im a rule"
expression = "open.file.name == \"etc/shadow/password\""
+ product_tags = ["compliance_framework:PCI-DSS"]
}
- `, agentRuleName),
+ `, policyConfig, agentRuleName),
Check: resource.ComposeTestCheckFunc(
- testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, "datadog_csm_threats_agent_rule.agent_rule_test"),
+ testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, resourceName),
checkCSMThreatsAgentRuleContent(
resourceName,
agentRuleName,
"im a rule",
"open.file.name == \"etc/shadow/password\"",
+ "compliance_framework:PCI-DSS",
),
),
},
// Update description
{
Config: fmt.Sprintf(`
+ %s
resource "datadog_csm_threats_agent_rule" "agent_rule_test" {
name = "%s"
+ policy_id = datadog_csm_threats_policy.policy_for_test.id
enabled = true
description = "updated agent rule for terraform provider test"
expression = "open.file.name == \"etc/shadow/password\""
+ product_tags = ["compliance_framework:ISO-27799"]
}
- `, agentRuleName),
+ `, policyConfig, agentRuleName),
Check: resource.ComposeTestCheckFunc(
testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, resourceName),
checkCSMThreatsAgentRuleContent(
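Review bot: The policy created on L4948-L4956 is never verified as deleted, because `CheckDestroy` on L4960 still runs only `testAccCheckCSMThreatsAgentRuleDestroy`, so a leaked `datadog_csm_threats_policy` would go unnoticed by this test. Since the new file in this commit defines `testAccCheckCSMThreatsPolicyDestroy` in the same package, both can be combined: `CheckDestroy: resource.ComposeTestCheckFunc(testAccCheckCSMThreatsAgentRuleDestroy(providers.frameworkProvider), testAccCheckCSMThreatsPolicyDestroy(providers.frameworkProvider)),`. The comment on L4963 would also read better as `// Create the policy first so the agent rule steps have a policy_id to reference`. TestAccCSMThreatsAgentRule_CreateAndUpdate begins before this hunk.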
@@ -59,6 +83,7 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
agentRuleName,
"updated agent rule for terraform provider test",
"open.file.name == \"etc/shadow/password\"",
+ "compliance_framework:ISO-27799",
),
),
},
@@ -66,15 +91,6 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
})
}
-func checkCSMThreatsAgentRuleContent(resourceName string, name string, description string, expression string) resource.TestCheckFunc {
- return resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(resourceName, "name", name),
- resource.TestCheckResourceAttr(resourceName, "description", description),
- resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
- resource.TestCheckResourceAttr(resourceName, "expression", expression),
- )
-}
-
func testAccCheckCSMThreatsAgentRuleExists(accProvider *fwprovider.FrameworkProvider, resourceName string) resource.TestCheckFunc {
return func(s *terraform.State) error {
resource, ok := s.RootModule().Resources[resourceName]
@@ -89,7 +105,8 @@ func testAccCheckCSMThreatsAgentRuleExists(accProvider *fwprovider.FrameworkProv
auth := accProvider.Auth
apiInstances := accProvider.DatadogApiInstances
- _, _, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID)
+ policyId := resource.Primary.Attributes["policy_id"]
+ _, _, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID, *datadogV2.NewGetCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
if err != nil {
return fmt.Errorf("received an error retrieving agent rule: %s", err)
}
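Review bot: The map lookup on L5036 yields `""` when `policy_id` is missing from state, and the lookup is then issued with an empty policy id, so the resulting error would not point at the real cause; the same pattern appears on L5045 in the destroy check, where an empty id presumably produces a 404 and lets the check pass without proving the rule was deleted. Make the missing attribute an explicit failure: `policyId, ok := resource.Primary.Attributes["policy_id"]` followed by `if !ok || policyId == "" { return fmt.Errorf("resource %s has no policy_id in state", resourceName) }` (in the destroy check use `resource.Primary.ID` in the message, since there is no resourceName there). testAccCheckCSMThreatsAgentRuleExists begins before this hunk.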
@@ -105,7 +122,8 @@ func testAccCheckCSMThreatsAgentRuleDestroy(accProvider *fwprovider.FrameworkPro
for _, resource := range s.RootModule().Resources {
if resource.Type == "datadog_csm_threats_agent_rule" {
- _, httpResponse, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID)
+ policyId := resource.Primary.Attributes["policy_id"]
+ _, httpResponse, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID, *datadogV2.NewGetCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
if err == nil {
return errors.New("agent rule still exists")
}
@@ -118,3 +136,14 @@ func testAccCheckCSMThreatsAgentRuleDestroy(accProvider *fwprovider.FrameworkPro
return nil
}
}
+
+func checkCSMThreatsAgentRuleContent(resourceName string, name string, description string, expression string, product_tags string) resource.TestCheckFunc {
+ return resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "name", name),
+ resource.TestCheckResourceAttr(resourceName, "description", description),
+ resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
+ resource.TestCheckResourceAttr(resourceName, "expression", expression),
+ resource.TestCheckResourceAttr(resourceName, "product_tags.#", "1"),
+ resource.TestCheckTypeSetElemAttr(resourceName, "product_tags.*", product_tags),
+ )
+}
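Review bot: The parameter `product_tags` on L5055 uses snake_case, which `go vet`/staticcheck style conventions reject in favour of MixedCaps; since L5061 asserts exactly one element, `productTag string` both fixes the name and states the constraint the helper imposes. The helper was also moved to the bottom of the file without a doc comment; add `// checkCSMThreatsAgentRuleContent asserts the agent rule's state attributes, including that product_tags holds exactly the one given tag.` above it.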
diff --git a/datadog/tests/resource_datadog_csm_threats_policy_test.go b/datadog/tests/resource_datadog_csm_threats_policy_test.go
new file mode 100644
index 000000000..4eca2fdd0
--- /dev/null
+++ b/datadog/tests/resource_datadog_csm_threats_policy_test.go
@@ -0,0 +1,204 @@
+package test
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/hashicorp/terraform-plugin-testing/terraform"
+
+ "github.com/terraform-providers/terraform-provider-datadog/datadog/fwprovider"
+)
+
+// Create an agent policy and update its description
+func TestAccCSMThreatsPolicy_CreateAndUpdate(t *testing.T) {
+ ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t)
+
+ policyName := uniqueAgentRuleName(ctx)
+ resourceName := "datadog_csm_threats_policy.policy_test"
+ tags := []string{"host_name:test_host"}
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV5ProviderFactories: accProviders,
+ CheckDestroy: testAccCheckCSMThreatsPolicyDestroy(providers.frameworkProvider),
+ Steps: []resource.TestStep{
+ {
+ Config: fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_test" {
+ name = "%s"
+ enabled = true
+ description = "im a policy"
+ tags = ["host_name:test_host"]
+ }
+ `, policyName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckCSMThreatsPolicyExists(providers.frameworkProvider, "datadog_csm_threats_policy.policy_test"),
+ checkCSMThreatsPolicyContent(
+ resourceName,
+ policyName,
+ "im a policy",
+ tags,
+ ),
+ ),
+ },
+ // Update description
+ {
+ Config: fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_test" {
+ name = "%s"
+ enabled = true
+ description = "updated policy for terraform provider test"
+ tags = ["host_name:test_host"]
+ }
+ `, policyName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckCSMThreatsPolicyExists(providers.frameworkProvider, resourceName),
+ checkCSMThreatsPolicyContent(
+ resourceName,
+ policyName,
+ "updated policy for terraform provider test",
+ tags,
+ ),
+ ),
+ },
+ },
+ })
+}
+
+// Create an agent policy with host_tags_lists and update its description
+func TestAccCSMThreatsPolicy_CreateAndUpdateWithHostTagsLists(t *testing.T) {
+ ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t)
+
+ policyName := uniqueAgentRuleName(ctx)
+ resourceName := "datadog_csm_threats_policy.policy_test"
+ hostTagsLists := [][]string{
+ {"host_name:test_host", "env:prod"},
+ {"host_name:test_host2", "env:staging"},
+ }
+ updatedHostTagsLists := [][]string{
+ {"host_name:test", "env:prod"},
+ {"host_name:test_host2", "env:test"},
+ }
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ ProtoV5ProviderFactories: accProviders,
+ CheckDestroy: testAccCheckCSMThreatsPolicyDestroy(providers.frameworkProvider),
+ Steps: []resource.TestStep{
+ {
+ Config: fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_test" {
+ name = "%s"
+ enabled = true
+ description = "im a policy"
+ host_tags_lists = [["host_name:test_host", "env:prod"], ["host_name:test_host2", "env:staging"]]
+ }
+ `, policyName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckCSMThreatsPolicyExists(providers.frameworkProvider, "datadog_csm_threats_policy.policy_test"),
+ checkCSMThreatsPolicyContentWithHostTagsLists(
+ resourceName,
+ policyName,
+ "im a policy",
+ hostTagsLists,
+ ),
+ ),
+ },
+ // Update description and tags
+ {
+ Config: fmt.Sprintf(`
+ resource "datadog_csm_threats_policy" "policy_test" {
+ name = "%s"
+ enabled = true
+ description = "updated policy for terraform provider test"
+ host_tags_lists = [["host_name:test", "env:prod"], ["host_name:test_host2", "env:test"]]
+ }
+ `, policyName),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckCSMThreatsPolicyExists(providers.frameworkProvider, resourceName),
+ checkCSMThreatsPolicyContentWithHostTagsLists(
+ resourceName,
+ policyName,
+ "updated policy for terraform provider test",
+ updatedHostTagsLists,
+ ),
+ ),
+ },
+ },
+ })
+}
+
+func checkCSMThreatsPolicyContent(resourceName string, name string, description string, tags []string) resource.TestCheckFunc {
+ return resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "name", name),
+ resource.TestCheckResourceAttr(resourceName, "description", description),
+ resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
+ resource.TestCheckResourceAttr(resourceName, "tags.0", tags[0]),
+ )
+}
+
+func checkCSMThreatsPolicyContentWithHostTagsLists(resourceName string, name string, description string, hostTagsLists [][]string) resource.TestCheckFunc {
+ checks := []resource.TestCheckFunc{
+ resource.TestCheckResourceAttr(resourceName, "name", name),
+ resource.TestCheckResourceAttr(resourceName, "description", description),
+ resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
+ }
+
+ // Add checks for each host tags list
+ for i, tagList := range hostTagsLists {
+ for j, tag := range tagList {
+ checks = append(checks, resource.TestCheckResourceAttr(
+ resourceName,
+ fmt.Sprintf("host_tags_lists.%d.%d", i, j),
+ tag,
+ ))
+ }
+ }
+
+ return resource.ComposeTestCheckFunc(checks...)
+}
+
+func testAccCheckCSMThreatsPolicyExists(accProvider *fwprovider.FrameworkProvider, resourceName string) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ resource, ok := s.RootModule().Resources[resourceName]
+ if !ok {
+ return fmt.Errorf("resource '%s' not found in the state %s", resourceName, s.RootModule().Resources)
+ }
+
+ if resource.Type != "datadog_csm_threats_policy" {
+ return fmt.Errorf("resource %s is not of type datadog_csm_threats_policy, found %s instead", resourceName, resource.Type)
+ }
+
+ auth := accProvider.Auth
+ apiInstances := accProvider.DatadogApiInstances
+
+ _, _, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentPolicy(auth, resource.Primary.ID)
+ if err != nil {
+ return fmt.Errorf("received an error retrieving policy: %s", err)
+ }
+
+ return nil
+ }
+}
+
+func testAccCheckCSMThreatsPolicyDestroy(accProvider *fwprovider.FrameworkProvider) resource.TestCheckFunc {
+ return func(s *terraform.State) error {
+ auth := accProvider.Auth
+ apiInstances := accProvider.DatadogApiInstances
+
+ for _, resource := range s.RootModule().Resources {
+ if resource.Type == "datadog_csm_threats_policy" {
+ _, httpResponse, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentPolicy(auth, resource.Primary.ID)
+ if err == nil {
+ return errors.New("policy still exists")
+ }
+ if httpResponse == nil || httpResponse.StatusCode != 404 {
+ return fmt.Errorf("received an error while getting the policy: %s", err)
+ }
+ }
+ }
+
+ return nil
+ }
+}
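Review bot: checkCSMThreatsPolicyContent on L5202-L5209 indexes `tags[0]` unconditionally, so an empty slice panics the test, and it verifies only the first element by position even though `tags` is documented elsewhere in this commit as a Set of String; the sibling helper for agent rules in this commit uses `TestCheckTypeSetElemAttr` for set members, and checkCSMThreatsPolicyContentWithHostTagsLists on L5211 already iterates every element. Assert the count and every member the same way so the helper is order-independent and safe for any length. A doc comment on each of the four helpers (e.g. `// testAccCheckCSMThreatsPolicyDestroy verifies every policy in state returns 404 from the API.`) would also help, as none of them has one.

```go
func checkCSMThreatsPolicyContent(resourceName string, name string, description string, tags []string) resource.TestCheckFunc {
	checks := []resource.TestCheckFunc{
		resource.TestCheckResourceAttr(resourceName, "name", name),
		resource.TestCheckResourceAttr(resourceName, "description", description),
		resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
		resource.TestCheckResourceAttr(resourceName, "tags.#", fmt.Sprintf("%d", len(tags))),
	}
	// tags is a set, so check membership rather than position
	for _, tag := range tags {
		checks = append(checks, resource.TestCheckTypeSetElemAttr(resourceName, "tags.*", tag))
	}
	return resource.ComposeTestCheckFunc(checks...)
}
// … unchanged: checkCSMThreatsPolicyContentWithHostTagsLists, exists/destroy helpers …
```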
diff --git a/docs/data-sources/csm_threats_agent_rules.md b/docs/data-sources/csm_threats_agent_rules.md
index 6e6e7a0d1..0f2b1183a 100644
--- a/docs/data-sources/csm_threats_agent_rules.md
+++ b/docs/data-sources/csm_threats_agent_rules.md
@@ -15,11 +15,15 @@ Use this data source to retrieve information about existing Agent rules.
## Schema
+### Optional
+
+- `policy_id` (String) Listing only the rules in the policy with this field as the ID
+
### Read-Only
- `agent_rules` (List of Object) List of Agent rules (see [below for nested schema](#nestedatt--agent_rules))
- `agent_rules_ids` (List of String) List of IDs for the Agent rules.
-- `id` (String) The ID of this resource.
+- `id` (String) The ID of the data source
### Nested Schema for `agent_rules`
@@ -31,3 +35,4 @@ Read-Only:
- `expression` (String)
- `id` (String)
- `name` (String)
+- `product_tags` (Set of String)
diff --git a/docs/data-sources/csm_threats_policies.md b/docs/data-sources/csm_threats_policies.md
new file mode 100644
index 000000000..fe4047323
--- /dev/null
+++ b/docs/data-sources/csm_threats_policies.md
@@ -0,0 +1,34 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "datadog_csm_threats_policies Data Source - terraform-provider-datadog"
+subcategory: ""
+description: |-
+ Use this data source to retrieve information about existing policies.
+---
+
+# datadog_csm_threats_policies (Data Source)
+
+Use this data source to retrieve information about existing policies.
+
+
+
+
+## Schema
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `policies` (List of Object) List of policies (see [below for nested schema](#nestedatt--policies))
+- `policy_ids` (List of String) List of IDs for the policies.
+
+
+### Nested Schema for `policies`
+
+Read-Only:
+
+- `description` (String)
+- `enabled` (Boolean)
+- `host_tags_lists` (Set of List of String)
+- `id` (String)
+- `name` (String)
+- `tags` (Set of String)
diff --git a/docs/resources/csm_threats_agent_rule.md b/docs/resources/csm_threats_agent_rule.md
index 0db98a372..ee1d6f4da 100644
--- a/docs/resources/csm_threats_agent_rule.md
+++ b/docs/resources/csm_threats_agent_rule.md
@@ -29,10 +29,12 @@ resource "datadog_csm_threats_agent_rule" "my_agent_rule" {
- `enabled` (Boolean) Indicates Whether the Agent rule is enabled.
- `expression` (String) The SECL expression of the Agent rule
- `name` (String) The name of the Agent rule.
+- `policy_id` (String) The ID of the agent policy in which the rule is saved
### Optional
-- `description` (String) A description for the Agent rule. Defaults to `""`.
+- `description` (String) A description for the Agent rule.
+- `product_tags` (Set of String) The list of product tags associated with the rule
### Read-Only
diff --git a/docs/resources/csm_threats_policy.md b/docs/resources/csm_threats_policy.md
new file mode 100644
index 000000000..61039b47f
--- /dev/null
+++ b/docs/resources/csm_threats_policy.md
@@ -0,0 +1,31 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "datadog_csm_threats_policy Resource - terraform-provider-datadog"
+subcategory: ""
+description: |-
+ Provides a Datadog CSM Threats policy API resource.
+---
+
+# datadog_csm_threats_policy (Resource)
+
+Provides a Datadog CSM Threats policy API resource.
+
+
+
+
+## Schema
+
+### Required
+
+- `name` (String) The name of the policy.
+
+### Optional
+
+- `description` (String) A description for the policy.
+- `enabled` (Boolean) Indicates whether the policy is enabled. Defaults to `false`.
+- `host_tags_lists` (Set of List of String) Host tags that define where the policy is deployed. Inner values are ANDed, outer arrays are ORed.
+- `tags` (Set of String) Host tags that define where the policy is deployed. Deprecated, use host_tags_lists instead.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/go.mod b/go.mod
index 3bd5a6b67..d09e4a8d2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,7 +1,7 @@
module github.com/terraform-providers/terraform-provider-datadog
require (
- github.com/DataDog/datadog-api-client-go/v2 v2.37.2-0.20250429195731-d6c3507540d3
+ github.com/DataDog/datadog-api-client-go/v2 v2.37.2-0.20250509174935-ad49841e906f
github.com/DataDog/dd-sdk-go-testing v0.0.0-20211116174033-1cd082e322ad
github.com/Masterminds/semver/v3 v3.2.0
github.com/google/go-cmp v0.7.0
diff --git a/go.sum b/go.sum
index 7d68f7985..03af5c3eb 100644
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/DataDog/datadog-api-client-go/v2 v2.37.2-0.20250429195731-d6c3507540d3 h1:rrnGH7u4UvqSSfjOEVVXgryezNX8KGgBFixpYrjf9n8=
-github.com/DataDog/datadog-api-client-go/v2 v2.37.2-0.20250429195731-d6c3507540d3/go.mod h1:d3tOEgUd2kfsr9uuHQdY+nXrWp4uikgTgVCPdKNK30U=
+github.com/DataDog/datadog-api-client-go/v2 v2.37.2-0.20250509174935-ad49841e906f h1:uxWBnKdTVRw6v1B19apTcSmOVjK7BtB+vElm+OxBQoM=
+github.com/DataDog/datadog-api-client-go/v2 v2.37.2-0.20250509174935-ad49841e906f/go.mod h1:d3tOEgUd2kfsr9uuHQdY+nXrWp4uikgTgVCPdKNK30U=
github.com/DataDog/datadog-go v4.4.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
github.com/DataDog/datadog-go v4.8.3+incompatible h1:fNGaYSuObuQb5nzeTQqowRAd9bpDIRRV4/gUtIBjh8Q=
github.com/DataDog/datadog-go v4.8.3+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=