Capsule8 Docs

List of Detection Classes and their Individual Detections

This page includes a full list of the detection classes bundled within Detection Analytics, and those bundled within Smart Policy. It also includes the individual detections that comprise each detection class.

List of Detection Analytics Detections

Below is a list of the detection classes bundled in Detection Analytics, including the individual detections that comprise each detection class. Each detection’s corresponding MITRE ATT&CK categories are listed as sub-bullets.

Heads up: some detections are disabled by default

Any detections listed in italics are disabled by default, and must be manually enabled. Please see Enabling a default-disabled detection for more information.

Application Exploitation

Memory Corruption

  • Memory Marked Executable: Alerts when a program sets heap or stack memory permissions to executable. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Execution.Exploitation for Client Execution
    • MITRE.Initial Access.Exploit Public-Facing Application
  • Repeated Program Crashes: Alerts when more than 5 instances of an individual program crash via segmentation fault.
    • MITRE.Execution.Exploitation for Client Execution
    • MITRE.Initial Access.Exploit Public-Facing Application

Unusual Application Behavior

  • Suspicious Interactive Shell: Alerts when an interactive shell is started with arguments commonly used for reverse shells.
    • MITRE.Execution.Command-Line Interface
    • MITRE.Initial Access.Exploit Public-Facing Application
  • Suspicious Interactive Shell Advanced: Alerts when an interactive shell is started with arguments commonly used for reverse shells, started in a container, or started as a child of a network service that is not SSH. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Execution.Command-Line Interface
    • MITRE.Initial Access.Exploit Public-Facing Application
  • New File Executed in Container: Alerts when a file that has been created or modified within 30 minutes is then executed within a container. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Initial Access.Exploit Public-Facing Application

System Exploitation

Common Kernel Exploitation Methods

  • Kernel Exploit: Alerts when a kernel function unexpectedly returns to userland.
    • MITRE.Credential Access.Exploitation for Credential Access
    • MITRE.Defense Evasion.Exploitation for Defense Evasion
    • MITRE.Privilege Escalation.Exploitation for Privilege Escalation
  • Illegal Elevation Of Privileges: Alerts when a program attempts to elevate privileges through unusual means. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Privilege Escalation.Exploitation for Privilege Escalation
  • Processor-Level Protections Disabled: Alerts when a program tampers with the kernel SMEP/SMAP configuration.
    • MITRE.Defense Evasion.Disabling Security Tools

Container Escapes

  • Userland Container Escape: Alerts when a container-created file is executed from the host namespace, which indicates a possible container escape.
    • MITRE.Privilege Escalation.Exploitation for Privilege Escalation
  • Container Escape via Kernel Exploitation: Alerts when a program uses kernel functions commonly used in container escape exploits.
    • MITRE.Credential Access.Exploitation for Credential Access
    • MITRE.Defense Evasion.Exploitation for Defense Evasion
    • MITRE.Privilege Escalation.Exploitation for Privilege Escalation
  • RunC Container Escape: Alerts when a modification of the runc binary by a non-package manager is detected, such as with CVE-2019-5736. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Privilege Escalation.Exploitation for Privilege Escalation

Tampering of Security Mechanisms

  • AppArmor Profile Modified: Alerts when a command for modifying an AppArmor profile is executed, unless the profile was disabled by a user in an SSH session.
    • MITRE.Defense Evasion.Disabling Security Tools
  • SELinux Disabled In Kernel: Alerts when the SELinux state in the kernel has been changed from the SELinux configuration detected when the sensor starts. This indicates that SELinux has been disabled by a kernel exploit or rootkit.
    • MITRE.Defense Evasion.Disabling Security Tools
  • AppArmor Disabled In Kernel: Alerts when the AppArmor state is changed from the AppArmor configuration detected when the sensor starts.
    • MITRE.Defense Evasion.Disabling Security Tools
  • SELinux Enforcement Mode Disabled From Userland: Alerts when SELinux enforcement mode is disabled.
    • MITRE.Defense Evasion.Disabling Security Tools

Persistence

Userland Backdoors

  • Suspicious Program Name Executed-Space After File: Alerts when a program is executed with a space after the program name, commonly used to masquerade as a legitimate system service.
    • MITRE.Defense Evasion.Space after Filename
    • MITRE.Execution.Space after Filename

Kernel Backdoors

  • BPF Program Executed: Alerts when a BPF program is loaded by a process that is already part of an ongoing incident. This could indicate that an attacker is loading a BPF-based rootkit to gain persistence and avoid detection.
    • MITRE.Defense Evasion.Disabling Security Tools
    • MITRE.Defense Evasion.Rootkit
    • MITRE.Persistence.Kernel Modules and Extensions
  • Kernel Module Loaded: Alerts when a kernel module is loaded, if the program is already part of an ongoing incident.
    • MITRE.Defense Evasion.Disabling Security Tools
    • MITRE.Defense Evasion.Rootkit
    • MITRE.Persistence.Kernel Modules and Extensions

List of Smart Policy Detections

Below is a list of the detection classes bundled in Smart Policy, including the individual detections that comprise each detection class. Each detection’s corresponding MITRE ATT&CK categories are listed as sub-bullets.

Heads up: some detections are disabled by default

Any detections listed in italics are disabled by default, and must be manually enabled. Please see Enabling a default-disabled detection for more information.

File Activity

Unusual Files Created

  • Hidden File Created: Alerts when a hidden file is created by a process associated with an ongoing incident. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Defense Evasion.Hidden Files and Directories
    • MITRE.Persistence.Hidden Files and Directories

Privileged File Operations

  • Setuid/Setgid Bit Set On File: Alerts when the setuid or setgid bit is set on a file with chmod. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Persistence.Setuid and Setgid

Network Activity

Network Service Behavior

  • Network Service Created: Alerts when a program starts a new network service, if the program is already part of an ongoing incident. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments. This event is auditable and can be audited separately from use as a Smart Policy.

Discovery

  • Network Connection Enumeration Via Program: Alerts when a program associated with network connection enumeration is executed, if the program is already part of an ongoing incident. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Discovery.System Network Connections Discovery
  • Cloud Metadata API Accessed: Requires sensor version 4.2. Alerts when a program accesses the cloud metadata API, if the program is already part of an ongoing incident. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Credential Access.Cloud Instance Metadata API

Outbound Connections

  • Unusual Outbound Connection Detected: Alerts when a program initiates a new connection on an uncommon port, if the program is already part of an ongoing incident. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Command and Control.Uncommonly Used Port

Process Activity

Discovery

  • Account Enumeration Via Program: Alerts when a program associated with account enumeration is executed, if the program is already part of an ongoing incident. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Collection.Data from Local System
    • MITRE.Discovery.Account Discovery
    • MITRE.Discovery.Permission Groups Discovery
  • Network Configuration Enumeration Via Program: Alerts when a program associated with network configuration enumeration is executed. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Discovery.System Network Configuration Discovery
  • System Information Enumeration Via Program: Alerts when a program associated with system information enumeration is executed, if the program is already part of an ongoing incident. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Collection.Data from Local System
    • MITRE.Discovery.System Information Discovery
  • File and Directory Discovery Via Program: Alerts when a program associated with file and directory enumeration is executed, if the program is already part of an ongoing incident. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Collection.Data from Local System
    • MITRE.Discovery.File and Directory Discovery

User Activity

User Account Changes

  • SSH Authorized Keys Modification: Alerts when an attempt to write to a user’s SSH authorized_keys file is observed, if the program is already part of an ongoing incident. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments. This event is auditable and can be audited separately from use as a Smart Policy.
    • MITRE.Persistence.Valid Accounts

Audit

File Activity

Configuration Changes

  • Root Certificate Store Modified: Alerts when a system CA certificate store is changed. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Defense Evasion.Install Root Certificate

Changes to System Binaries

  • Boot Files Modified: Alerts when changes are made to files in /boot, indicating installation of a new kernel or boot configuration. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Persistence.Bootkit

System Configuration Changes

  • Systemd Unit File Modified: Alerts whenever a systemd unit file is modified by a program other than systemctl. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Persistence.Systemd Service

Indicator Removal

  • Log Files Deleted: Alerts on deletion of log files. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Defense Evasion.File Deletion
    • MITRE.Defense Evasion.Indicator Removal on Host

Network Activity

Lateral Movement

  • Network Service Scanner Executed: Alerts when common network scanning tools are executed.
    • MITRE.Discovery.Network Service Scanning

Network Sniffing

  • Network Sniffing Program Executed: Alerts when a program is executed that allows network capture.
    • MITRE.Credential Access.Network Sniffing
    • MITRE.Discovery.Network Sniffing

Process Activity

Scheduled Task Changes

  • Scheduled Tasks Modified Via Program: Alerts when the crontab command is used to modify cron job configurations.
    • MITRE.Execution.Local Job Scheduling
    • MITRE.Persistence.Local Job Scheduling
  • Scheduled Tasks Modified Via File: Alerts when a cron-related file is modified, indicating a change to scheduled job configurations. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Execution.Local Job Scheduling
    • MITRE.Persistence.Local Job Scheduling

System Configuration Changes

  • Systemctl Usage Detected: Alerts when the systemctl command is used to modify systemd units.
    • MITRE.Persistence.Systemd Service

Compiler Usage

  • Compiler Usage: Alerts when a program is executed that compiles a binary.
    • MITRE.Defense Evasion.Compile After Delivery

Debugging

  • Process Injection: Alerts when a program uses ptrace mechanisms to interact with another process.
    • MITRE.Defense Evasion.Process Injection
    • MITRE.Privilege Escalation.Process Injection

Abnormal Process Execution

  • New File Executed: Alerts when a file that has been created or modified within 30 minutes is then executed. Excludes files created by system update programs. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Initial Access.Exploit Public-Facing Application

User Activity

User Account Changes

  • Password Database Modification: Alerts when a file related to user passwords is modified by a program unrelated to updating existing user information. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Persistence.Create Account
  • User Account Created Via CLI: Alerts when an identity management program is executed by a program other than a package manager.
    • MITRE.Persistence.Create Account
  • User Configuration Changes: Alerts when .bash_profile and .bashrc (as well as related files) are modified by an unexpected program. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Persistence.bash_profile and bashrc
  • Account Modification: Alerts when a file related to identity management is modified by a program unrelated to updating existing user information. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Persistence.Create Account

Privileged Command Usage

  • User Execution Of su Command: Alerts when the ‘su’ command is executed.
    • MITRE.Privilege Escalation.Sudo
  • User Execution Of sudo Command: Alerts when the ‘sudo’ command is executed.
    • MITRE.Privilege Escalation.Sudo

Risky Developer Activity

  • User Login Via SSH: Alerts when an interactive shell process is started by a valid system user via SSH.
    • MITRE.Initial Access.Valid Accounts
    • MITRE.Execution.Command-Line Interface
    • MITRE.Execution.User Execution
  • User Command History Cleared: Alerts when command line history files are deleted. This is disabled by default as tracking for this detection can incur a performance impact on some workloads, and can issue false positive alerts in some environments.
    • MITRE.Defense Evasion.Clear Command History
  • Shell Command Executed: Alerts when a command is executed by a valid system user via SSH.
    • MITRE.Initial Access.Valid Accounts
    • MITRE.Execution.Command-Line Interface
    • MITRE.Execution.User Execution