Capsule8 Docs

Abnormal Activity Strategies

Abnormal Activity defines a family of strategies containing policies that detect abnormal behavior in a system or across deployments.

For example, Abnormal Activity strategies can help you discover users running commands they have never run before or discrepancies across machines that are supposed to be behaving similarly.

How to create an Abnormal Activity Strategy

  • Application Activity: Abnormal application activity (syscalls etc.)
  • System Activity: Abnormal system-wide activity (processes, network events etc.)
  • User Activity: Abnormal user activity (login times, behavioral patterns)
  • Generic: Any exploitation technique not falling within the above categories

Strategy types

Application Activity

Strategy      Description
userfaultfd   Monitors for calls of the userfaultfd syscall

System Activity

Strategy                 Description
connect                  Provides network-level IP-based policy monitoring for TCP connections
file                     Monitors calls that create files and generates alerts for creation of file names in disallowed locations
fileMonitor              Monitors calls that create, link, modify, rename or delete files and generates alerts upon violation of a policy specified by path, operation type or the program performing the operation
interactiveShell         Provides policy monitoring of interactive shell sessions (like /bin/bash)
loadKernelModule         Detects whenever a kernel module is loaded
networkService           Monitors newly created network services
newFileExec              Watches for execution of newly-created files by non-whitelisted programs
program                  Monitors program execution and compares the program name to its configured filters
remoteInteractiveShell   Monitors for interactive shells processing input/output from a network connection, such as the behavior exhibited by exploit payloads using mechanisms like the bash shell's /dev/tcp to connect back to an attacker's machine
sendto                   Provides network-level IP-based policy monitoring for TCP connections, comparing the destination IP of outbound TCP connections against its configured filters
shellCommand             Provides policy monitoring of commands from interactive shell sessions (like /bin/bash, /bin/sh, etc.)
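To make two of the rows above concrete, here is an added example (not Capsule8 code) of the detection logic behind remoteInteractiveShell and newFileExec, run over a constructed event stream. The Event record, the SHELLS set, the EXEC_ALLOWLIST and the sample events are all assumptions made for this illustration; the fd targets mimic what /proc/<pid>/fd links look like on Linux.

```python
from dataclasses import dataclass, field

# Programs treated as interactive shells by the remoteInteractiveShell rule (assumed list)
SHELLS = {"bash", "sh", "dash", "zsh", "ash"}

# Hypothetical allowlist for newFileExec: parents permitted to execute freshly created files
EXEC_ALLOWLIST = {"make", "pip", "dpkg"}


@dataclass
class Event:
    kind: str              # "create" (file created) or "exec" (program executed)
    pid: int
    comm: str              # program name of the process involved
    path: str = ""         # file created, or binary executed
    parent: str = ""       # exec only: program that performed the exec
    fds: dict = field(default_factory=dict)  # exec only: fd -> target, as in /proc/<pid>/fd


def is_remote_interactive_shell(ev: Event) -> bool:
    """remoteInteractiveShell: a shell whose stdin and stdout are both sockets."""
    if ev.kind != "exec" or ev.comm not in SHELLS:
        return False
    # A shell driven from a terminal has /dev/pts/N here; a network-driven one has a socket
    return all(ev.fds.get(n, "").startswith("socket:") for n in (0, 1))


def detect(events, allowlist=EXEC_ALLOWLIST):
    """Run both rules over an ordered event stream and return the alerts raised."""
    alerts = []
    created = {}  # path -> program that created it within this observation window
    for ev in events:
        if ev.kind == "create":
            created[ev.path] = ev.comm
        elif ev.kind == "exec":
            if is_remote_interactive_shell(ev):
                alerts.append(("remoteInteractiveShell", ev.pid, ev.comm))
            # newFileExec: a file created in-window is executed by a non-allowlisted parent
            if ev.path in created and ev.parent not in allowlist:
                alerts.append(("newFileExec", ev.pid, ev.path))
    return alerts


# Constructed sample stream (not real telemetry)
SAMPLE_EVENTS = [
    Event("create", 101, "curl", "/tmp/update.sh"),
    Event("exec", 102, "update.sh", "/tmp/update.sh", parent="sh"),
    Event("exec", 103, "bash", "/bin/bash", parent="update.sh",
          fds={0: "socket:[4242]", 1: "socket:[4242]", 2: "socket:[4242]"}),
    Event("create", 201, "gcc", "/var/cache/build/app"),
    Event("exec", 202, "app", "/var/cache/build/app", parent="make"),   # allowlisted parent
    Event("exec", 301, "bash", "/bin/bash", parent="sshd",
          fds={0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),     # terminal-backed shell
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it raises exactly two alerts: the script downloaded by curl is flagged under newFileExec when sh executes it, and the bash instance whose standard streams are sockets is flagged under remoteInteractiveShell; the build artefact run by make and the sshd-spawned shell on a pseudo-terminal are both left alone.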

Default Abnormal Activity Strategies

Strategy Name                      Strategy Type
Bitcoin Miner                      connect
Container Escape - File            fileMonitor
cron File Changes                  fileMonitor
Email Server Executed Command      program
Jenkins Execution                  program
Non-Standard Interactive Shell     interactiveShell
Process Injection - File           fileMonitor
SSH Pubkey Added                   fileMonitor