Capsule8 Docs
Capsule8 Docs

Exploitation Strategies

Exploitation defines a family of strategies containing policies that guard against known exploitation techniques.

For example, Exploitation can help you discover stack smashing, privilege escalation, process injection, and ret2usr.

How to create an Exploitation Strategy

  • Defense Evasion: Any technique bypassing a defense (e.g., AppArmor)
  • Generic: Any exploitation technique not falling within the above categories
  • Injection: Any technique involing command injection, process injection etc.
  • Privilege Escalation: Any technique involing privilege escalation
  • Side-Channel: Any technique involing side-channels (CPU, cache etc.)

Policy types

Defense Evasion

Strategy Description
appArmor Detects if AppArmor settings are illegally modified
selinux Detects if a kernel exploit illegally modified the SELinux settings
smepSmap Monitors for kernel exploitation attempts which involve disabling specific kernel memory protection mechanisms (as is common in kernel-based local-privilege-escalation exploits)


Strategy Description
bpfExec Provides monitoring for attempts to call the BPF subsystem
containerEscape Provides monitoring for attempts to escape running containers
kernelPayload Detects when kernel functions commonly used by kernel based exploits are called in unusual ways, in patterns that are unique to kernel exploitation
memoryProtection Provides monitoring for attempts to exploit memory-mismanagement software vulnerabilities
setrlimit Detects when a process’ maximum stack size is set to an unusually high value
stackPivotDetection Examines the stack pointer on certain syscalls and ensures that it is within normal stack bounds
userfaultfd Monitors for calls of the userfaultfd syscall


Strategy Description
ptrace Monitors for usage of system calls that are typically used by debuggers or other process injection tools

Privilege Escalation

Strategy Description
chmod Produces an alert if a permission change matching the rules set occurs
privilegeEscalation Monitors for privilege escalation attacks that overwrite process privileges without going through a setuid or setgid call
setPrivilege Monitors calls to the setuid and setgid family of system calls used by processes to run with the privileges of a specific user or group

Side Channel

Strategy Description
spectreMeltdown Monitors for spectre or meltdown attacks by monitoring hardware performance counters

Default Exploitation Strategies

Strategy Name Strategy Type
AppArmor Tampering appArmor
Container Escape containerEscape
Credential Exploit privilegeEscalation
Kernel Exploit kernelPayload
Kernel Memory Protection Tampering smepSmap
Process Manipulation ptrace
Repeated Program Crashes segfault
SELinux Tampering selinux
Userland Exploit - Executable Memory memoryProtection
Userland Exploit - Stack stackPivotDetection