Falco Rules Changelog

Falco rules are used in the Sysdig Secure Policy Editor. On this page, you can read the most recent changes to Falco Rules.

Subscribe to the RSS feed to stay updated with the latest Falco rules.

Commit Date

Rule Notes

Version of the Falco Rules Installer (On-Prem)

February 21, 2024

Rule Changes

  • Reduced false positive for the Suspicious System Service Modificationrule

0.139.1

February 20, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Kernel startup modules changed

    • Suspicious Cron Modification

    • eBPF Program Loaded into Kernel

    • Mount Launched in Privileged Container

    • Find AWS Credentials

    • Launch Root User Container

    • Change thread namespace

    • Non sudo setuid

  • Updated Indicators of Compromise rulesets with new findings

  • Improved output for AWS rules - Event Summary

  • Improved condition for for the following rules:

    • Suspicious System Service Modification

    • Discovery Security Service Activity Detected

    • Mount Launched in Privileged Container

    • Update Package Repository

  • Added the following rules:

    • RDS Delete DB Instance

    • RDS Create DB Instance

    • Peripheral Device Discovery Activity Detected

    • Interactive Reconnaissance Activity Detected

    • Suspicious Docker Options

    • Possible SSH Hijacking Attempt Detected

Default Policy Changes

  • Added the following rules:

    • RDS Delete DB Instance

    • RDS Create DB Instance

    • Peripheral Device Discovery Activity Detected

    • Interactive Reconnaissance Activity Detected

    • Suspicious Docker Options

    • Possible SSH Hijacking Attempt Detected

  • Update policy for the following rules:

    • Suspicious RC Script Modification

    • Hardware Added to the System

    • Suspicious Chdir Event Detected

0.139.0

February 19, 2024

Rule Changes

  • Improved output for the Attach to cluster-admin Role rule

  • Reduced false positives for the following rules:

    • Set Setuid or Setgid bit

    • System procs network activity

    • Container escape via discretionary access control

    • Possible Backdoor using BPF

    • Create Symlink Over Sensitive Files

    • eBPF Program Loaded into Kernel

  • Updated Indicators of Compromise (IoCs) rulesets with new findings

0.138.3

February 15, 2024

Rule Changes

  • Reduced false positive for the following rules:

    • Mount Launched in Privileged Container

    • Possible Backdoor using BPF

    • Modification of pam.d detected

    • eBPF Program Loaded into Kernel

  • Updated Indicators of Compromise (IoCs) rulesets with new findings

0.138.2

February 14, 2024

Rule Changes

  • Reduced false positive for the following rules:

    • Find AWS Credentials

    • System procs network activity

    • Launch Root User Container

    • Suspicious Cron Modification

    • System Geolocation Discovery

    • Launch Ingress Remote File Copy Tools in Container

  • Fixed tags for the ld.so.preloadcode> rule

  • Improved performance of the Modify binary dirs rule

  • Fixed description for the Discovery Security Service Activity Detected rule

  • Updated Indicators of Compromise (IoCs) rulesets with new findings

  • Updated Sysdig Mitre Attack Mapper

Default Policy Changes

  • Updated policy for the System Geolocation Discovery rule

0.138.1

February 13, 2024

Rule Changes

  • Reduced false positive for the following rules:

    • Suspicious Cron Modification

    • Search Private Keys or Passwords

    • Kernel startup modules changed

    • Kernel Module Loaded by Unexpected Program

  • Added the following rules

    • Exfiltrating Artifacts via Kubernetes Control Plane

    • Discovery Security Service Activity Detected

    • Suspicious RC Script Modification

    • Azure Read Service SAS Token for a Storage Account

    • CloudShell Download File

    • Create Support Case

  • Improved condition for the following:

    • AWS reconnaissance rules

    • Hide Process with Mount rule

    • Suspicious Home Directory Creation rule

    • inbound_outbound macro

    • inbound macro

  • Improve coverage for T1025, T1092, and T1129

  • IoCs update

Default Policy Changes

Added the following rules:

  • Exfiltrating Artifacts via Kubernetes Control Plane

  • Discovery Security Service Activity Detected

  • Suspicious RC Script Modification

  • Azure Read Service SAS Token for a Storage Account

  • CloudShell Download File

  • Create Support Case

0.138.0

February 12, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Launch Root User Container

    • Find AWS Credentials

    • Suspicious Cron Modification

    • eBPF Program Loaded into Kernel

    • Possible Backdoor using BPF

  • Improved condition for Hide Process with Mount rule

  • Improved coverage for T1554

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.137.4

February 09, 2024

Rule Changes

  • Improved tag T113 for the Workload rules

  • Reduced FPs for the following rules:

    • Modify ld.so.preload

    • Possible Backdoor using BPF

    • nsenter Container Escape

    • Find AWS Credentials

  • Fixed condition for the Possible Backdoor using BPF rule

  • IoCs update

0.137.3

February 08, 2024

Rule Changes

  • Improved condition for the following macros:

    • inbound_outbound

    • inbound

    • device_mounted_exists

  • ImprovedHide Process with Mountrule.

  • Improve output for Kernel Module Loaded by Unexpected Program rule

  • Reduced false positive for the following rules:

    • eBPF Program Loaded into Kernel

    • Suspicious device created in container

    • Suspicious Cron Modification

    • Mount Launched in Privileged Container

    • Modify ld.so.preload

    • Kernel Module Loaded by Unexpected Program

  • Improved the rfc_1918_addresses list

  • Updated IoCs

0.137.2

February 07, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Mount Launched in Privileged Container

    • Change thread namespace

    • Non sudo setuid

    • Find GCP Credentials

    • Kernel Module Loaded by Unexpected Program

    • eBPF Program Loaded into Kernel

  • IoCs update

  • Improved coverage for T1052 and T1102

0.137.1

February 06, 2024

Rule Changes

  • IoCs update

  • Reduced false positives for the following rules:

    • Possible Backdoor using BPF

    • Suspicious Cron Modification

    • Kernel startup modules changed

    • eBPF Program Loaded into Kernel

    • eBPF Program Loaded into Kernel

    • Possible Backdoor using BPF

    • Packet socket created in container

    • Suspicious Cron Modification

    • Terminal Shell in Container

    • Possible Backdoor using BPF

    • Kernel startup modules changed

    • Suspicious Cron Modification

    • Suspicious System Service Modification

    • Write below etc

    • Suspicious Cron Modification

    • Possible Backdoor using BPF

    • Launch Root User Container

    • Suspicious Domain Contacted

    • Non sudo setuid

    • Suspicious Cron Modification

    • Possible Backdoor using BPF

    • Malicious IPs or domains detected on command line

    • nsenter Container Escape

    • Kernel startup modules changed

    • Suspicious Cron Modification

  • Improved condition for the following rules:

    • Suspicious device created in container

    • Suspicious Java Child Processes

    • Run shell untrusted

    • Create Hidden Files or Directories

  • Improved output for Workload rules - Event Summary

  • Improved tags for Workload rules - MITRE T1555

  • Added the following rules:

    • Suspicious Chdir Event Detected

    • Kernel Module Loaded by Unexpected Program

    • System Geolocation Discovery

    • Miner Filename Pushed to Repository

    • Mount on Container Path Detected

    • Hardware Added to the System

    • Abuse Sudo for Privilege Escalation

    • Suspicious Connection to K8S API Server From Container

Default Policy Changes

Added the following rules:

  • Suspicious Chdir Event Detected

  • Kernel Module Loaded by Unexpected Program

  • System Geolocation Discovery

  • Miner Filename Pushed to Repository

  • Mount on Container Path Detected

  • Hardware Added to the System

  • Abuse Sudo for Privilege Escalation

  • Suspicious Connection to K8S API Server From Container

0.137.0

February 05, 2024

What's Changed

Rule Changes

Reduced false positive for the following rules:

  • Kernel startup modules changed

  • Suspicious Cron Modification

0.136.8

February 02, 2024

Rule Changes

Reduced false positives for the following:

  • Suspicious Cron Modification
  • Packet socket created in container
  • Possible Backdoor using BPF
  • eBPF Program Loaded into Kernel

0.136.7

February 01, 2024

Rule Changes

Reduced false positives for the following:

  • Suspicious System Service Modification

  • Suspicious Cron Modification

  • Kernel startup modules changed

  • Possible Backdoor using BPF

  • Terminal Shell in Container

0.136.6

January 31, 2024

Rule Changes

Reduced false positives for the following:

  • Launch Root User Container

  • Suspicious Domain Contacted

  • Non sudo setuid

  • Suspicious Cron Modification

  • Possible Backdoor using BPF

  • Write below etc

0.136.5

January 29, 2024

Rule Changes

  • Added macro internal_domains_connection_data

  • Improved MITRE ATTCK tags for T1016

  • Reduced false positives for the following rules:

    • Write below etc

    • eBPF Program Loaded into Kernel

    • Possible Backdoor using BPF

    • Possible Backdoor using BPF

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.136.4

January 26, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Domain Contacted

    • Write below etc

    • Fileless Malware Detected

    • Possible Backdoor using BPF

    • Improved output for Workload Rules - Event Summary

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.136.3

January 25, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Non sudo setuid

    • Contact K8S API Server From Container

    • Container escape via discretionary access control

    • Possible Backdoor using BPF

    • Launch Root User Container

    • Write below etc

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.136.2

January 24, 2024

Rule Changes

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

  • Reduced false positives for the following rules:

    • Service Discovery Activity Detected

    • Write below root

    • Write below etc

    • Possible Backdoor using BPF

    • Find GCP Credentials

    • Create Privileged Pod

0.136.1

January 23, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Modify Shell Configuration File

    • Launch Ingress Remote File Copy Tools in Container

    • Possible Backdoor using BPF

    • Write below etc

  • Added the following rules:

    • Query to Window Management System Detected

    • Access to Clipboard Data Detected

    • Service Discovery Activity Detected

    • Suspicious Access To Kerberos Secrets

    • SES Delete Identity Policy

    • SES Update Identity Policy

    • SES Attach Policy to Identity

  • Improved condition for the following rules:

    • Suspicious Home Directory Creation

    • Find GCP Credentials

    • Get Secret Value

    • Create Lambda Function Not Using Latest Runtime

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

  • Default Policy Changes

  • Added the following rules:

    • Query to Window Management System Detected

    • Access to Clipboard Data Detected

    • Service Discovery Activity Detected

    • Suspicious Access To Kerberos Secrets

    • SES Delete Identity Policy

    • SES Update Identity Policy

    • SES Attach Policy to Identity

0.136.0

January 22, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF Program Loaded into Kernel

    • Change thread namespace

    • Write below root

    • Contact K8S API Server From Container

    • Possible Backdoor using BPF

    • Mount Launched in Privileged Container

    • Non sudo setuid

    • Write below etc

    • Modification of pam.d detected

    • Launch Ingress Remote File Copy Tools in Container

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.135.5

January 19, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • nsenter Container Escape

    • Write below etc

    • Modification of pam.d detected

    • Write below root

    • Possible Backdoor using BPF

    • Contact K8S API Server From Container

    • Connection to IPFS Network Detected

    • Launch Root User Container

    • Create Symlink Over Sensitive Files

    • Non sudo setuid

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.135.4

January 18, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Contact K8S API Server From Container

    • Launch Sensitive Mount Container

    • Launch Root User Container

    • Write below root

0.135.3

January 18, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Non sudo setuid

    • Launch Privileged Container

    • Suspicious Cron Modification

  • Improved descriptions for Hide Process with Mount rule.

  • Improved output for Workload rules - Event Summary

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.135.2

January 17, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Possible Backdoor using BPF

    • Mount Launched in Privileged Container

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.135.1

January 16, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Mount Launched in Privileged Container

    • nsenter Container Escape

    • Possible Backdoor using BPF

    • eFileless Malware Detected (memfd)

  • Added the following rules:

    • Password Policy Discovery Activity Detected

    • Hide Process with Mount

    • Modify Grub Configuration Files

  • Updated IoCs

  • Updated tags for Contact K8S API Server From Container rule.

  • Improved conditions for cContact K8S API Server From Container rule.

  • Improved list package_mgmt_binaries and macro package_listing

  • Improved condition for Container image built on host rule.

  • Improved tags for Workload rules - MITRE T1550 list.

  • Improved iptables_similar list.

  • Improved iptables_similar list.

  • Improved iptables_similar list.

  • Deprecated the following rules:

    • Malicious process detected

    • Creation attempt Azure Secure Transfer Required Set to Disabled

    • Azure Access Level creation attempt for Blob Container Set to Publicrule.

    • Azure Blob Created

    • Azure Blob Deleted

    • Azure Create/Update a Storage Account

    • Azure Delete a Storage Account

    • Azure Delete Function Key

    • Azure Create/Update a Storage Account

    • Azure Create/Update a Storage Account

    Default Policy Changes

  • Added the following rules:

    • Password Policy Discovery Activity Detected

    • Hide Process with Mount

    • Modify Grub Configuration Files

  • Updated the policy for Ransomware Filenames Detectedrule.

  • Improved condition for Contact K8S API Server From Containerrule.

0.135.0

January 15, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Mount Launched in Privileged Container

    • Kernel startup modules changed

    • Possible Backdoor using BPF

    • eBPF Program Loaded into Kernel

    • Write below root

  • Improvedfalco_privileged_images and falco_sensitive_mount_images lists.

  • Updated IoCs

0.134.4

January 12, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Write below etc

    • PTRACE attached to process

    • Launch Sensitive Mount Container

  • Improved tags for Workload Rules - Financial Theft.

  • Improve output for Workload Rules - Event Summary - End of Enabled rules.

0.134.3

January 11, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Kernel startup modules changed

    • Possible Backdoor using BPF

    • Suspicious Cron Modification

    • Fileless Malware Detected (memfd)

  • Improved tags for Suspicious Operations with Firewalls rule.

  • Improved output for Workload Rules - Event Summary.

  • Updated Indicators of Compromise (IoCs) rulesets with new findings.

0.134.2

January 10, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Kernel startup modules changed

    • Possible backdoor using BPF

    • Launch Root User Container

    • Packet socket created in container

    • Suspicious Operations with Firewalls

  • Improved tags for Workload Rules.

  • Updated Indicators of Compromise (IoCs).

Default Policy Changes

  • Updated the policy for nsenter Container Escape rule.

0.134.1

January 09, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Possible Backdoor using BPF

    • Suspicious Cron Modification

    • Packet socket created in container

    • Clear Log Activities

  • Added the following rules:

    • Simple Email Service (SES) Verify Identity

    • SES Update Account Sending

    • SES Delete Identity

    • SES Create SMTP

    • SNS Delete Subscription

    • SNS Delete Topic

    • SNS Get SMS Sending Information

    • Organization Update Service Control Policy

    • Organization Create Service Control Policy

    • Organization Delete Service Control Policy

    • Repository Fork Set to Public

    • Repository Fork Set to Private

    • Attach SES Policy to User

    • Auditd Logging Commands

    • Repository Fork Set to Public

  • Improved output for Workload Rules - Event Summary.

  • Imoroved condition for the following rules:

    • Get Federation Token with Admin Policy
    • Ransomware Filenames Detected

    • Detect malicious cmdlines

    • nsenter Container Escape

    • Mount Launched in Privileged Container

    • Put Bucket ACL for AllUsers

    Default Policy Changes

  • Updated policies for the following rules:

    • AWS CLI used with endpoint url parameter rule

    • Ransomware Filenames Detected

    • Azure Blob Created, Azure Blob Deleted

0.134.0

January 08, 2024

Rule Changes

  • Reduced false positives for the following rule:

    • Contact EC2 Instance Metadata Service From Container

0.133.14

January 05, 2024

Rule Changes

  • Reduced for the following rules:

    • Modification of pam.d detected

    • Possible Backdoor using BPF

    • Suspicious Cron Modification

    • PTRACE attached to process

  • Updated the IoCs Ruleset with new findings.

  • Improved condition for the Ransomware Filenames Detectedrule.

0.133.13

January 04, 2024

Rule Changes

  • Reduced false positives for the following rules:

    •  Modification of pam.d detected

    • Non sudo setuid

    • Execution from /tmp

    • Suspicious Cron Modification

    • Suspicious Cron Modification

    • Set Setuid or Setgid bit

    • Read sensitive file untrusted

  • Updated the IoCs Ruleset with new findings.

  • Added the Ransomware Filenames Detectedrule.

Default Policy Changes

  • Added the Ransomware Filenames Detectedrule.

  • Policy updated for Azure Blob Created and Azure Blob Deletedrules.

0.133.12

January 03, 2024

    Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Possible Backdoor using BPF

    • eBPF Program Loaded into Kernel

  • Updated the IoCs Ruleset with new findings.

0.133.11

December 22, 2023

Rule Changes

Reduced false positives for the following rules:

  • Change memory swap options

  • Packet socket created in container

  • eBPF Program Loaded into Kernel

0.133.10

December 21, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Read ssh information

    • eBPF Program Loaded into Kernel

  • Improved condition for the Detect outbound connections to Proxy/VPN rule.

  • Updated the IoCs Ruleset with new findings.

0.133.9

December 20, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Clear Log Activities

    • Possible Backdoor using BPF

  • Improved condition for the Detect outbound connections to TOR Entry Nodes rule.

  • Updated the IoCs Ruleset with new findings.

0.133.8

December 19, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Create Hidden Files or Directories

    • Suspicious Cron Modification

    • eBPF Program Loaded into Kernel

    • Write below etc

    • Launch Sensitive Mount Container

    • Launch Root User Container

  • Improved condition for the following rule:Connection to IPFS Network Detected

  • Updated the IoCs Ruleset with new findings.

0.133.7

December 18, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Non sudo setuid

    • Launch Root User Container

  • Improved condition for the following rules:

    • Unprivileged Delegation of Page Faults Handling to a Userspace Process

    • AWS CLI used with endpoint url parameter

  • Improved output for the Connection to IPFS Network Detectedrule.

  • Updated the IoCs Ruleset with new findings.

0.133.6

December 15, 2023

Rule Changes

  • Reduced false postives for the following rules:

    • Launch Privileged Container

    • Set Setuid or Setgid bit

    • AWS CLI used with endpoint url parameter

  • Improved output for the following rules:

    • Detect outbound connections to TOR Entry Nodes

    • Detect crypto miners using the Stratum protocol

    • Connection to IPFS Network Detected

  • Updated the IoCs Ruleset with new findings.

  • Improved coverage for the Inhibit System Recoverytechnique.

0.133.5

December 14, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Connection to IPFS Network Detected

    • Packet socket created in container

    • Possible Backdoor using BPF

    • eBPF Program Loaded into Kernel

  • Updated the IoCs Ruleset with new findings.

0.133.4

December 11, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • eBPF Program Loaded into Kernel

    • Possible Backdoor using BPF

    • Launch Root User Containerl

    • Launch Sensitive Mount Container

    • Fileless Malware Detected (memfd)F

    • Create Symlink Over Sensitive Files

  • Updated the IoCs Ruleset with new findings.

0.133.1

December 04, 2023

Rule Changes

  • Improved condition for the following rules:

    • Redirect STDOUT/STDIN to Network Connection in Container

    • Redirect STDOUT/STDIN to Network Connection in Host

  • Improved output for the following rules:

    • Suspicious Home Directory Creation

    • Detect outbound connections to Proxy/VPN

  • Added the following rules:

    • New GitHub Action Workflow Deployed

    • Okta Multiple Application Requests with Invalid Credentials

    • Push on Github Actions Detected

    • Okta MFA Bypass Attempt

  • Remove macro from the Detect outbound connections to common miner pool ports rule.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

Added the following rules:

  • New GitHub Action Workflow Deployed

  • Okta Multiple Application Requests with Invalid Credentials

  • Push on Github Actions Detected

  • Okta MFA Bypass Attempt

0.133.0

December 03, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Modify binary dirs

    • Packet socket created in container

    • Possible Backdoor using BPF

    • eBPF Program Loaded into Kernel

  • Updated the IoCs Ruleset with new findings.

0.132.5

November 30, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Write below etc

    • Azure RDP Access Is Allowed from The Internet

    • Possible Backdoor using BPF

    • Azure SSH Access Is Allowed from The Internet

    • Read Shell Configuration File

    • Packet socket created in container

  • Updated the IoCs Ruleset with new findings.

0.132.4

November 30, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Launch Privileged Container

    • Possible Backdoor using BPF

    • Modification of pam.d detected

    • Read ssh information

  • Updated the IoCs Ruleset with new findings.

0.132.2

November 29, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Read ssh information

    • Suspicious Cron Modification

    • Possible Backdoor using BPF

    • Non sudo setuid

  • Updated the IoCs Ruleset with new findings.

0.132.1

November 28, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Possible Backdoor using BPF

    • eBPF Program Loaded into Kernel

    • Fileless Malware Detected (memfd)

    • Modification of pam.d detected

    • Suspicious Cron Modification

  • Added the following rules:

    • Update Secret in Secrets Manager

    • Delete Secret in Secrets Manager

    • Create Secret in Secrets Manager

    • Cancel Secret Rotation in Secrets Manager

    • Azure Create/Update User Managed Identity

    • Azure Create/Update a Public IP Address

    • Azure Create/Update a Key Vault

    • Azure Delete a Public IP Address

    • Azure Delete a Key Vault

    • Azure Delete User Managed Identity

    • CODEOWNERS file modified

    • Okta One-Time Token Reused

  • Improved the network_tool_binaries list.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rules:

    • Update Secret in Secrets Manager

    • Delete Secret in Secrets Manager

    • Create Secret in Secrets Manager

    • Cancel Secret Rotation in Secrets Manager

    • Azure Create/Update User Managed Identity

    • Azure Create/Update a Public IP Address

    • Azure Create/Update a Key Vault

    • Azure Delete a Public IP Address

    • Azure Delete a Key Vault

    • Azure Delete User Managed Identity

    • CODEOWNERS file modified

    • Okta One-Time Token Reused

0.132.0

November 27, 2023

Rule Changes

  • Restored the Azure duplicated rules which were previously removed.

Default Policy Changes

  • Restored the Azure duplicated rules which were previously removed.

0.131.7

November 25, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Contact EC2 Instance Metadata Service From Containe

    • Non sudo setuid

  • Improved condition for the following:

    • Azure Delete a Run Command on the Virtual Machine rule.

    • chmod macro.

Default Policy Changes

  • Updated policy for Azure duplicated rules.

0.131.5

November 24, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Launch Sensitive Mount Container

    • Create Symlink Over Sensitive Files

    • Kernel startup modules changed

    • Execution from /tmp

  • Changed rule name Azure Terminate the Virtual Machine to Azure Stop a Virtual Machine

  • Updated the IoCs Ruleset with new findings.

  • Updated MITRE tags.

Default Policy Changes

  • Change rule name Azure Terminate the Virtual Machine to Azure Stop a Virtual Machine.

0.131.4

November 23, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Write below etc

    • Mount Launched in Privileged Container

    • Modification of pam.d detected

    • Read Environment Variable from /proc files in Container

  • Updated the IoCs Ruleset with new findings.

  • Updated MITRE tags.

Default Policy Changes

Updated policy for the Azure Terminate the Virtual Machine rule.

0.131.3

November 22, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF program loaded into kernel

    • Suspicious Cron Modification

    • Write below root

    • Non sudo setuid

  • Updated the IoCs Ruleset with new findings.

0.131.2

November 21, 2023

Default Policy Changes

  • Updated policy for the Assume Role performed by an Assumed Role Identity rule.

0.131.1

November 21, 2023

Rule Changes

  • Reduced false positive for the following rules:

    • eBPF program loaded into kernel

    • Suspicious Cron Modification

    • Set Setuid or Setgid bit

    • Write below root

    • Detect outbound connections to common miner pool ports

  • Added the following rules:

    • Cloudtrail Management Events Disabled via Event Selectors

    • Assume Role performed by an Assumed Role Identity

  • Updated the policy for the Contact K8S API Server From Container rule.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rules:

    • Cloudtrail Management Events Disabled via Event Selectors

    • Assume Role performed by an Assumed Role Identity

  • Updated the policy for following rules:

    • Contact K8S API Server From Container

    • Contact Task Metadata Endpoint

0.131.0

November 20, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF program loaded into kernel

    • PTRACE attached to process

    • Set Setuid or Setgid bit

    • Non sudo setuid

    • Packet socket created in container

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Removed the Disallowed K8s User rule from Managed Policies.

0.130.8

November 17, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Modification of pam.d detected

    • Possible Backdoor using BPF

    • Packet socket created in container

    • Dump memory for credentials

    • Launch Remote File Copy Tools in Container

    • Suspicious cron modification

    • Base64-encoded Shell Script Execution

    • Fileless Malware Detected (memfd)

  • Fixed exception in Share RDS Snapshot with Foreign Account rule.

  • Improved output for the Github Webhook Connected rule.

  • Updated the indicators of compromise (IoC) Ruleset with new findings.

0.130.7

November 16, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF Program Loaded into Kernel

    • Launch Ingress Remote File Copy Tools in Container

    • Write below etc

    • Escape to host via command injection in process

  • Updated the IoCs Ruleset with new findings.

0.130.6

November 15, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Launch root user container

    • eBPF program loaded into kernel

    • Possible Backdoor using BPF

    • Non sudo setuid

    • Modification of pam.d detected

  • Improved output Okta ruleset.

  • Improved tags for the AWS RDS Master Password Update.

  • Updated the IoCs Ruleset with new findings.

0.130.5

November 14, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF program loaded into kernel

    • Mount Launched in Privileged Containe

    • Change thread namespace

  • Removed Sysdig images from the Terminal shell in container rule.

  • Improve description for the Okta Admin Console Access Velocity Behavior rule.

  • Updated policy for the SSM Get Parameter rule.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Updated the policy for the following rules:

    • EC2 Instance Connect/SSH Public Key Uploaded

    • SSM Get Parameter

0.130.4

November 13, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Non sudo setuid

    • Set Setuid or Setgid bit

    • Write below etc

    • Launch Sensitive Mount Container

    • Launch Root User Container

    • Write below root

    • Packet socket created in container

    • Launch privileged container

    • eBPF program loaded into kernel

0.130.3

November 10, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Mount Launched in Privileged Container

    • Possible Backdoor using BPF

    • Packet socket created in container

    • Non sudo setuid

0.130.2

November 08, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Modification of pam.d detected

    • Diamorphine Rootkit Activity

    • Write below root

    • eBPF program loaded into kernel

    • Write below etc

  • Updated the IoCs Ruleset with new findings.

0.130.1

November 07, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Mount Launched in Privileged Container

    • eBPF Program Loaded into Kernel

    • Modification of pam.d detected

  • Added the following rules:

    • Container image built on host

    • Leave Organization

    • EC2 Add User Data

    • SSM Get Parameter

    • EC2 Get User Data

  • Improved condition for the following rules:

    • System procs network activity

    • Potential UAC Bypass Using Registry Manipulation

    • ump memory for credentials

  • Improved the Windows suspicious_network_binaries list.

  • Updated description for the Malicious C2 IPs or domains exploiting log4j rule.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rules:

    • Container image built on host

    • Leave Organization

    • EC2 Add User Data

    • SSM Get Parameter

    • EC2 Get User Data

  • Updated the Remove MFA from user in Oktapolicy.

0.130.0

November 06, 2023

Rule Changes

Reduced false positives for the following rules:

  • eBPF Program Loaded into Kernel

  • Write below etc

  • Read Environment Variable from /proc files in Container

  • Modification of pam.d detected

  • Non sudo setuid

0.129.4

November 04, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Search Private Keys or Passwords

    • Fileless Malware Detected (memfd)

    • Mount Launched in Privileged Container

    • Modification of pam.d detected

    • SSH keys added to authorized_keys

    • Non sudo setuid

    • Possible backdoor using BPF

    • Change memory swap options

    • Kernel startup modules changed

  • Improved output for the Shutdown or Reboot detected rule.

  • Updated MITRE tags.

  • Improved condition for the Execution of binary using ld-linux rule.

0.129.3

November 02, 2023

Default Policy Changes

  • Updated theSysdig AWS Notable Events policy.

0.129.2

October 31, 2023

Rule Changes

  • Added the following rules:

    • Shutdown or Reboot detected

    • Get Federation Token with Admin Policy

    • Full Visibility on Federated Sessions

    • GCP CloudRun Service Started

    • Create Key Pair

    • Stop EC2 Instances

    • Get Lambda Function

    • Attach IAM Policy to Group

    • Escape to host via command injection in process

  • Updated the IoCs Ruleset with new findings.

  • Improved the network_tool_binarieslist.

  • Improved condition for the following rules:

    • GLIBC "Looney Tunables" Local Privilege Escalation

      CVE-2023-4911

    • Potential IRC connection detected

    • Put Object in Watched Bucket

Default Policy Changes

  • Added the following rules:

    • Shutdown or Reboot detected

    • Get Federation Token with Admin Policy

    • Full Visibility on Federated Sessions

    • GCP CloudRun Service Started

    • Create Key Pair

    • Stop EC2 Instances

    • Get Lambda Function

    • Attach IAM Policy to Group

    • Escape to host via command injection in process

  • Updated the policy for the following rule:

    • Change memory swap options

0.129.0

October 30, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious cron modification

    • Packet socket created in container

    • Fileless Malware Detected (memfd)

    • Modification of pam.d detected

    • Write below etc

    • Read SSH information

    • docker client is executed in a container

    • eBPF Program Loaded into Kernel

    • Write below rpm databasec

  • Updated the IoCs Ruleset with new findings.

  • Updated MITRE tags.

  • Improved output for the following:

    • Hexadecimal string detected

    • Output CloudRun Create Service

0.128.7

October 26, 2023

Added Windows support.

0.128.6

October 24, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Possible backdoor using BPF

    • Modification of pam.d detected

    • SSH keys added to authorized_keys

    • Kernel startup modules changed

  • Updated the IoCs Ruleset with new findings.

  • Updated MITRE tags.

  • Improved the condition for the Modification of pam.d detected rule.

0.128.4

October 23, 2023

Rule Changes

  • Updated Sysdig Mitre Attack Mapper.

  • Updated MITRE tags.

  • Reduced false positives for the following rules:

    • Fileless Malware Detected (memfd)

    • Modification of pam.d detected

    • Possible Backdoor using BPF

    • Suspicious Cron Modification

    • Packet socket created in container

    • Kernel startup modules changed

    • Modification of pam.d detected

    • Fileless Malware Detected (memfd)

    • Modify ld.so.preload

0.128.3

October 18, 2023

Rule Changes

Reduced false positives for the following rules:

  • Mount launched in privileged container

  • Kernel startup modules changed

  • Read SSH information

  • Possible Backdoor using BPF

0.128.2

October 17, 2023

Rule Changes

  • Reduced false positives for the following preview rules:

    • Unmount executed on host

    • System Time Discovery Detected

    • System Time Discovery Detected

    • Shutdown or Reboot detected

  • Updated MITRE tags.

  • Reduced false positives for the following rules:

    • Suspicious Cron Modification

    • Fileless Malware Detected (memfd)

    • eBPF Program Loaded into Kernel

0.128.1

October 06, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • eBPF Program Loaded into Kernel rule

    • Possible Backdoor using BPF

  • Improved condition for the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule.

  • Updated the IoCs Ruleset with new findings.

0.127.7

October 04, 2023

Rule Changes

  • Added the following rules:

    • CodeBuild Create Project with Miner

    • CodeBuild Start Build with Miner

    • CodeCommit Create Repository

    • CodeCommit Git Push

    • CodeBuild Create Project

    • CloudFormation Create Stack

    • SSH keys added to authorized_keys

    • SageMaker Create Notebook Instance Lifecycle Configuration

    • Image Builder Create Component

    • Amplify Create App

    • EC2 Create Auto Scaling Group

    • Potential IRC connection detected

    • CodeBuild Start Build

    • ECS Create Cluster

    • EC2 Create Launch Template

    • Change memory swap options

    • Azure Update a Web App's configuration settings

    • Azure Function App Create/Update a Connection

    • Azure Create/Update Web Apps Hostname Bindings

    • Azure Cosmos DB Delete MongoDB Database

    • Azure Cosmos DB Delete SQL DB Container

    • Azure Cosmos DB Delete Postgres Firewall Rule

    • Azure Cosmos DB Delete Postgres Cluster

    • Azure Cosmos DB Delete Service

    • Azure Cosmos DB Delete MongoDB Role Definition

    • Azure Cosmos DB Delete MongoDB User Definition

    • Azure Cosmos DB Delete MongoDB Database Collection

    • Azure Cosmos DB Delete Gramlin Database

    • Azure Cosmos DB Delete Gremlin Database Graphs

    • Azure Cosmos DB Delete Cassandra Keyspace

    • Azure Cosmos DB Delete Cassandra Table

    • Azure Cosmos DB Delete Database Account

    • Azure Cosmos DB Delete Table

    • Azure Cosmos DB Delete Postgres Role

    • Azure Cosmos DB Delete SQL Assignment

    • Azure Cosmos DB Delete SQL Database

    • Azure Cosmos DB Delete SQL User Defined Function

    • Azure Cosmos DB Delete SQL Trigger

    • Azure Cosmos DB Delete SQL Stored Procedure

    • Azure Cosmos DB Create SQL Assignment

    • Azure Cosmos DB Create Postgres Role

    • Azure Cosmos DB Create SQL Definition

    • Azure Cosmos DB Create SQL Database

    • Azure Cosmos DB Create SQL User Defined Function

    • Azure Cosmos DB Create SQL Trigger

    • Azure Cosmos DB Create SQL Stored Procedure

    • Azure Cosmos DB Create SQL DB Container

    • Azure Cosmos DB Create Postgres Firewall Rule

    • Azure Cosmos DB Create MongoDB Database

    • Azure Cosmos DB Create Postgres Cluster

    • Azure Cosmos DB Create MongoDB Role Definition

    • Azure Cosmos DB Create MongoDB User Definition

    • Azure Cosmos DB Create MongoDB Database Collection

    • Azure Cosmos DB Create Gramlin Database

    • Azure Cosmos DB Create Gremlin Database Graphs

    • Azure Cosmos DB Create Cassandra Keyspace

    • Azure Cosmos DB Create Cassandra Table

    • Azure Cosmos DB Create Database Account

    • Azure Cosmos DB Create Table

    • Azure Cosmos DB Create Service

  • Reduced false positivess for the following rules:

    • Read Environment Variable from /proc files in Container

    • Set Setuid or Setgid bit

    • Launch Suspicious Network Tool in Container

    • Non sudo setuid

    • Clear log activities

    • eBPF Program Loaded into Kernel

    • Search Private Keys or Passwords

  • Improved condition for the following rules:

    • Detect curl Using Socks Proxy

    • Detect cloned process by PRoot

  • Updated MITRE tags.

  • Updated policy for the Modification of pam.d detected rule.

  • Improved log_files list.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rules:

    • CodeBuild Create Project with Miner

    • CodeBuild Start Build with Miner

    • CodeCommit Create Repository

    • CodeCommit Git Push

    • CodeBuild Create Project

    • CloudFormation Create Stack

    • SSH keys added to authorized_keys

    • SageMaker Create Notebook Instance Lifecycle Configuration

    • Image Builder Create Component

    • Amplify Create App

    • EC2 Create Auto Scaling Group

    • Potential IRC connection detected

    • CodeBuild Start Build

    • ECS Create Cluster

    • EC2 Create Launch Template

    • Change memory swap options

  • Updated policy for the following rules:

    • Suspicious device created in container

    • Modification of pam.d detected

  • Added Simple Systems Manager (SSM) rules to awscloudtrail policy.

0.128.0

October 04, 2023

Rule Changes

Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule.

Default Policy Changes

Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule.

0.127.6

October 04, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Modify ld.so.preload

    • Contact EC2 Instance Metadata Service From Containe

  • Updated the IoCs Ruleset with new findings.

0.127.5

October 03, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Read Environment Variable from /proc files in Container

    • Set Setuid or Setgid bit

    • Launch Suspicious Network Tool in Container

    • Non sudo setuid

    • Clear log activities

    • eBPF Program Loaded into Kernel

    • Search Private Keys or Passwords

  • Updated the IoCs Ruleset with new findings.

0.127.4

September 29, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Possible Backdoor using BPF

    • AWS CLI used with endpoint url parameter

    • eBPF Program Loaded into Kernel

    • Non sudo setuid

  • Updated the MITRE tags.

  • Added thedns_traffic macro.

  • Improved the Okta rules.

  • Updated the IoCs Ruleset with new findings.

0.127.3

September 28, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Set Setuid or Setgid bit

    • Non sudo setuid

    • Launch root user container

    • Packet socket created in container

    • Redirect STDOUT/STDIN to Network Connection in Container

    • Fileless Malware Detected (memfd)

  • Updated MITRE tags.

  • Added exception for the Suspicious Domain Contacted rule.

  • Updated the IoCs Ruleset with new findings.

0.127.2

September 27, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Set Setuid or Setgid bit

    • Launch excessively capable container

    • Possible backdoor using BPF

    • Launch privileged container

  • Improved output for the Fileless Malware Detected (memfd) rule.

  • Updated the IoCs Ruleset with new findings.

0.127.1

September 26, 2023

Rule Changes

  • Added the following rules:

    • GCP VPC Add Peering

    • Okta Suspicious User Activity Report

    • Okta Admin Console Access via New Device

    • Okta FastPass Phishing Attempt

    • Modification of pam.d detected

    • GCP Modified VPC Network

    • GCP Create VPC Network

    • GCP VPC Remove Peering

    • Okta Admin Console Access Velocity Behavior

    • GCP Create Role

    • GCP Delete Route

    • Suspicious device created in container

    • GCP Update CloudSQL

    • Okta Admin Console Access with New Behaviors

    • GCP Create Route

    • Okta Sign-in via Proxy

    • Okta Create Identity Provider

    • K8s Pod Deleted

    • GCP Update Role

    • GCP Modify Audit Policy

    • SSM Start Session

    • Okta Admin Console Access Failure

  • Reduced false positives for the following rules:

    • eBPF Program Loaded into Kernel

    • Set Setuid or Setgid bit

    • Mount Launched in Privileged Container

    • Suspicious Cron Modification

    • Possible Backdoor using BPF

  • Improved condition for the following rules:

    • Okta CAPTCHA Settings Updated

    • Okta Suspicious IP Inbound Request

  • Updated MITRE tags.

  • Improved output for the Packet socket created in container rule.

  • Updated the IoCs Ruleset with new findings.

Default Policy Changes

  • Added the following rules:

    • GCP VPC Add Peering

    • Okta Suspicious User Activity Report

    • Okta Admin Console Access via New Device

    • Okta FastPass Phishing Attempt

    • Modification of pam.d detected

    • GCP Modified VPC Network

    • GCP Create VPC Network

    • GCP VPC Remove Peering

    • Okta Admin Console Access Velocity Behavior

    • GCP Create Role

    • GCP Delete Route

    • Suspicious device created in container

    • GCP Update CloudSQL

    • Okta Admin Console Access with New Behaviors

    • GCP Create Route

    • Okta Sign-in via Proxy

    • Okta Create Identity Provider

    • K8s Pod Deleted

    • GCP Update Role

    • GCP Modify Audit Policy

    • SSM Start Session

    • Okta Admin Console Access Failure

  • Updated policy for the following rules:

    • AWS CLI used with endpoint url parameter

    • Hexadecimal string detected

0.127.0

September 22, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Kernel startup module changed

    • Launch root user container

    • Read shell configuration file

    • Write below etc

  • Improved output for the SSM Send Command rule.

  • Updated the IoCs Ruleset with new findings.

  • Updated MITRE tag.

0.126.3

September 21, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Non Sudo Setuid

    • Mount Launched in Privileged Container

    • Fileless Malware Detected (memfd)

    • Base64-encoded Shell Script Execution

    • Mount Launched in Privileged Container

    • Packet socket created in container

    • Write below etc

    • Launch sensitive mount container

  • Updated the IoCs Ruleset with new findings.

  • Updated MITRE tag.

0.126.2

September 20, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • kernel startup module changed

    • Launch Privileged Container

  • Updated the IoCs Ruleset with new findings.

  • Fixed incorrect tags.

Default Policy Changes

Updated policy for the following rules:

  • CloudWatch Delete Alarms

  • Schedule Key Deletion

  • CloudWatch Delete Log Group

0.126.1

September 19, 2023

Rule Changes

  • Reduced false positives for the following rules:

    • Redirect STDOUT/STDIN to Network Connection in Container

    • Launch Root User Container

    • Suspicious Operations with Firewalls

    • Non sudo setuid

    • Fileless Malware Detected (memfd)

    • Non Sudo Setuid

  • Added the following rules:

    • AWS CLI used with endpoint url parameter

    • Hexadecimal string detected

  • Improved condition for the Packet socket created in container rule.

Default Policy Changes

  • Added the following files:

    • AWS CLI used with endpoint url parameter

    • Hexadecimal string detected

  • Updated the policy for Container escape via discretionary access control.

  • Added the Sysdig Azure Threat Intelligencepolicy.

0.126.0

September 14, 2023

Rule Changes

  • Reduced false positives for the following rule:

    • Suspicious Operations with firewall

    0.125.3

    September 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Root User Container

      • Set Setuid or Setgid bit

      • Launch Suspicious Network Tool in Container

    • Updated the IoCs Ruleset with new findings.

    0.125.1

    September 12, 2023

    Rule Changes

    • Added the following files:

      • Unexpected Unshare event in Container

      • Disallowed SSH Connection Non Standard Port

      • Azure Suspicious IP Inbound Request

      • GCP Change Owner

      • Container escape via discretionary access control

    • Improved condition for the following:

      • Launch Privileged Container

      • Write below etc

      • Suspicious Operations with Firewalls

      • Launch Remote File Copy Tools in Container

    • Improved the sysdig_commercial_images list.

    • Improved the performance of the renamemacro.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following files:

    • Unexpected Unshare event in Container

    • Disallowed SSH Connection Non Standard Port

    • Azure Suspicious IP Inbound Request

    • GCP Change Owner

    • Container escape via discretionary access control

    0.125.0

    September 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Ingress Remote File Copy Tools in Container

      • Launch Root User Container

      • Possible Backdoor using BPF

      • Fileless Malware Detected (memfd)

      • Packet socket created in container

      • Change thread namespace

    • Improved host and container tags.

    • Updated the IoCs Ruleset with new findings.

    0.124.3

    September 06, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • PTRACE attached to process

      • Mount Launched in Privileged Container

      • Launch Root User Container

      • Launch Sensitive Mount Container

      • Launch Privileged Container

    • Added the azure_trusted_images_launch_root_list list.

    • Updated the IoCs Ruleset with new findings.

    0.124.1

    September 05, 2023

    Rule Changes

    • Improved condition for the following:

      • Possible Backdoor using BPF

      • Create Symlink Over Sensitive Files

      • Suspicious Home Directory Creation

      • container_entrypoint

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the rule to the AWS IAM Credential Report Requestpolicy.

    • Update the policy for the Contact Task Metadata Endpoint rule.

    0.124.0

    September 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Possible Backdoor using BPF

      • Fileless Malware Detected (memfd)

    • Improved host and container tags.

    • Updated the IoCs Ruleset with new findings.

    0.123.3

    September 02, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Mount Launched in Privileged Container

      • Packet Socket Created in Container

      • Launch Root User Container

      • Launch Privileged Container

    • Improved condition for the following rule:

      • GCP Default Service Account Activity

    • Updated the IoCs Ruleset with new findings.

    • Improved the host and container tags.

    0.123.2

    August 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Packet Socket Created in Container

      • Read Shell Configuration File

      • Change Thread Namespace

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    0.123.1

    August 29, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • Kernel startup modules changed

    • Improved condition for the following rules:

      • Contact Task Metadata Endpoint

      • Detect reconnaissance scripts

    • Improved output for the following rules:

      • Update Package Repository

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    • Improved the miner_portslist.

    0.123.0

    August 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read ssh information

      • Suspicious System Service Modification

      • Suspicious Cron Modification

      • Read Shell Configuration File

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    Reduced false positives for Put Object in Watched Bucket.

    0.122.5

    August 18, 2023

    Rule Changes

    Reduced false positives for the following rules:

    • Packet socket created in container

    • Change thread namespace

    • AWS SSM Agent File Write

    Default Policy Changes

    Downgraded AWS rules.

    0.122.4

    August 05, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Execution from /tmp

      • Launch Privileged Container

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    0.122.3

    August 03, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • Set Setuid or Setgid bit

      • Possible Backdoor using BPF

      • Non sudo setuid

      • Launch Sensitive Mount Container

    • Updated the IoCs Ruleset with new findings.

    • Improved output for the Fileless Malware Detected (memfd) rule.

    Default Policy Changes

    Removed Packet socket created in container from the Sysdig Runtime Notable Events policy.

    0.122.2

    August 02, 2023

    Rule Changes

    • Improved condition for Azure RDP Access Is Allowed from The Internet rule.

    • Improved condition for Azure SSH Access Is Allowed from The Internet rule.

    Default Policy Changes

    Remove the AWS IAM Credential Report Request rule from policy.

    0.122.1

    August 01, 2023

    Rule Changes

    • Reduced false positives for the Launch Root User Container rule.

    • Added the following rules:

      • AWS ECS Create Task Definition

      • AWS RDS Master Password Update

      • AWS IAM Credential Report Request

    • Updated the IoCs Ruleset with new findings.

    • Improved the network_tool_binaries list.

    • Added support for accept4 syscall.

    Default Policy Changes

    Added the following rules:

    • AWS ECS Create Task Definition

    • AWS RDS Master Password Update

    • AWS IAM Credential Report Request

    0.122.0

    July 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Write below rpm database

      • Write below binary dir

    • Updated the IoCs Ruleset with new findings.

    0.121.4

    July 27, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Fileless Malware Detected (memfd)

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Write below root

      • Packet socket created in container

      • Execution from /tmp

    • Increased the async limit to speed up validation times.

    • Updated the IoCs Ruleset with new findings.

    0.121.3

    July 26, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Fileless Malware Detected (memfd)

      • Contact GCP Instance Metadata Service from Container

    • Improved performance for Contact Task Metadata Endpoint

    • Updated the IoCs Ruleset with new findings.

    0.121.2

    July 25, 2023

    Rule Changes

    • Reduced false positives for the following rule: Fileless Malware Detected (memfd)

    • Tuned the preview rule:

      • Potential IRC connection detected<

    • Added the preview rule:

      • Contact AWS Fargate Task Metadata Endpoint

    0.121.1

    July 25, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Execution from /tmp

      • Change thread namespace

      • Packet socket created in container

      • AWS SSM Agent File Write

    • Added the following rules:

      • Fileless Malware Detected (memfd)

      • Contact Azure Instance Metadata Service from Container

      • Contact GCP Instance Metadata Service from Container

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Fileless Malware Detected (memfd)

      • Contact Azure Instance Metadata Service from Container

      • Contact GCP Instance Metadata Service from Container

    • Updated the policy for the following rules:

      • Find Azure Credentials

      • Find GCP Credentials

      • Download and launch remote file copy tools in container

      • Find GCP Credentials

      • Removed the Contact cloud metadata service from container rule from policies.

    0.121.0

    July 24, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Packet socket created in container

      • User Management Event Detected

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    0.120.4

    July 22, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Change thread namespacer

      • Launch Privileged Container

      • Mount Launched in Privileged Container

      • Possible Backdoor using BPF

    • Improved outputs for the following rules:

      • Suspicious Domain Contacted

      • Suspicious Domain Contacted

      • non_system_user

      • Connection to IPFS Network Detected

    • Added the following macros to Threat Intel:

      • ipfs_domains_in_args

      • suspicious_domains_connection_data

    • Updated the IoCs Ruleset with new findings.

    0.120.0

    July 21, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Domain Contacted

      • The docker client is executed in a container

      • eBPF Program Loaded into Kernel

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    • Tuned thePotential IRC connection detected preview rule.

    0.120.3

    July 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Connection to IPFS Network Detected

      • Packet socket created in container

      • The docker client is executed in a container

      • Launch Privileged Container

    • Updated the IoCs Ruleset with new findings.

    0.120.2

    July 18, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read Shell Configuration File

      • Read sensitive file untrusted

      • Read ssh information

      • Write below monitored dir

    • Added exception for the following rules:

      • Suspicious Domain Contacted

      • Connection to IPFS Network Detected

    • Improved performance for Write below monitored dir

    • Updated the IoCs Ruleset with new findings.

    0.120.1

    July 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • The docker client is executed in a container

      • Change thread namespace

      • Packet socket created in container

      • Possible Backdoor using BPF

      • AWS SSM Agent File Write

    • Updated the IoCs Ruleset with new findings.

    0.119.4

    July 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • AWS SSM Agent File Write

      • Possible Backdoor using BPF

      • Change thread namespace

    • Improved performance for the following rules:

      • Shell binaries opening connections

      • Drop and execute new binary in container

    • Updated the IoCs Ruleset with new findings.

    0.119.3

    July 12, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Packet socket created in container

      • Change thread namespace

      • Terminal shell in container

      • eBPF Program Loaded into Kernel

      • Write below root

    • Improved performance for the following rules:

      • Dump memory for credentials

      • Lastlog Files Cleared

      • Diamorphine Rootkit Activity

    • Updated the IoCs Ruleset with new findings.

    • Introduced retries for intermittent HTTP errors and improved logs.

    0.119.2

    July 11, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Non sudo setuid

      • Run shell untrusted

      • Find GCP Credentials

      • Change thread namespace

    • Improved performance for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Write below rpm database

      • DB program spawned process

      • Delete or rename shell history

    • Updated the IoCs Ruleset with new findings.

    0.119.1

    July 10, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Write below etc

      • Possible Backdoor using BPF

    • Excluded local IPv6 from macros.

    • Improved performance for the following rules:

      • Read sensitive file trusted after startup

      • Write below etc

      • System procs network activity

      • Read sensitive file untrusted

      • AWS SSM Agent Activity

    • Added the following rules:

      • EC2 Instance Connect System Access

      • AWS SSM Agent File Write

      • Removing MFA from Admin in Okta

      • Download and launch remote file copy tools in container

      • Find GCP Credentials

      • Find Azure Credentials

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the following rule:

      • Kernel startup modules changed

    • Default Policy Changes

    • Added the following rules:

      • EC2 Instance Connect System Access

      • AWS SSM Agent File Write

      • Removing MFA from Admin in Okta

      • Download and launch remote file copy tools in container

      • Find GCP Credentials

      • Find Azure Credentials

    0.119.0

    July 07, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Search Private Keys and Passwords

    • Updated the IoCs Ruleset with new findings.

    • Improved the network_tool_binaries list.

    0.118.3

    July 06, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Change thread namespace rule

      • Search Private Keys or Passwords

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    0.118.2

    July 05, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Packet socket created in container

      • eBPF Program Loaded into Kernel

      • Launch Sensitive Mount Containe

    • Updated the IoCs Ruleset with new findings.

    • Fix exceptions for the AWS SSM Agent Activity rule.

    0.118.1

    June 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Launch Root User Container

      • Detection bypass by symlinked files

      • Launch Ingress Remote File Copy Tools in Container

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    0.117.8

    June 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • DB program spawned process

      • Launch Sensitive Mount Container

      • Launch Root User Container

    • Updated the IoCs Ruleset with new findings.

    • Improved the falco_sensitive_mount_imageslist.

    • Added preview structure for rules.

    Default Policy Changes

    • Added preview structure for rules.

    0.117.7

    June 26, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Launch Sensitive Mount Containe

      • DB program spawned processt

      • Read ssh information

      • Non sudo Setuid

    • Updated the IoCs Ruleset with new findings.

    • Improved the process_name_exists macro.

    0.117.6

    June 23, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Terminal shell in container

      • Launch Sensitive Mount Container

      • Modify binary dirs

      • Set Setuid or Setgid bit

    • Updated the IoCs Ruleset with new findings.

    0.117.5

    June 22, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious System Service Modification

      • Write below root

      • Change thread namespace

      • Launch Sensitive Mount Container

    • Updated the IoCs Ruleset with new findings.

    • Improved performance for the Contact EC2 Instance Metadata Service From Container and Write below binary dir rules.

    0.117.4

    June 21, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Launch Sensitive Mount Container

      • Launch Root User Container

    • Updated the IoCs Ruleset with new findings.

    0.117.3

    June 19, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Ingress Remote File Copy Tools in Container

      • AWS SSM Agent Activity

      • Read Shell Configuration File

      • Write below rpm database

    • Updated the IoCs Ruleset with new findings.

    • Improved the falco_privileged_images list.

    0.117.2

    June 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • AWS SSM Agent Activity

      • Suspicious Operations with Firewallse

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    • Fixed exception value.

    • Removed append fields from rules and macros.

    0.117.1

    June 09, 2023

    Rule Changes

    • Removed duplicate tags in rules.

    0.116.5

    June 09, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Java Process Class File Download

      • Set Setuid or Setgid bit

      • User mgmt binaries

    • Updated the IoCs Ruleset with new findings.

    0.116.4

    June 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Write below etc

    • Improved output for The docker client is executed in a container rule.

    • Updated the IoCs Ruleset with new findings.

    0.116.3

    June 07, 2023

    Rule Changes

    • Removed the Okta 5 minute rules.

    • Improved the output for the Java Process Class File Downloadrule.

    Default Policy Changes

      Removed the Okta 5 minute rules.

    0.116.2

    May 31, 2023

    Rule Changes

    • Updated the IoCs Ruleset with new findings.

    • Added exception for the following rules:

      • Launch Privileged Container

      • Launch Excessively Capable Container

      • Launch Sensitive Mount Container

    0.115.1

    May 30, 2023

    Rule Changes

    • Reduced false positives for the Execution from /tm rule.

    • Added the following rules:

      • K8s Ingress Deleted

      • K8s Ingress Created/Modified

      • AWS EC2 Instance Connect/SSH Public Key Uploaded

      • Admin permission has been assigned to a group in Okta

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the following rules:

      • Find AWS Credentials

      • Okta CAPTCHA Settings Updated

      • Search Private Keys or Passwords

    • Default Policy Changes

    • Added the following rules:

      • K8s Ingress Deleted

      • K8s Ingress Created/Modified

      • AWS EC2 Instance Connect/SSH Public Key Uploaded

      • Admin permission has been assigned to a group in Okta

    0.115.0

    May 18, 2023

    Rule Changes

    • Added the Okta CAPTCHA Settings Updated rule.

    • Reduced false positives for the following rules:

      • Read ssh information

      • Write below root

      • Run shell untrusted

    • Updated the IoCs Ruleset with new findings.

    • Default Policy Changes

    • Added the Okta CAPTCHA Settings Updated rule.

    0.114.1

    May 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Read sensitive file untrusted

      • Read Shell Configuration File

      • eBPF Program Loaded into Kernel

      • Write below etc

      • Launch Root User Container

      • Create files below dev

      • Non sudo setuid

    • Added the following rules:

      • Drop and execute new binary in container

      • GCP Cloud SQL Data Exfiltration

      • GCP Create Service Account

      • GCP Create or Modify Compute SSH Key

      • GCP Default Service Account Activity

      • Directory traversal monitored file read

      • Detection bypass by symlinked files

    • Updated the IoCs Ruleset with new findings.

    • Introduced v16 ruleset.

    • Improved condition for the OpenSSL File Read or Write rule.

    • Improved detection for the Suspicious System Service Modification rule.

    Default Policy Changes

    Added the following rules:

    • Drop and execute new binary in container

    • GCP Cloud SQL Data Exfiltration

    • GCP Create Service Account

    • GCP Create or Modify Compute SSH Key

    • GCP Default Service Account Activity

    • Directory traversal monitored file read

    • Detection bypass by symlinked files

    0.114.0

    May 10, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • User mgmt binaries

      • Write below etc

      • Execution from /tmp

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    0.113.2

    May 09, 2023

    Rule Changes

      Reduced false positives for the following rules:

      • Shell binaries opening connections

      • Execution from /tmp

    0.113.1

    May 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Read Shell Configuration File

      • Write below etc

      • Set Setuid or Setgid bit

      • Change thread namespace

      • Write below rpm database

      • Launch Privileged Container

      • eBPF Program Loaded into Kernel

      • Set Setuid or Setgid bit

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the following rules:

      • Execution from /tmp

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Added the following rules:

      • Shell binaries opening connections

      • AWS Attach IAM Policy to Role

    • Added exceptions for the Ingress Object without TLS Certificate Created rule.

    Default Policy Changes

    Added the following rules:

    • Shell binaries opening connections

    • AWS Attach IAM Policy to Role

    0.113.0

    May 05, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • Non sudo setuid

    • Updated the Sysdig Mitre Attack mapper.

    • Updated the IoCs Ruleset with new findings.

    0.112.3

    May 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Suspicious Network Tool in Container

      • Write below rpm database

      • Launch Remote File Copy Tools in Container

    • Updated the IoCs Ruleset with new findings.

    0.112.2

    May 01, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • Read sensitive file untrusted

      • Kernel startup modules changed

      • Launch Privileged Container

      • Mount Launched in Privileged Container

      • Launch Ingress Remote File Copy Tools in Container

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    • Enable theJava Process Class File Download rule by default.

    Default Policy Changes

    Enable the following rules by default:

    • Java Process Class File Download

    • Kernel startup modules changed

    0.112.0

    April 26, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Run shell untrusted

      • eBPF Program Loaded into Kernel

      • Launch Sensitive Mount Container

      • Launch Package Management Process in Container

      • Launch Root User Container

    • Updated the following tags:

      • AWS MITRE ATT&CK

      • Azure MITRE ATT&CK

      • GCP MITRE ATT&CK 

    • Updated the IoCs Ruleset with new findings.

    • Improved the MITRE ATT&CK tags.

    • Improved the sysdig_commercial_images list.

    Default Policy Changes

    Updated policy for the following rules:

    • Packet socket created in container

    • Create Hardlink Over Sensitive Files

    0.111.0

    April 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Write below etc

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Read ssh information

      • Clear Log Activities

      • Modify Shell Configuration File

      • System ClusterRole Modified/Deleted

    • Updated policy for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Detect release_agent File Container Escapes

    • Updated IoCs Ruleset with new findings.

    • Improved output for the Launch Excessively Capable Container rule.

    • Added the Kernel startup modules changed rule.

    Default Policy Changes

    • Added the Kernel startup modules changed rule.

    • Updated policy for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Detect release_agent File Container Escapes

      • Register Domain

      • Disable Security Hub

    0.110.0

    April 11, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Package Management Process in Container

      • Read sensitive file untrusted

      • Write below etc

      • Netcat Remote Code Execution in Container

      • Container Run as Root User

      • Set Setuid or Setgid bit

      • Mount Launched in Privileged Container

      • Launch Root User Container

      • Non sudo setuid

    • Added tags for the following rules:

      • Detect release_agent File Container Escapes

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Launch Excessively Capable Container

    • Updated IoCs Ruleset with new findings.

    • Moved malicious_download_tools in Suspicious Network tools rules

    • Improved list network_tool_binaries rule.

    • Fixed Set Setuid or Setgid bit tag.

    Default Policy Changes

    Updated policy for the following rules:

    • Security Hub Disassociate From Master Account

    • Security Hub Delete Members

    • Security Hub Disassociate Members

    0.109.0

    April 07, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • Suspicious Cron Modification

      • Disallowed K8s User

      • The docker client is executed in a container

      • Launch Package Management Process in Container

      • Clear Log Activities

      • Launch Package Management Process in Container

      • Write below etc

      • Read sensitive file untrusted

      • PTRACE attached to process

      • Launch Excessively Capable Container

      • eBPF Program Loaded into Kernel

      • Read sensitive file untrusted

      • Non sudo setuid

      • Write below root

      • Read sensitive file untrusted

      • Write below rpm database

      • Launch Sensitive Mount Container

      • Launch Root User in Container

    • Added the following rules:

      • Detect release_agent File Container Escapes

      • Java Process Class File Download

      • Launch Excessively Capable Container

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

    • Updated IoCs Ruleset with new findings.

    • Added Falco rules versioning support.

    • Added an exception for the Outbound Connection to C2 Servers rule.

    Default Policy Changes

    • Added the following rules:

      • Detect release_agent File Container Escapes

      • Java Process Class File Download

      • Launch Excessively Capable Container

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

    • Updated policy for the following rules:

      • Guard Duty Disassociate Members

      • Guard Duty Disassociate from Master Account

      • Guard Duty Delete Members

    • Added Falco rules versioning support.

    • Removed the following rules from policies:

      • Launch Disallowed Container

      • Interpreted procs inbound network activity

      • Interpreted procs outbound network activity

    0.108.0

    March 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Clear Log Activities

      • Launch Package Management Process in Container

      • Container Run as Root User

      • Launch Remote File Copy Tools in Container

      • Launch Root User Container

    • Improved condition for the following rules:

      • Launch Ingress Remote File Copy Tools in Container

      • Modify Timestamp attribute in File

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Updated policy for the following rules:

    • OpenSSL File Read or Write

    • CloudTrail Logging Disabled

    • Disable GuardDuty

    0.106.0

    March 07, 2023

    Rule Changes

    • Added the following rules:

      • Create Bucket

      • Delete Bucket

    • Improved the output for the following rules:

      • Read Shell Configuration File

      • Set Setuid or Setgid bit

      • Launch Root User Container

    • Updated the MITRE, GCP MITRE, and AWS MITRE tags.

    • Improved condition for the Tampering with Security Software in Container rule.

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Launch Privileged Container

      • Write below root

      • Schedule Cron Jobs

      • Suspicious Cron Modification

      • Launch Remote File Copy Tools in Container

      • Launch Suspicious Network Tool on Host

      • System procs activity

      • Modify Shell Configuration File

      • Write below etc

      • Launch Sensitive Mount Container

      • Mount Launched in Privileged Container

      • PTRACE attached to process

    • Updated Kubernetes image registry domains.

    • Improved the falco_privileged_imageslist.

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Create Bucket

      • Delete Bucket

    • Updated the policy for the following rules:

      • Deactivate MFA for Root User

      • CloudTrail Trail Deleted

    0.105.0

    February 28, 2023

    Rule Changes

    • Added the following rules:

      • Create Hardlink Over Sensitive Files

      • Azure Storage Account Created

      • Azure Storage Account Deleted

      • GCP Create Project

      • GCP Create Compute VM Instance

      • GCP Enable API

    • Reduced false positives for the following rules:

      • Suspicious Operations with Firewalls

      • Linux Kernel Module Injection Detected

      • PTRACE attached to process

      • Read sensitive file untrusted

    • Improved condition for the following rules:

      • Execution of binary using ld-linux

      • Mount Launched in Privileged Container

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules:

    • Create Hardlink Over Sensitive Files

    • Azure Storage Account Created

    • Azure Storage Account Deleted

    • GCP Create Project

    • GCP Create Compute VM Instance

    • GCP Enable API

    0.104.1

    February 24, 2023

    Rule Changes

    • Improved output for the Modify Timestamp attribute in File rule.
    • Reduced false positives for the following rules:

      • Linux Kernel Module Injection Detected

      • Launch Privileged Container

      • Reconnaissance attempt to find SUID binaries

    • Updated IoCs Ruleset with new findings.

    0.103.1

    February 23, 2023

    Rule Changes

    • Added the following rules:

      • Modify Timestamp attribute in File

      • Launch Code Compiler Tool in Container

      • Put Bucket ACL for AllUsers

    • Reduced false positives for the following rules:

      • Launch Package Management Process in Container

      • PTRACE anti-debug attempt

    • Improved condition for the following rule: Put Bucket Lifecycle

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Modify Timestamp attribute in File

      • Launch Code Compiler Tool in Container

      • Put Bucket ACL for AllUsers

    • Updated policy for the following rules:

      • Launch Code Compiler Tool in Container

      • Connection to IPFS Network Detected

      • Detect outbound connections to Proxy/VPN

    0.103.0

    February 14, 2023

    Rule Changes

    • Added the following rules:

      • User Management Event Detected

      • Users Group Management Event Detected

      • OpenSSL File Read or Write

    • Reduced false positives for the following rules:

      • Modify ld.so preload

      • Clear Log Activities

      • Read sensitive file untrusted

      • Read Shell Configuration File

    • Improved condition for the following rules:

      • Delete Bash History

      • Delete or rename shell history

      • Detect malicious cmdlines

    • Improved the sensitive_kernel_parameter_fileslist.

    • Updated IoCs Ruleset with new findings.

    • Added an exception for the OpenSSL File Read or Write rule.

    Default Policy Changes

    • Added the following rules:

      • User Management Event Detected

      • Users Group Management Event Detected

      • OpenSSL File Read or Write

    • Update policies for SuspiciousOpenSSL Shared Object Loaded rule.

    0.102.1

    February 08, 2023

    Rule Changes

    • Added the following list: Add list security_processes

    • Improved the following list: network_tool_binaries

    • Reduced false positives for the following rules:

      • Contact EC2 Instance Metadata Service From Container

      • Run shell untrusted

      • System procs network activity

      • Set Setuid or Setgid bit

      • eBPF Program Loaded into Kernel

    • Improved the condition for the following rule: Detect reconnaissance scripts

    • Updated IoCs Ruleset with new findings.

    0.101.1

    January 26, 2023

    Rule Changes

    • Added the following rules:

      • K8s CronJob Deleted

      • K8s CronJob Created/Modified

      • Read Environment Variable from /proc files in Container

      • Suspicious OpenSSL Shared Object Loaded

    • Reduced false positives for the following rules:

      • Run shell untrusted

      • Find AWS Credentials

      • PTRACE attached to process

      • Clear Log Activities

      • Non sudo setuid

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Improved condition for the following rule: GPG Key Reconnaissance

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules:

    • K8s CronJob Deleted

    • K8s CronJob Created/Modified

    • Read Environment Variable from /proc files in Container

    • Suspicious OpenSSL Shared Object Loaded

    0.100.2

    January 20, 2023

    Rule Changes

    • Added the following rules:

      • Modify Security Group Rule Allowing Ingress Open to the World

      • Connection to IPFS Network Detected

    • Improved condition for the following rules:

      • Create Security Group Rule Allowing Ingress Open to the World

      • Create a Network ACL Entry Allowing Ingress Open to the World

      • Detect reconnaissance scripts

      • Lastlog Files Cleared

      • Launch Remote File Copy Tools in Container

      • Put Bucket Lifecycle

      • Delete or rename shell history

    • Added exception for the following rules:

      • Put Bucket Lifecycle

      • Update Assume Role Policy

    • Updated IoCs Ruleset with new findings.

    • Reduced false positives for the following rule Find AWS Credentials rule.

    • Default Policy Changes

      Added the following rules:

      • Modify Security Group Rule Allowing Ingress Open to the World

      • Connection to IPFS Network Detected

    0.99.0

    January 09, 2023

    Rule Changes

    • Reduced false positives for the Container Run as Root User rule.

    • Improved condition for the Suspicious Operations with Firewalls rule.

    • Added the following rules:

      • K8s Networkpolicy Deleted

      • Modify Security Group

      • K8s Networkpolicy Created/modified

      • AWS SSM Send Command

    • Added tags to the K8s Networkpolicy Deleted rule.

    • Added exceptions for the following:

      • Delete Organization Config Rule

      • Delete Cluster

      • Elasticsearch Domain Creation without Encryption at Rest

      • ECR Image Pushed

      • Put Remediation Configurations

      • Delete Configuration Aggregator

      • Put Organization Config Rule

      • Put Organization Conformance Pack

      • Stop Configuration Recorder

      • Delete Organization Conformance Pack

      • ECS Service Created

      • ECS Service Deleted

      • Terminal Shell in ECS Container

      • ECS Task Run or Started

      • ECS Service Task Definition Updated

      • ECS Task Stopped

      • Create HTTP Target Group without SSL

      • Elasticsearch Domain Creation without VPC

      • Run Instances

      • CloudTrail Trail Created

      • Create Security Group Rule Allowing SSH Ingress

      • Guard Duty Disassociate from Master Account

      • Guard Duty Delete Members

      • Disable GuardDuty

      • Delete Detector

      • Create Access Key for Root User

      • Guard Duty Disassociate Members

      • Stop Monitoring Members

      • Password Recovery Requested

      • Deactivate Hardware MFA for Root User

      • Add AWS User to Group

      • Attach Administrator Policy

      • Attach IAM Policy to User

      • Deactivate MFA for Root User

      • Create Group

      • Create IAM Policy that Allows All

      • Create Access Key for User

      • Deactivate Virtual MFA for Root User

      • Delete Virtual MFA for Root User

      • Create AWS user (SSO)

      • Create AWS user

      • Delete AWS user (SSO)

      • Deactivate MFA for User Access

      • Delete Group

      • Put IAM Inline Policy to User

      • Delete AWS user

      • Remove AWS User from Group

      • Update Account Password Policy Not Expiring

      • Update Account Password Policy Expiring in More Than 90 Days

      • Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

      • Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

      • Update Account Password Policy Not Requiring 14 Characters

      • Update Account Password Policy Not Requiring 7 Characters

      • Update Account Password Policy Not Requiring Lowercase

      • Update Account Password Policy Not Requiring Number

      • Update Account Password Policy Not Requiring Symbol

      • Update Account Password Policy Not Requiring Uppercase

      • Replace Route

      • Modify Image Attribute

      • Modify Snapshot Attribute

      • Revoke Security Group Egress

      • Revoke Security Group Igress

      • Run Instances in Non-approved Region

      • Create Internet-facing AWS Public Facing Load Balancer

      • Delete Listener

      • Modify Listener

      • Disable EBS Encryption by Default

      • Contact EC2 Instance Metadata Service From Container

      • EC2 Serial Console Access Enabled

      • Make EBS Snapshot Public

      • Get Password Data

    • Default Policy Changes

    • Added the following rules:

      • K8s Networkpolicy Deleted

      • Modify Security Group

      • K8s Networkpolicy Created/modified

      • AWS SSM Send Command

    0.98.2

    January 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • aws_latest_runtimes

      • Read sensitive file untrusted

      • Read Shell Configuration File

    • Updated IoCs Ruleset with new findings.

    • Added exception for the DB program spawned process rule.

    • Improved output for the Suspicious System Service Modification rule.

    0.98.0

    December 04, 2022

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

      • Read SSH information

      • Read Shell Configuration File

      • Write below etc

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Domain Contacted

    • Updated IoCs Ruleset with new findings.

    • Improved detection for the Non sudo setuid rule.

    • Added the following rule: Detect cloned process by PRoot

    • Default Policy Changes

      Added the Detect cloned process by PRoot rule.

    0.96.0

    December 01, 2022

    Rule Changes

    Disabled the Create Hidden Files or Directories rule.

    0.94.2

    November 29, 2022

    Rule Changes

    • Improved output for the Suspicious Cron Modification rule.

    • Reduced false positive for the Read SSH information rule.

    • Updated IoCs Ruleset with new findings.

    • Enabled the Create Hidden Files or Directoriesrule.

    • Added the Create/modify EKS serviceaccount boundrule to the AWS Identity and Access Management (IAM) role.

    • Added the Suspicious Domain Contactedrule.

    Default Policy Changes

    • Added the Suspicious Domain Contactedrule.

    • Added the Create/modify EKS serviceaccount boundrule to the AWS IAM role.

    0.94.0

    November 22, 2022

    Rule Changes

    • Reduced false positives for the following rules:

      • Privileged Shell Spawned Inside Container

      • Clear Log Activities

      • Read ssh information

      • Search Private Keys or Passwords

      • Launch Suspicious Network Tool in Container

      • Container Run as Root User

      • Change Thread Namespace

      • Read Shell Configuration File

    • Improved tags for the eBPF Program Loaded into Kernelrule.

    • Updated IoCs Ruleset with new findings.

    • Improved detection for the Non sudo setuid rule.

    • Added the following rules:

      • Mutated Pod Detected

      • Configmap aws-auth changed

    • Default Policy Changes

      • Added the following rules:

        • Mutated Pod Detected

        • Configmap aws-auth changed

    0.93.0

    November 10, 2022

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Kernel Parameter Modification

      • The docker client is executed in a container

      • Mount Launched in Privileged Container

      • Reconnaissance attempt to find SUID binaries

      • PTRACE attached to process

      • Linux Kernel Module Injection Detected

    • Updated IoCs Ruleset with new findings.

    • Improved detection for the Non sudo setuid rule.

    • Added the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Lastlog files cleared

    • Default Policy Changes

      • Added the following rules:

        • Redirect STDOUT/STDIN to Network Connection in Host

        • Lastlog files cleared

      • Move the Unexpected Connection from legitimate Process/Port rule to Default Policy

    0.92.0

    October 19, 2022

    Rule Changes

    • Renamed lists, macros, and rules for Falco Cloud.

    • Added the Unexpected Connection from legitimate Process/Port rule.

    • Updated IoCs Ruleset with new findings.

    • Edited the output for the  Reconnaissance attempt to find SUID binaries rule.

    Default Policy Changes

    • Renamed lists, macros, and rules for Falco Cloud.

    • Added the Unexpected Connection from legitimate Process/Port rule.

    0.91.0

    October 14, 2022

    Rule Changes

    • Updated the sensitive_kernel_parameter_files list to detect changes on the ptrace_scope file.

    • Added the Diamorphine Rootkit Activity rule.

    • Updated IoCs Ruleset with new findings.

    • Reduced false positives in the Dump memory for credentials rule.

    Default Policy Changes

    • Added the Diamorphine Rootkit Activity rule.

    • Reduced false positives in the Dump memory for credentials rule.

    0.90.0

    October 07, 2022

    Rule Changes

    • Tuning the Dump memory for credentials on rule.

    • Added the following rules:

      • kill malicious process
      • detect dump memory for credentials
    • Updated IoCs Ruleset with new findings.

    • Updated Cloud Mitre tags.

    • Reduced false positives in Falco Rules.

    • Added new ruless:

      • Dump memory for credentials
      • Kill known malicious process
    • Use glob in the user_ssh_directory macro and remove openat2 from conditions.

    • Added an exception to the AWS Command Executed by Untrusted User rule.

    • Changed exception in the Change Resource Record Sets rule.

    • Changed the allowed_k8s_users list.

    Default Policy Changes

    • Tuned the Dump memory for credentials rule.

    • Added new rules:

      • Dump memory for credentials
      • Kill known malicious process

    0.89.0

    September 27, 2022

    Rule Changes

    • Increased IoCs and added additional exceptions.

    • Disabled Simple Storage Service (S3) versioning.

    Default Policy Changes

    Disabled S3 versioning

    0.88.0

    September 23, 2022

    Rule Changes

    • Increased IoCs and added additional exceptions.

    • Added exclusions to reduce false positives.

    • Adding additional parameters to sensitive_kernel_parameter_files list.

    0.87.0

    September 09, 2022

    Rule Changes

    • Added exception to reduce false positives in the sysdig_commercial_imagesmacro.

    • Updated IoCs Ruleset with new findings.

    0.86.0

    September 08, 2022

    Rule Changes

    • Added additional exceptions to aid in addressing false positives: Suspicious Kernel Parameter Modification.

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Removed the following rules from default policies:Scripting Language Execution below dev.

    0.85.0

    August 24, 2022

    Rule Changes

    • New rules:Share RDS Snapshot with Foreign Account

    • Rule tuning for the following:

      • PTRACE anti-debug attempt

      • Suspicious Cron Modification

      • Suspicious Java Child Processes

      • Create Symlink Over Sensitive Files

      • Netcat Remote Code Execution in Container

      • eBPF Program Loaded into Kernel

    • Updated IoCs Ruleset with new findings.

    0.83.0

    August 19, 2022

    Rule Changes

    • Fixed the output for two PTRACE rules.

    • Added additional conditions to improve detections for Delete/rename Bash History.

    • Enable the do_unexpected_udp_checkmacro.

    • Added the new rule: GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).

    Auto-Tuner Exception Updates

    • Added additional exceptions for Privileged Shell Inside Container.

    • Added Azure core image to the exception, Suspicious Cron Modification.

    0.82.0

    Aug 11, 2022

    Rule Changes

    • Added Azure rule: Azure RDP Access Is Allowed from The Internet

    • Updated auto-tuner exceptions to reduce excessive noise:

      • Change Resource Record Sets (AWS)

      • Create Hidden Files or Directories

      • Describe Instances (AWS)

      • GCP Delete Compute VM Instance

      • GCP Operation by a Non-corporate Account

      • List Buckets (AWS)

      • Non sudo setuid

      • Root User Executing AWS Command

      • Run shell untrusted

      • The docker client is executed in a container

      • User mgmt binaries

    • Updated IoCs Ruleset with new findings.

    • Default Policy Changes

      Added new rules: Azure RDP Access Is Allowed from The Internet

    0.81.2

    Aug 05, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Linux Kernel Module Injection Detected

      • eBPF Program Loaded into Kernel

      • Privileged Shell Spawned Inside Container

    • Added the following new rules:

      • GPG Key Reconnaissance

      • Create Access Key for User

    • Extended the condition of the following rules:

      • Base64-encoded Python Script Execution

      • nsenter Container Escape

    • Updated IoCs Ruleset with new findings.

    • Default Policy Changes

      Added new rules to default policies.

      • nsenter Container Escape

      • GPG Key Reconnaissance

      • Create Access Key for User

    0.80.1

    July 26, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • eBPF Program Loaded into Kernel

    • Added the following new rules:

      • PTRACE anti-debug attempt

      • PTRACE attached to process

      • Detect reconnaissance scripts

      • Detect malicious cmdlines

      • GCP Create DNS Record

      • GCP Create DNS Zone

      • GCP Delete DNS Record

      • GCP Update DNS Record

      • GCP Update DNS Zone

      • GCP Cloud Armor Blocked Connection

      • GCP Cloud IDS Alert

      • Delete AWS user (SSO)

    • Updated the following rule: Reconnaissance attempt to find SUID binaries

    • Updated the following lists: falco_privileged_images

    • Updated IoCs Ruleset with new findings.

    • Default Policy Changes

      Added new rules to default policies.

    0.79.2

    July 15, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • eBPF Program Loaded into Kernel

    • Added the following new rules:

      • Detect curl Using Socks Proxy

      • Create AWS user (SSO)

      • GCP Delete VPN

      • GCP App Engine Firewall Rule Created

      • GCP Compute Firewall Rule Created

      • GCP Create VPN

      • GCP Sensitive Role Added to User

    • Added additional exceptions to:

      • Read sensitive file untrusted

      • Run shell untrusted

      • Non sudo setuid

      • Clear Log Activities

      • Execution of binary using ld-linux

      • eBPF Program Loaded into Kernel

      • Terminal shell in container

      • The docker client is executed in a container

    • Added the Detect curl Using Socks Proxy rule to IoCs Malware Activity and Sysdig Runtime Threat Detection policies

    • Added Create AWS user (SSO) to the Sysdig AWS Activity Logs policy.

    • Added GCP Delete VPN and GCP Sensitive Role Added to the User rules to Sysdig GCP Notable Events policy.

    • Added the GCP App Engine Firewall Rule Created, GCP Compute Firewall Rule Created, and GCP Create VPN rules to the Sysdig GCP Activity Logs policy.

    • Split AWS rules into individual files and moved lists out of individual files and into its own file at the top of the output aws_cloudtrail.yaml.

    • Fixed tag in the Delete Cluster rule.

    • Updated IoCs Ruleset with new findings.

    0.78.0

    July 08, 2022

    Rule Changes

    • Restored the following missing rule: nsenter Container Escape

    • Cleaned up the following duplicate macro: falco_sensitive_mount_containers

    • Adjusted the following eBPF rule: eBPF Program Loaded into Kernel

    • Updated IoCs Ruleset with new findings.

    • Updated all the Cloudtrail rules to add ARNs to output.

    Default Policy Changes

    Modified to work with both old default_policies and managed default_policies.

    0.77.0

    July 01, 2022

    Rule Changes

    Added Miner IP Pool Threat Intelligence: Detect outbound connections to common miner pool ports

    0.76.1

    June 30, 2022

    Rule Changes

    • Added additional exceptions : Linux Kernel Module Injection Detected

    • Created the following new rules:

      • GCP App Engine Firewall Rule Deleted

      • GCP App Engine Firewall Rule Updated

      • GCP Create Cloud Function v2 Not Using Latest Runtime

      • GCP Create Cloud Function v2

      • GCP Compute Firewall Rule Deleted

      • GCP Compute Firewall Rule Updated

      • GCP Delete Compute VM Instance

      • GCP Update Cloud Function v2

      • Malicious Environment Variable in Spawned Process

      • nsenter Container Escape

    • Updated the following GCP rules:

      • GCP Create Cloud Function Not Using Latest Runtime

      • GCP Create Cloud Function

      • GCP Create DLP Job

      • GCP Delete DLP Job

      • GCP Paused DLP Job

      • GCP Suspicious IP Inbound Request

      • GCP Update Cloud Function

      • GCP Updated DLP Job

    • Added CIS tag to the rules related to Center for Internet Security (CIS) Docker Security Benchmark controls:

      • Container Run as Root User

      • Disallowed SSH Connection

      • Launch Privileged Container

      • Launch Root User Container

      • Launch Sensitive Mount Container

      • Mount Launched in Privileged Container

      • Privileged Shell Spawned Inside Container

      • Reconnaissance attempt to find SUID binaries

      • The docker client is executed in a container

      • Write below root

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules to the default policy:

    • GCP App Engine Firewall Rule Deleted

    • GCP Compute Firewall Rule Deleted

    • Malicious Environment Variable in Spawned Process

    • nsenter Container Escape

    0.76.0

    June 24, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Create Symlink Over Sensitive Files

      • Execution of binary using ld-linux

      • Run shell untrusted

    • Modified the following macros:

      • truncate_shell_history

      • modify_shell_history

    • Extended the condition of the rule, Detect crypto miners using the Stratum protocol, to improve detection capabilites.

    • New rules created:

      • Launch malicious container image

      • GCP Suspicious IP Inbound Request

      • GCP Allow Public Access to Bucket

      • GCP KMS Schedule Key Deletion

      • GCP Create DLP Job

      • GCP Delete DLP Job

      • GCP Update DLP Job

      • GCP Paused DLP Job

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rule to the default policy, IoCs Malware Activity: Launch malicious container image

    • Added the following rules to the default policy, Sysdig GCP Best Practices:

      • GCP Suspicious IP Inbound Request

      • GCP Allow Public Access to Bucket

      • GCP KMS Schedule Key Deletion

      • GCP Delete DLP Job

      • GCP Paused DLP Job

    0.75.0

    June 17, 2022

    Rule Changes

    • Added the following new rules:

      • AWS Suspicious IP Inbound Request

      • eBPF Program Loaded into Kernel

    • Modified the following rules:

      • Symlink over Sensitive Files

      • Container Drift rules (with new exceptions)

    • Updated the macro: sysdig_commercial_images. It now contains two new Kubernetes Security Posture Management (KSPM) images.

    • Added the new macro ti_anon_ips  for Tor source IP addresses.

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the new rule,  AWS Suspicious IP Inbound Request to the Sysdig AWS Best Practices policy.

    • Added the new rule, eBPF Program Loaded into Kernel  to the Suspicious Container Activity policy.

    0.74.3

    June 03, 2022

    Rule Changes

    • Added a new rule: Suspicious Java Child Processes

    • Updated the package_mgmt_procs macro to detect package management processes with Python.

    • Updated some exceptions in the rule,Change thread namespace

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the new rule, Suspicious Java Child Processes,to the IoCs Malware Activity

    0.72.0

    May 26, 2022

    Rule Changes

    • Added the following new rules:

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Home Directory Creation

    • Modified exceptions to reduce noise:

      • Change thread namespace

      • Contact cloud metadata service from container

      • DB program spawned process

      • K8s ConfigMap Created

      • K8s ConfigMap Deleted

      • K8s Serviceaccount Created

      • Netcat Remote Code Execution in Container

      • Privileged Shell Spawned Inside Container

      • Set Setuid or Setgid bit

      • System ClusterRole Modified/Deleted

      • Write below monitored dir

      • Write below root

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following new policies:

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Home Directory Creation

    0.70.3

    May 20, 2022

    Rule Changes

    • Added additional exceptions to the following rules to aid in addressing false positives:

      • Set Setuid or Setgid bit

      • Execution from /tmp

    • Fixed the condition of the following rules:

      • Execution from /tmp

      • Execution from /dev/shm

    • Updated IoCs Ruleset with new findings.

    0.69.0

    May 13, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Run shell untrusted

      • Launch Privileged Container

      • Container Run as Root User

      • Write below root

      • Write below rpm database

      • DB program spawned process

      • Privileged Shell Spawned Inside Container

      • Launch Suspicious Network Tool in Container

      • Remove Bulk Data from Disk

      • Set Setuid or Setgid bit

      • Packet socket created in container

      • Execution from /tmp

    • Created the new rule, Possible Backdoor using BPF. This rule triggers if a process was seen attaching a Berkeley Packet Filter (BPF) filter on a network socket. This could indicate packet sniffing for use in a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule.

    • Created the new rule, Execution of binary using ld-linux. This method can be used to execute programs that do not have the exec bit set and may possibly evade detection measures.

    • Fixed the condition of the following rules:

      • Write below binary dir

      • Set Setuid or Setgid bit

    • Updated IoCs Ruleset with new findings

    Default Policy Changes

      • Added the  Possible Backdoor using BPF rule to the Notable Network Activity policy.

      • Added the new rule,  Execution of binary using ld-linux to the IoCs Malware Activity policy.

    0.68.1

    May 6, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Modify binary dirs

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Container Run as Root User

      • Execution from /tmp

    • Created the new rule Tampering with Security Software in Container. This rule detects common techniques by threat actors to disable runtime security software.

    • Created the new rule Detect outbound connections to TOR Entry Nodes. This rule detects when clients reach the Tor network through its entry nodes. Note that this is an experimental rule and only contains a subset of Tor entry nodes. It will be improved upon in the future.

    • Fixed the condition of the following rule: Execution from /tmp

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Moved the Redirect STDOUT/STDIN to Network Connection in Container rule to the Notable Container Activity default policy.

    • Added the Tampering with Security Software in Container rule to the Suspicious Container Activity default policy.

    • Added the Detect outbound connections to TOR Entry Nodes rule to the IoCs Malware Activity default policy.

    0.67.1

    April 28, 2022

    Rule Changes

    • Added a new rule file, threat_intelligence_feed.yaml , with lists and macros directly updated by theSysdig Threat Research Team.

    • Updated the following list: sysdig_commercial_images

    • Updated IoCs Ruleset with new findings.

    • Updated Falco rules conditions:

      • Execution from /tmp

      • Execution from /dev/shm

      • Network Connection outside Local Subnet

    • Added additional exceptions to aid in addressing false positives:

      • Execution from /tmp

      • Create Symlink Over Sensitive Files

      • Change thread namespace

      • DB program spawned process  

      • Suspicious Cron Modification

    0.66.1

    April 21, 2022

    Rule Changes

    • Added a new AWS Cloudtrail rule: Create RDS DB Instance with Public Access

    • Added the following Falco rules:

      • Base64-encoded Shell Script Execution
      • Execution from /dev/shm
    • Added additional exceptions to aid in addressing false positives:

      • Service Account Created in Kube Namespace
      • K8s Serviceaccount Created
    • Modified to add a list of malicious IPs: Outbound Connection to C2 Servers

    • Updated IoCs Ruleset with new findings

    Default Policy Changes

    • Added the following:

      • Base64-encoded Shell Script Execution
      • Execution from /dev/shm
    • Moved to enabled policy: Outbound Connection to C2 Servers

    0. 65.1

    April 18, 2022

    Rule Changes

    Added additional exceptions to the following rules to aid in addressing false positives:

    • Change thread namespace

    • Create Symlink Over Sensitive Files

    • Container Run as Root User

    • DB program spawned process

    • Privileged Shell Spawned Inside Container

    • Run shell untrusted

    • Set Setuid or Setgid bit

    • Write below etc

    0.65.0

    April 17, 2022

    Rule Changes

    Added additional exceptions to the following rules to aid in addressing false positives: Privileged Shell Spawned Inside Container

    0.64.1

    April 15, 2022

    Rule Changes

    • Added additional exceptions to the following rules to aid in addressing false positives:

      • Packet socket created in container

      • Change thread namespace

      • Run shell untrusted

      • Container Run as Root User

    • Created the new rule Base64-encoded Python Script Execution. This rule detects base64-encoded Python scripts on command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.

    • Fixed the output of the following rules:

      • K8s Serviceaccount Created

      • K8s Serviceaccount Deleted

    • Updated IoCs Ruleset with new findings

    Rule Changes

    • Added the Base64-encoded Python Script Execution  rule to the IoCs Malware Activity default policy

    • Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy

    • Created the new default policy,  Known Exploit Detection. This policy embeds the rules that can identify potential exploits of well-known CVEs.

    0.64.0

    April 12, 2022

    Rule Changes

    • Added additional exceptions to the following rules to aid in addressing false positives:

      • Schedule Cron Jobs

      • Set Setuid or Setgid bit

      • Create Symlink Over Sensitive Files

    • Disabled the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule removing its condition.

    0.63.0

    April 09, 2022

    Rule Changes

    • Updated the following rules:

      • Simple output changes to the Detect outbound connections to common miner pool ports rule.

      • Updated priority and included additional cron paths for the Create Symlink Over Sensitive Files rule.

      • Updated IoCs Ruleset with new findings

    • The following new rules have been introduced.

      • Privileged Shell Spawned Inside Container. This rule detects a root shell being opened by a compromised process for interaction by the attack.

      • Debugfs Launched in Privileged Container. This rule detects file system debugger, debugfs, launched inside a privileged container which might lead to container escape.

      • Mount Launched in Privileged Container. This rule detects file system mount occurrence inside a privileged container which might lead to container escape.

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process. This rule detects a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs

      • Launch Ingress Remote File Copy Tools in Container. This rule detects ingress remote file copy tools launched in a container. For example, curl and wget.

      • Suspicious Cron Modification. This rule detects direct writes to cron job files.

    Default Policy Changes

    • Policy: Notable Filesystem Changes

      • added the Suspicious Cron Modification rule.

      Policy: Suspicious Container Activity

      • Added the Debugfs Launched in Privileged Container rule.

      • Added the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule.

      Policy: Suspicious Lateral Movement Activity to Cloud

      • Added the Mount Launched in Privileged Container rule.

      Policy: Unexpected Spawned Processes

      • Added the Privileged Shell Spawned Inside Container rule.

    0.62.1

    April 06, 2022

    Rule Changes

    Reduced noise for the rulesWrite below monitored dir and write below etc by adding additional exceptions.

    0.62.0

    March 25, 2022

    Rule Changes

    • Added the following new rules:

      • Base64'd ELF file on Command Line

      • Execution from /tmp

    • Updated auto-tuner exceptions for the following:

      • Launch Sensitive Mount Container

      • Service Account Created in Kube Namespace

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following new rules:

      • Base64'd ELF file on Command Line

      • Execution from /tmp

    0.60.0

    March 18, 2022

    Rule Changes

    • Updated the Launch Root User Container condition rule.

    • Updated the following lists to address false positive:

      • miner_domains

      • allowed_k8s_users

    • Updated some exceptions in the  Schedule Cron Jobs rule.

    • Created the sssd_writing_krb  macro from the new release of OSS Falco.

    • Updated IoCs Ruleset with new findings.

    • Updated the following macros based on the changes in Falco OS:

      • modify_shell_history

      • truncate_shell_history

      • write_etc_common

    Default Policy Changes

    • Updated the IoCs Malware Activity policy.

      • Malicious filenames writtenadded.

      • Malicious process detected removed.

    • Removed some rules from Notable Filesystem Changes policy:

      • Write below etc

      • Write below root

      • Write below rpm database

      • Write below binary dir

    • Removed one rule from the Notable Container Activity policy: Change thread namespace

    0.59.2

    March 10, 2022

    Rule Changes

    • Excluded ptp and dp from the Change thread namespacerule.

    • Excluded self from the K8s Serviceaccount Created rule.

    • Excluded known cron writers from the Schedule Cron Jobs rule.

    • Updated the IoCs Ruleset with new findings.

    0.58.1

    March 06, 2022

    Rule Changes

    • Added additional exceptions to aid in addressing false positive for rules:

      • Schedule Cron Jobs

      • Non sudo setuid

      • Launch Privileged Container

      • K8s Serviceaccount Created

    • Updated the following macros baed on the changes in Falco OS:aws_eks_core_images

    • Updated IoCs Ruleset with new findings.

    0.57.2

    March 03, 2022

    Rule Changes

    Fixed exception to aid in addressing false positives for rules: Contact K8S API Server From Container

    0.56.5

    March 01, 2022

    Rule Changes

    • Update rule: DB program spawned process

    • Create macro:pgbackrest_info_childs

    0.56.4

    February 18, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positive for rules:

      • Modify Shell Configuration File

      • Modify Shell Configuration File

      • Write below etc

      • Write below rpm database

      • DB program spawned process

      • Clear Log Activities

      • Launch Root User Container

    • Updated the following macros based on the changes in Falco OS:

      • containerd_shell_modify

      • tanium_client_running_python

      • postgres_running_pgbackrest

      • proc_file_suffix

      • known_redirect_procs

    • Updated the following lists to address false positives:

      • known_setuid_binaries

      • known_k8s_api_programs

      • gke_trusted_images_launch_root_list

    • Updated IoCs Ruleset with new findings.

    0.55.2

    February 10, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positive for rules:

      • Change thread namespace

      • Write below rpm database

      • Write below root

      • Clear Log Activities

      • Launch Root User Container

    • Updated the following macros based on the changes in Falco OS:

      • parent_python_running_sdchecks

      • python_running_sdchecks

      • exe_sysdig

      • tanium_client_running_python

      • sysdig_dragent

      • trusted_logging_images

    • Updated the following lists based on the changes in Falco OS:

      • sysdig_commercial_images

      • allowed_dev_files

      • user_known_chmod_applications

      • miner_domains

    • Updated IoCs Ruleset with new findings.

    0.54.3

    February 07, 2022

    Rule Changes

      Added additional exceptions to older agent versions to aid in addressing false positive for rules: Launch Root User Container

    0.53.4

    February 04, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positive for rules:

      • Modify Shell Configuration File

      • Write below etc

      • Write below root

      • Read sensitive file trusted after startup

      • Change thread namespace

      • Launch Suspicious Network Tool in Container

      • Redirect STDOUT/STDIN to Network Connection in Container

    • Updated the following macros based on the changes in Falco OS:

      • spawned_process

      • sensitive_mount

    • Updated the following lists based on the changes in Falco OS:

      • falco_hostnetwork_images

      • deb_binaries

      • known_sa_list

      • falco_sensitive_mount_images

    • Updated the following lists to address false positives:

      • db_server_binaries

      • user_known_chmod_applications

    • Updated IoCs Ruleset with new findings.

    0.53.3

    January 29, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives for rules:Write below etc.

    • Updated IoCs Ruleset with new findings.

    • Added new rules:

      • Modify ld.so.preload

      • Polkit Local Privilege Escalation Vulnerability(CVE-2021-4034)

    0.52.0

    January 21, 2022

    Rule Changes

    Updated IoCs Ruleset with new findings.

    0.51.1

    January 14, 2022

    Rule Changes

    • Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role.

    • Updated tags for AWS Rule:AWS Command Executed on Unused Region.

    • Updated tags for the following Google Cloud Platform (GCP) Rules:

      • GCP Invitation Sent to Non-corporate Account

      • GCP Create User-managed Service Account Key

      • GCP Create GCP-managed Service Account Key

      • GCP Create Cloud Function Not Using Latest Runtime

      • GCP Set Bucket IAM Policy

      • GCP Create Bucket

    0.50.5

    Topics in This Section
    2021 Archive

    2021 Archive of released Falco Rules.

    2020 Archive

    2020 Archive of released Falco Rules.

    2019 Archive

    2019 Archive of released Falco Rules.