Date | Changes | Version |
June 30, 2025 | Rule Changes | 0.210.3 |
June 27, 2025 | Rule Changes | 0.210.2 |
June 25, 2025 | Rule Changes: Reduced false positives for GCP rules. Reduced false positives for the following rules: Modify binary dirs; Sensitive File Tampered Using Capabilities; Read K8s Service Account Token from Terminal; BPFDoor Backdoor Activity Detected; Hexadecimal string detected; Dump Memory using /proc Filesystem. Improved output for the CloudWatch Delete Log Stream rule. | 0.210.1 |
June 24, 2025 | Rule Changes | 0.210.0 |
June 23, 2025 | Rule Changes | 0.209.5 |
June 20, 2025 | Rule Changes | 0.209.3 |
June 19, 2025 | Rule Changes | 0.209.2 |
June 18, 2025 | Rule Changes | 0.209.1 |
June 17, 2025 | Rule Changes Default Policy Changes | 0.209.0 |
June 16, 2025 | Rule Changes | 0.208.3 |
June 13, 2025 | Rule Changes | 0.208.2 |
June 12, 2025 | Rule Changes | 0.208.1 |
June 10, 2025 | Rule Changes: Added the Local Privilege Escalation Using SETGID Capability rule. Reduced false positives for the following rules: Find GCP Credentials; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Connection to IPFS Network Detected; Dynamic Linker Hijacking Detected; Archive or Compression Activity Detected; Read sensitive file untrusted; DNS Lookup for Uncommon TLD Domain Detected; Dynamic Linker Hijacking Using ld.so Files; Disable or Modify Linux Audit System; Service Discovery Activity Detected; Reverse Shell Spawned From Binary Through Pipes; Drop and Execute /tmp Binary; DNS Lookup for IPFS Domain Detected; Read K8s Service Account Token from Terminal. Default Policy Changes | 0.208.0 |
June 05, 2025 | Rule Changes: Reduced false positives for the following rules: Dynamic Linker Hijacking Detected; Memory Manipulation by Fileless Program; Create Hardlink Over Sensitive Files; Read K8s Service Account Token from Terminal; Local Privilege Escalation Using SETUID Capability; File Modified in System Directory; Create Symlink Over Sensitive Files. | 0.207.2 |
June 04, 2025 | Rule Changes: Reduced false positives for the following rules: Dynamic Linker Hijacking Detected; Memory Manipulation by Fileless Program; Local Privilege Escalation Using SETUID Capability; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; PTRACE anti-debug attempt; Dynamic Linker Hijacking Using ld.so Files; Read K8s Service Account Token from Terminal. Default Policy Changes | 0.207.1 |
June 03, 2025 | Rule Changes; Default Policy Changes: Added the following rules: Malicious Process Reaching K8S API Server Detected; Sensitive File Tampered Using Capabilities; Local Privilege Escalation Using SETUID Capability; File Modified in System Directory; Process Run in Non-System Directory; GitHub Branch Protection Rule Edited. | 0.207.0 |
May 30, 2025 | Rule Changes: Reduced false positives for the following rules: File Created in System Directory; Windows Shell Spawned Inside Container; Dynamic Linker Hijacking Detected; Execution from /tmp; New Kernel Module Created and Loaded; Read sensitive file untrusted; Read K8s Service Account Token from Terminal; Disable or Modify Linux Audit System; Dynamic Linker Hijacking Using ld.so Files; Suspicious RC Script Modification. | 0.206.2 |
May 29, 2025 | Rule Changes: Reduced false positives for the following rules: Malicious Powershell Cmdlet detected; Execution from /tmp; File Created in System Directory; Potential Application Shimming; LSASS Memory Read Access; Windows Shell Spawned Inside Container; Dump Memory using /proc Filesystem; PTRACE anti-debug attempt; Read K8s Service Account Token from Terminal. | 0.206.1 |
May 27, 2025 | Rule Changes: Added the Outbound Connection Detected During Pip Install rule. Improved condition for the following rules: User accessing app via single sign on (Okta); Okta Sign-in via Proxy; Network Tool Executed During NPM Install. Reduced false positives for the following rules: Linux Kernel Module Injection Detected; Reverse Shell Detected; Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Windows Shell Spawned Inside Container; LSASS Memory Read Access; Potential DLL Injection via AppCertDLLs; Possible COM Hijacking; Potential Application Shimming; Malicious Powershell Cmdlet detected; File Created in System Directory; Offensive Security Tool Detected; Dynamic Linker Hijacking Detected; System procs network activity; Dump Memory using /proc Filesystem; Dynamic Linker Hijacking Using ld.so Files; Modify binary dirs; Launch Suspicious Network Tool in Container; Suspicious Home Directory Creation; Read K8s Service Account Token from Terminal; PTRACE anti-debug attempt; Exfiltration of GCP IMDS Credentials Using LOTL Binary; Describe Instances; Read sensitive file untrusted; Fileless Malware Detected (memfd); Create Symlink Over Sensitive Files; Find GCP Credentials. Default Policy Changes | 0.206.0 |
May 20, 2025 | Rule Changes: Added the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Dump Memory using /proc Filesystem; Read K8s Service Account Token from Terminal; Suspicious Home Directory Creation; PTRACE anti-debug attempt; Drop and Execute /tmp Binary; Container escape via discretionary access control; User Management Event Detected; The docker client is executed in a container; DNS Fast Flux Activity Detected; DNS Lookup for Uncommon TLD Domain Detected; Dynamic Linker Hijacking Using ld.so Files; Read sensitive file untrusted. Default Policy Changes: Added the following rules: | 0.205.0 |
May 14, 2025 | Rule Changes Default Policy Changes | 0.204.1 |
May 13, 2025 | Rule Changes: Improved condition for the following rules: Added policy for the Create Hidden Files or Directories rule. Reduced false positives for the following rules: Dynamic Linker Hijacking Using ld.so Files; Suspicious Home Directory Creation; Reverse Shell Spawned From Binary Through Pipes; Read K8s Service Account Token from Terminal; Create Symlink Over Sensitive Files. Default Policy Changes | 0.204.0 |
May 12, 2025 | Rule Changes: Improved description of the Possible Arbitrary Command Execution through CUPS (CVE-2024-47177) rule. Reduced false positives for the following rules: Drop and Execute /tmp Binary; Socat Reverse Shell Detected; Contact K8S API Server From Container; Mount on Container Path Detected; Dynamic Linker Hijacking Using ld.so Files; Find GCP Credentials; Dynamic Linker Hijacking Detected; Read K8s Service Account Token from Terminal; Dump Memory using /proc Filesystem; Reverse Shell Detected; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Clear Log Activities. Reduced false positives for AWS read rules by filtering out Amazon-originated activity and Sysdig posture activity. Reduced false positives related to Snyk Cloud. | 0.203.5 |
May 09, 2025 | Rule Changes: Reduced false positives for the following rules: Dynamic Linker Hijacking Using ld.so Files; Socat Reverse Shell Detected; Contact K8S API Server From Container; Read K8s Service Account Token from Terminal; Run shell untrusted; Suspicious device created in container; DNS Fast Flux Activity Detected; Terminal shell in container; Linux Kernel Module Injection Detected; Suspicious RC Script Modification; Dump Memory using /proc Filesystem. | 0.203.4 |
May 08, 2025 | Rule Changes: Improved the same_file observation link. Improved output for the Dump Memory using /proc Filesystem rule. Reduced false positives for the following rules: DNS Fast Flux Activity Detected; Redirect STDOUT/STDIN to Network Connection in Container; Drop and Execute /tmp Binary; Suspicious RC Script Modification; Fileless Malware Detected (memfd); Read K8s Service Account Token from Terminal; Dynamic Linker Hijacking Detected; Suspicious io_uring Activity Detected; Socat Reverse Shell Detected; PTRACE anti-debug attempt; Debugfs Launched in Privileged Container; Contact K8S API Server From Container; Suspicious Home Directory Creation; Run shell untrusted; Create Symlink Over Sensitive Files; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket. | 0.203.3 |
May 07, 2025 | Rule Changes: Reduced false positives for the following rules: Dynamic Linker Hijacking Using ld.so Files; Dump Memory using /proc Filesystem; Exfiltration of GCP IMDS Credentials Using LOTL Binary; Read K8s Service Account Token from Terminal; Modify Shell Configuration File; Read Shell Configuration File; Launch Ingress Remote File Copy Tools in Container; Contact K8S API Server From Container; Dynamic Linker Hijacking Detected. | 0.203.2 |
May 06, 2025 | Rule Changes: Reduced false positives for the following rules: Read K8s Service Account Token from Terminal; Dynamic Linker Hijacking Detected; Read Shell Configuration File; Contact K8S API Server From Container; Find Authentication Certificates; Run shell untrusted; Redirect STDOUT/STDIN to Network Connection in Container; Terminal shell in container. | 0.203.1 |
May 06, 2025 | Rule Changes: Added the following rules: Improved output for Workload rules. Improved condition for the following rules: same_file observation rules; Offensive Security Tool Contacting Cloud Instance Metadata Service; Socat Reverse Shell Detected; Reverse Shell Spawned From Binary Through Pipes. Reduced false positives for the following rules: Get Secret Value; Read Shell Configuration File; Drop and Execute /tmp Binary; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Launch Suspicious Network Tool in Container; Contact K8S API Server From Container; Reverse Shell Detected; Find GCP Credentials; Hide Process with Mount; Create Symlink Over Sensitive Files; Connection to TOR Domain Detected; Reverse Shell Spawned From Binary Through Pipes; Dump Memory using /proc Filesystem; AWS SSM Agent Activity using StartSession; Password Policy Discovery Activity Detected; Suspicious io_uring Activity Detected; Run shell untrusted; Code compiler downloaded and launched in container. Default Policy Changes | 0.203.0 |
May 02, 2025 | Rule Changes | 0.202.2 |
April 30, 2025 | Rule Changes | 0.202.1 |
April 29, 2025 | Rule Changes: Improved condition for the sysdig_images_endswith macro. Improved condition for the following rules: Suspicious Command Executed by Web Server; Connection with Suspicious User Agent Detected; Offensive Security Tool Detected. MITRE tag update: Enterprise ATT&CK v17.0. Improved output for the Hide Process with Mount rule. Reduced false positives for the following rules: Hide Process with Mount; Dump Memory using /proc Filesystem; Dynamic Linker Hijacking Using ld.so Files; Suspicious System Service Modification; Leading or Trailing Space Detected in Filename; Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Reverse Shell Detected; Tampering with Security Software in Container; Drop and Execute /tmp Binary; Connection to IPFS Network Detected; Process memory injection via process_vm_writev; Execution from /tmp. | 0.202.0 |
April 28, 2025 | Rule Changes | 0.201.3 |
April 25, 2025 | Rule Changes | 0.201.2 |
April 25, 2025 | Rule Changes Default Policy Changes | 0.201.1 |
April 25, 2025 | Rule Changes Default Policy Changes | 0.201.0 |
April 24, 2025 | Rule Changes | 0.200.2 |
April 23, 2025 | Rule Changes | 0.200.1 |
April 22, 2025 | Rule Changes: Improved the container_entrypoints list. Added the Connection to TOR Domain Detected rule. Reduced false positives for the following rules: Drop and Execute /tmp Binary; Detect curl Using Socks Proxy; Read sensitive file untrusted; Run shell untrusted; Mount Launched in Privileged Container; Reverse Shell Detected; Modify Grub Configuration Files; PTRACE anti-debug attempt; Launch Ingress Remote File Copy Tools in Container; Dynamic Linker Hijacking Using ld.so Files; Disable or Modify Linux Audit System. Default Policy Changes | 0.200.0 |
April 17, 2025 | Rule Changes: Reduced false positives for the following rules: Launch Suspicious Network Tool in Container; Find Azure Credentials; Suspicious Home Directory Creation; Suspicious RC Script Modification; Connection to IPFS Network Detected; DNS Lookup for Uncommon TLD Domain Detected; Modify binary dirs; Redirect STDOUT/STDIN to Network Connection in Container; Disable or Modify Linux Audit System; Launch Sensitive Mount Container; Suspicious Operations with Firewalls; Privileged Shell Spawned Inside Container; Run shell untrusted; Create HostNetwork Pod; Create Sensitive Mount Pod; Create Privileged Pod; Read sensitive file untrusted. Improved condition for the GCP Modify Audit Policy rule. Improved output for the Hexadecimal string detected rule. | 0.199.2 |
April 16, 2025 | Rule Changes | 0.199.1 |
April 15, 2025 | Rule Changes: Added the Offensive Security Tool Contacting Cloud Instance Metadata Service rule. Reduced false positives for the following rules: Reverse Shell Spawned From Binary Through Pipes; Debugfs Launched in Privileged Container; Create Hardlink Over Sensitive Files; Dump Memory using /proc Filesystem; Process memory injection via process_vm_writev. Improved condition for the following rules: Default Policy Changes | 0.199.0 |
April 15, 2025 | Rule Changes | 0.198.6 |
April 10, 2025 | Rule Changes: Reduced false positives for the following rules: Read sensitive file untrusted; Create files below dev; Drop and Execute /tmp Binary; DNS Lookup for Uncommon TLD Domain Detected; DNS Fast Flux Activity Detected; Fileless Malware Detected (memfd); Reverse Shell Detected; New Kernel Module Created and Loaded; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket. | 0.198.4 |
April 09, 2025 | Rule Changes | 0.198.3 |
April 08, 2025 | Rule Changes: Reduced false positives for the DNS Fast Flux Activity Detected rule. | 0.198.1 |
April 08, 2025 | Rule Changes: Improved condition for the DNS Fast Flux Activity Detected rule. Added the Drop and Execute /tmp Binary rule. Added principalId to the output of AWS rules (first batch). Reduced false positives for the following rules: Suspicious Operations with Firewalls; Dynamic Linker Hijacking Detected; Linux Kernel Module Injection Detected; Redirect STDOUT/STDIN to Network Connection in Container; Dynamic Linker Hijacking Using ld.so Files; Network Relay Binary Exfiltration Activities Detected; Dump Memory using /proc Filesystem. Default Policy Changes | 0.198.0 |
April 07, 2025 | Rule Changes: Reduced false positives for the following rules: DNS Fast Flux Activity Detected; Create Symlink Over Sensitive Files; Terminal shell in container; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Dump Memory using /proc Filesystem; Execution from /tmp; Reverse Shell Detected; Dynamic Linker Hijacking Using ld.so Files; Reverse Shell Spawned From Binary Through Pipes; Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Fileless Malware Detected (memfd); Create Hardlink Over Sensitive Files; Service Discovery Activity Detected; Database Dump Command Detected; Network Relay Binary Exfiltration Activities Detected; Dynamic Linker Hijacking Detected. | 0.197.1 |
April 01, 2025 | Rule Changes: Improved condition for the Set Setuid or Setgid bit rule. Added the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Reverse Shell Spawned From Binary Through Pipes; Dump Memory using /proc Filesystem; Dynamic Linker Hijacking Detected; Mount Launched in Privileged Container; Suspicious Operations with Firewalls; Dynamic Linker Hijacking Using ld.so Files; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; PTRACE attached to process; Detection bypass by symlinked files; DNS Lookup for Miner Pool Domain Detected; Modify Grub Configuration Files; Launch Sensitive Mount Container; Reverse Shell Detected; DNS Lookup for Uncommon TLD Domain Detected; Find GCP Credentials. Improved tags for container rules. Default Policy Changes: Added the EC2 Replace IAM Instance Profile Association rule. Updated policy for the following rules: Full Visibility on Federated Sessions; Launch Package Management Process in Container; Launch Privileged Container; Dump Sensitive Environment Variables; Drop Malicious Program in /tmp; Network Relay Binary Exfiltration Activities Detected. Improved condition for the Set Setuid or Setgid bit rule. | 0.197.0 |
March 27, 2025 | Rule Changes: Reduced false positives for the following rules: Reverse Shell Spawned From Binary Through Pipes; Dynamic Linker Hijacking Detected; Clear Log Activities; Fileless Malware Detected (memfd); Memory Manipulation by Fileless Program. | 0.196.4 |
March 27, 2025 | Rule Changes: Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved the network_tool_procs macro. Reduced false positives for the following rules: Disable or Modify Linux Audit System; Process memory injection via process_vm_writev; Clear Log Activities; Fileless Malware Detected (memfd); Launch Excessively Capable Container; Malicious filenames written; Modify Grub Configuration Files; New Kernel Module Created and Loaded. | 0.196.3 |
March 26, 2025 | Rule Changes Default Policy Changes | 0.196.2 |
March 25, 2025 | Rule Changes | 0.196.1 |
March 25, 2025 | Rule Changes: Added the following rules: Potential IngressNightmare Vulnerability Exploitation; Drop Malicious Program in /tmp; Direct Memory Overwrite Detected. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Kernel module unloaded; Leading or Trailing Space Detected in Filename; Suspicious System Service Modification; Suspicious Capabilities Granted to File; Launch Package Management Process in Container; Create files below dev; Read sensitive file untrusted; Suspicious Cron Modification; Execution from Temporary Filesystem (tmpfs); Disable or Modify Linux Audit System; Clear Log Activities; Process memory injection via process_vm_writev; Execution from /tmp. Improved condition for the Dump Sensitive Environment Variables and System Geolocation Discovery rules. Default Policy Changes: Added the following rules: Potential IngressNightmare Vulnerability Exploitation; Drop Malicious Program in /tmp; Direct Memory Overwrite Detected. | 0.196.0 |
March 24, 2025 | Rule Changes | 0.195.8 |
March 24, 2025 | Rule Changes: Reduced false positives for the following rules: PTRACE anti-debug attempt; Clear Log Activities; Process memory injection via process_vm_writev; Disable or Modify Linux Audit System. | 0.195.7 |
March 22, 2025 | Rule Changes Reduced false positives for the following rules: | 0.195.6 |
March 21, 2025 | Rule Changes | 0.195.5 |
March 21, 2025 | Rule Changes | 0.195.4 |
March 21, 2025 | Rule Changes Default Policy Changes | 0.195.3 |
March 20, 2025 | Rule Changes | 0.195.2 |
March 19, 2025 | Rule Changes Default Policy Changes | 0.195.1 |
March 18, 2025 | Rule Changes: Added the following rules: Brute-force Tool Detected; Network Relay Binary Exfiltration Activities Detected; Dump Sensitive Environment Variables. Improved condition for the following rules: Exfiltration of Azure IMDS Credentials Using LOTL Binary; Exfiltration of GCP IMDS Credentials Using LOTL Binary; Exfiltration of AWS IMDS Credentials Using LOTL Binary; Dynamic Linker Hijacking Using ld.so Files; Interactive Reconnaissance Activity Detected; Reverse Shell Redirects STDIN/STDOUT To Sibling Processes Using Named Pipe. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Dynamic Linker Hijacking Detected; Dump Memory using /proc Filesystem; Service Discovery Activity Detected; Reverse Shell Detected; Modify Grub Configuration Files; Launch Package Management Process in Container; Launch Privileged Container; Disable or Modify Linux Audit System; Find Authentication Certificates; Exfiltration of GCP IMDS Credentials Using LOTL Binary; New Kernel Module Created and Loaded; Packet socket created in container; Read sensitive file untrusted; Suspicious Access To Kerberos Secrets; DNS Lookup for Uncommon TLD Domain Detected; Fileless Malware Detected (memfd); Memory Manipulation by Fileless Program. Default Policy Changes | 0.195.0 |
March 17, 2025 | Rule Changes: Reduced false positives for the following rules: Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Inline Shell Execution by Wget/Curl; Dump Memory using /proc Filesystem; DNS Lookup for Uncommon TLD Domain Detected; Clear Log Activities; DNS Lookup for Tunneling Service Domain Detected; DNS Lookup for Suspicious Domain Detected; DNS Lookup for Offensive Security Tool Domain Detected; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Launch Package Management Process in Container; Modify binary dirs; Mount Launched in Privileged Container; Dynamic Linker Hijacking Detected; Redirect STDOUT/STDIN to Network Connection in Container; OpenSSL Reverse Shell Detected; Reverse Shell Detected; Data Exfiltration using DNS; Linux Kernel Module Injection Detected; Service Discovery Activity Detected. Improved output for the Find and Execute SUID Binary rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. | 0.194.4 |
March 14, 2025 | Rule Changes Default Policy Changes | 0.194.3 |
March 13, 2025 | Rule Changes: Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated policy for the Launch Remote File Copy Tools in Container rule. Reduced false positives for the following rules: Find AWS Credentials; Mount Launched in Privileged Container; Find and Execute SUID Binary; Suspicious RC Script Modification; Memory Manipulation by Fileless Program; Dynamic Linker Hijacking Detected; Read sensitive file untrusted; Modify ld.so.preload; Kernel startup modules changed; DNS Lookup for Reconnaissance Service Detected; Suspicious System Service Modification; Dump Memory using /proc Filesystem; Service Discovery Activity Detected. Default Policy Changes | 0.194.2 |
March 12, 2025 | Rule Changes: Reduced false positives for the following rules: Clear Log Activities; Find AWS Credentials; Create Symlink Over Sensitive Files; PTRACE anti-debug attempt; Possible SSH Hijacking Attempt Detected; Reverse Shell Detected; Dynamic Linker Hijacking Detected; Kernel startup modules changed; DNS Lookup for Tunneling Service Domain Detected; DNS Lookup for Uncommon TLD Domain Detected; DNS Tunneling Activity Detected; Memory Manipulation by Fileless Program; Dump Memory using /proc Filesystem; Debugfs Launched in Privileged Container; Find GCP Credentials. Improved output for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Default Policy Changes | 0.194.1 |
March 11, 2025 | Rule Changes: Added the Exfiltration of GCP IMDS Credentials Using LOTL Binary rule. Added the Find and Execute SUID Binary rule. Improved condition for the following rules: OpenSSL File Read or Write; Possible SSH Hijacking Attempt Detected; Inline Shell Execution by Wget/Curl; DNS Tunneling Activity Detected; Netcat Remote Code Execution on Host. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Find Private Keys or Passwords; DNS Lookup for Reconnaissance Service Detected; DNS Lookup for Uncommon TLD Domain Detected; DNS Lookup for Tunneling Service Domain Detected; DNS Fast Flux Activity Detected; DNS Lookup for Dynamic DNS Domain Detected; Dump Memory using /proc Filesystem; Modification of pam.d detected; System procs network activity; Suspicious device created in container; Launch Suspicious Network Tool on Host; Terminal shell in container; Run shell untrusted; Launch Ingress Remote File Copy Tools in Container; System Geolocation Discovery; Set Setuid or Setgid bit; Reverse Shell Detected; New Kernel Module Created and Loaded; DNS Lookup for Proxy/VPN Domain Detected; Find AWS Credentials; Modify Grub Configuration Files; Modify ld.so.preload; Base64-encoded Shell Script Execution; Dump memory for credentials; Perl Remote Command Execution Detected; Suspicious RC Script Modification; PTRACE anti-debug attempt. Default Policy Changes: Added the Exfiltration of GCP IMDS Credentials Using LOTL Binary rule. Added the Find and Execute SUID Binary rule. Updated policy for the following rules: Dump memory for credentials; Detect outbound connections to Proxy/VPN; Download and launch remote file copy tools in container; Outbound Connection to C2 Servers; DNS Lookup for Canary Domain. Removed the Non sudo setuid rule from managed policies. | 0.194.0 |
March 11, 2025 | Rule Changes | 0.193.7 |
March 10, 2025 | Rule Changes | 0.193.6 |
March 05, 2025 | Rule Changes | 0.193.5 |
March 01, 2025 | Rule Changes | 0.193.4 |
February 28, 2025 | Rule Changes: Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for the Inline Shell Execution by Wget/Curl rule. Reduced false positives for the following rules: Reverse Shell Detected; Create Hardlink Over Sensitive Files; Dump memory for credentials; Download and launch remote file copy tools in container; Memory Manipulation by Fileless Program; Suspicious Home Directory Creation; Dynamic Linker Hijacking Using ld.so Files; Kernel startup modules changed; Suspicious System Service Modification; Modify Grub Configuration Files; Create Symlink Over Sensitive Files. | 0.193.3 |
February 27, 2025 | Rule Changes: Reduced false positives for the following rules: Dump Memory using /proc Filesystem; Kernel Module Loaded by Unexpected Program; OpenSSL File Read or Write. | 0.193.2 |
February 26, 2025 | Rule Changes: Reduced false positives for the following rules: Read sensitive file untrusted; The docker client is executed in a container; Inline Shell Execution by Wget/Curl; Service Discovery Activity Detected; Possible Backdoor using BPF; New Kernel Module Created and Loaded; PTRACE anti-debug attempt; Memory Manipulation by Fileless Program; Dump memory for credentials. | 0.193.1 |
February 25, 2025 | Rule Changes: Added the following rules: Improved conditions for the following rules: Search Private Keys or Passwords; Contact Azure Instance Metadata Service from Host; Contact Azure Instance Metadata Service from Container; Find Authentication Certificates; Inline Shell Execution by Wget/Curl. Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Entra Hard Delete Application. Reduced false positives for the following rules: Launch Privileged Container; Modification of pam.d detected; Fileless Malware Detected (memfd); Reverse Shell Detected; Read sensitive file untrusted; Possible Backdoor using BPF; Execution of binary using ld-linux; Clear Log Activities; Run shell untrusted; Launch Root User Container; Write below root; Linux Kernel Module Injection Detected; Dynamic Linker Hijacking Using ld.so Files. Default Policy Changes | 0.193.0 |
February 24, 2025 | Rule Changes | 0.192.6 |
February 22, 2025 | Rule Changes | 0.192.5 |
February 22, 2025 | Rule Changes: Reduced false positives for the following rules: Kernel startup modules changed; Modification of pam.d detected; Mount Launched in Privileged Container; eBPF Program Loaded into Kernel; Fileless Malware Detected (memfd); Base64-encoded Shell Script Execution; Modify ld.so.preload; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Find Authentication Certificates; Change memory swap options; Contact Azure Instance Metadata Service from Host; Contact Azure Instance Metadata Service from Container; Disable or Modify Linux Audit System; DNS Lookup for Tunneling Service Domain Detected; Suspicious System Service Modification; Service Discovery Activity Detected; Change thread namespace; Read sensitive file untrusted. Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for the Kernel Module Loaded by Unexpected Program and Offensive Security Tool Detected rules. Default Policy Changes | 0.192.4 |
February 20, 2025 | Rule Changes | 0.192.3 |
February 19, 2025 | Rule Changes | 0.192.2 |
February 18, 2025 | Rule Changes: Reduced false positives for the Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket rule. | 0.192.1 |
February 18, 2025 | Rule Changes: Added the following rules: Exfiltration of AWS IMDS Credentials Using LOTL Binary; Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket; Reverse Shell Redirects STDIN/STDOUT To Sibling Processes Using Named Pipe. Improved condition for the following rules: Staged Meterpreter Reverse Shell; Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Discovery Security Service Activity Detected; SSH Exfiltration Activities Detected; Netcat Remote Code Execution in Container. Improved output for Entra and Azure rules. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: New Kernel Module Created and Loaded; Modify ld.so.preload; DNS Lookup for Uncommon TLD Domain Detected; Kernel startup modules changed; Dynamic Linker Hijacking Using ld.so Files; Dump Memory using /proc Filesystem. Default Policy Changes | 0.192.0 |
February 12, 2025 | Rule Changes: Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved description for the Reverse Shell Redirects STDIN/STDOUT Through Pseudoterminals rule. Improved output for the Dump Memory using /proc Filesystem rule. Reduced false positives for the following rules: Reverse Shell Detected; Write below root; Modify ld.so.preload; GPG Key Reconnaissance; Find AWS Credentials; Dynamic Linker Hijacking Using ld.so Files; Reverse Shell Spawned From Binary Through Pipes; Kernel Module Loaded by Unexpected Program. | 0.191.1 |
February 11, 2025 | Rule Changes: Added the following rules: Grant Public Invoke Permission to Lambda Function; Route53 Delete DNS Resolver Query Logging; Route53 Delete DNS Hosted Zone Query Logging; SSH Exfiltration Activities Detected; Offensive Security Tool Detected; Reverse Shell Redirects STDIN/STDOUT Through Pseudoterminals. Improved conditions for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Modification of pam.d detected; Kernel Module Loaded by Unexpected Program; Modify ld.so.preload; Dynamic Linker Hijacking Detected; Dump Memory using /proc Filesystem; Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Dump memory for credentials. Improved output for the Kernel Module Loaded by Unexpected Program rule. Default Policy Changes | 0.191.0 |
February 10, 2025 | Rule Changes | 0.190.6 |
February 07, 2025 | Rule Changes Default Policy Changes | 0.190.5 |
February 06, 2025 | Rule Changes: Reduced false positives for the Hexadecimal string detected rule. | 0.190.4 |
February 05, 2025 | Rule Changes | 0.190.2 |
February 04, 2025 | Rule Changes | 0.190.1 |
February 04, 2025 | Rule Changes: Added the following rules: Improved condition for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes; Non sudo setuid; PTRACE anti-debug attempt; Suspicious RC Script Modification; Reverse Shell Detected; Fileless Malware Detected (memfd). Default Policy Changes: Added the following rules: Updated policy for the BPF Command Executed by Fileless Program rule. Removed Staged Meterpreter Reverse Shell from the managed policy. Deprecated Okta rules. | 0.190.0 |
February 03, 2025 | Rule Changes | 0.189.5 |
January 31, 2025 | Rule Changes | 0.189.4 |
January 30, 2025 | Rule Changes | 0.189.3 |
January 29, 2025 | Rule Changes: Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Workload rules. Reduced false positives for the following rules: Search Private Keys or Passwords; Dump Memory using /proc Filesystem; Kernel startup modules changed; Reverse Shell Detected; New Kernel Module Created and Loaded. | 0.189.2 |
January 28, 2025 | Rule Changes: Reduced false positives for the Reverse Shell Spawned From Binary Through Pipes rule. | 0.189.1 |
January 28, 2025 | Added the following rules: Reverse Shell Redirects STDIN/STDOUT To Socket With Pipes
Reverse Shell Spawned From Interpreted or Compiled Program Through Pipes
Reverse Shell Spawned From Binary Through Pipes
New Kernel Module Created and Loaded
Dynamic Linker Hijacking Using LD_AUDIT
Possible Jynx Rootkit Detected
Container Launched In Host IPC Namespace
Azure Create/Update a Virtual Machine with Password Authentication Enabled
Azure Create/Update a Virtual Machine With Managed Identity Assigned
Improved condition for Suspicious Command Executed by Web Server and Data Exfiltration using DNS rules. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: GPG Key Reconnaissance
Mount on Container Path Detected
Download and launch remote file copy tools in container
Dump Memory using /proc Filesystem
Suspicious Command Executed by Web Server
Dynamic Linker Hijacking Detected
Dynamic Linker Hijacking Using ld.so Files
Removed exception for Modify ld.so.preload rule.
Default Policy Changes | 0.189.0 |
January 24, 2025 | Rule Changes | 0.188.2 |
January 23, 2025 | Rule Changes Default Policy Changes | 0.188.1 |
January 21, 2025 | Rule Changes Added the following rules: Azure Create/Update Gallery Image
Azure Delete Gallery Image
Container Launched In Host PID Namespace
Container Launched In Host Network Namespace
BPF Command Executed by Fileless Program
Improved conditions for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Non sudo setuid
Modify ld.so.preload
Find GCP Credentials
Mount Launched in Privileged Container
Dump memory for credentials
Dynamic Linker Hijacking Detected
Dynamic Linker Hijacking Using ld.so Files
Dump Memory using /proc Filesystem
Improved outputs for Workload rules.
Default Policy Changes | 0.188.0 |
January 17, 2025 | Added the Possible Remote Code Execution using rsync rule. Default Policy Changes Added the Possible Remote Code Execution using rsync rule. | 0.187.0 |
January 16, 2025 | Rule Changes | 0.186.4 |
January 15, 2025 | Rule Changes | 0.186.3 |
January 15, 2025 | Rule Changes | 0.186.2 |
January 14, 2025 | Rule Changes | 0.186.1 |
January 14, 2025 | Added the following rules: IAM Privilege Escalation API called from Kali Linux/Parrot OS
S3 Impactful API called from Kali Linux/Parrot OS
RDS Restore Public DB Instance from Snapshot
Inline Shell Execution by Wget/Curl
Suspicious Command Executed by Web Server
Dynamic Linker Hijacking Using ld.so Files
Dump Memory using /proc Filesystem
Improved condition for Data Exfiltration using DNS rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Suspicious RC Script Modification
Modify ld.so.preload
Netcat Remote Code Execution in Container
Dynamic Linker Hijacking Detected
Default Policy Changes | 0.186.0 |
January 13, 2025 | Rule Changes | 0.185.2 |
January 10, 2025 | Rule Changes Default Policy Changes | 0.185.1 |
January 07, 2025 | Rule Changes Added policy Sysdig Runtime Behavioral Analytics. Added the following rules: Dynamic Linker Hijacking Detected
Process Injection using PTRACE
Staged Meterpreter Reverse Shell
Data Exfiltration using DNS
Log File Symlink to Null
Improved condition for Executable File Dropped in Container via Kubectl rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Suspicious RC Script Modification
Potential IRC connection detected
Fileless Malware Detected (memfd)
Kernel startup modules changed
Launch Suspicious Network Tool on Host
Kernel Module Loaded by Unexpected Program
Modify Grub Configuration Files
Hexadecimal string detected
Updated policy for Hardware Added to the System rule.
Default Policy Changes Updated policy for Hardware Added to the System rule. Added policy Sysdig Runtime Behavioral Analytics. Added the following rules: Dynamic Linker Hijacking Detected
Process Injection using PTRACE
Staged Meterpreter Reverse Shell
Data Exfiltration using DNS
Log File Symlink to Null
| 0.185.0 |