December 04, 2022 | 0.96.0
Rule Changes:
- Reduced false positives for the following rules:
  - eBPF Program Loaded into Kernel
  - Non sudo setuid
  - Read SSH information
  - Read Shell Configuration File
  - Write below etc
  - Reconnaissance attempt to find SUID binaries
  - Suspicious Domain Contacted
- Updated IoCs Ruleset with new findings.
- Improved detection for the Non sudo setuid rule.
- Added the following rule:
  - Detect cloned process by PRoot
Default Policy Changes:
- Added the Detect cloned process by PRoot rule.

December 01, 2022 | 0.94.2
Rule Changes:
- Disabled the Create Hidden Files or Directories rule.

November 29, 2022 | 0.94.0
Rule Changes:
- Improved the output for the Suspicious Cron Modification rule.
- Reduced false positives for the Read SSH information rule.
- Updated IoCs Ruleset with new findings.
- Enabled the Create Hidden Files or Directories rule.
- Added the Create/modify EKS serviceaccount bound to AWS Identity and Access Management (IAM) role rule.
- Added the Suspicious Domain Contacted rule.

November 22, 2022 | 0.93.0
Rule Changes:
- Reduced false positives for the following rules:
  - Privileged Shell Spawned Inside Container
  - Clear Log Activities
  - Read ssh information
  - Search Private Keys or Passwords
  - Launch Suspicious Network Tool in Container
  - Container Run as Root User
  - Change Thread Namespace
  - Read Shell Configuration File
- Improved the tags for the eBPF Program Loaded into Kernel rule.
- Updated IoCs Ruleset with new findings.
- Improved detection for the Non sudo setuid rule.
- Added new rules.

November 10, 2022 | 0.92.0
Rule Changes:
- Reduced false positives for the following rules:
  - Suspicious Kernel Parameter Modification
  - The docker client is executed in a container
  - Mount Launched in Privileged Container
  - Reconnaissance attempt to find SUID binaries
  - PTRACE attached to process
  - Linux Kernel Module Injection Detected
- Updated IoCs Ruleset with new findings.
- Improved detection for the Non sudo setuid rule.
- Added new rules.

October 19, 2022 | 0.91.0
Rule Changes:
- Renamed lists, macros, and rules for Falco Cloud.
- Added the Unexpected Connection from legitimate Process/Port rule.
- Updated IoCs Ruleset with new findings.
- Edited the output for the Reconnaissance attempt to find SUID binaries rule.
Default Policy Changes:
- Renamed lists, macros, and rules for Falco Cloud.
- Added the Unexpected Connection from legitimate Process/Port rule.

October 14, 2022 | 0.90.0
Rule Changes:
- Updated the sensitive_kernel_parameter_files list to detect changes to the ptrace_scope file.
- Added the Diamorphine Rootkit Activity rule.
- Updated IoCs Ruleset with new findings.
- Reduced false positives in the Dump memory for credentials rule.

October 07, 2022 | 0.89.0
Rule Changes:
- Tuned the Dump memory for credentials rule.
- Added the following rules:
  - Dump memory for credentials
  - Kill known malicious process
- Updated IoCs Ruleset with new findings.
- Updated the cloud MITRE tags.
- Reduced false positives in Falco rules.
- Used a glob in the user_ssh_directory macro and removed openat2 from conditions.
- Added an exception to the AWS Command Executed by Untrusted User rule.
- Changed an exception in the Change Resource Record Sets rule.
- Changed the allowed_k8s_users list.

September 27, 2022 | 0.88.0
Default Policy Changes:
- Disabled S3 versioning

September 23, 2022 | 0.87.0
Rule Changes:
- Increased IoCs and added additional exceptions.
- Added exclusions to reduce false positives.
- Added parameters to the sensitive_kernel_parameter_files list.

September 09, 2022 | 0.86.0

September 08, 2022 | 0.85.0
Default Policy Changes:
- Removed the following rule from the default policies:
  - Scripting Language Execution below dev
August 24, 2022 | 0.83.0
Rule Changes:
- New rules:
  - Share RDS Snapshot with Foreign Account
- Rule tuning for the following:
  - PTRACE anti-debug attempt
  - Suspicious Cron Modification
  - Suspicious Java Child Processes
  - Create Symlink Over Sensitive Files
  - Netcat Remote Code Execution in Container
  - eBPF Program Loaded into Kernel
- Updated IoCs Ruleset with new findings.

August 19, 2022 | 0.82.0
Rule Changes:
- Fixed the output for two PTRACE rules.
- Added conditions to improve detection for Delete/rename Bash History.
- Enabled the do_unexpected_udp_check macro.
- Added the new rule GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).
Auto-Tuner Exception Updates:
- Added additional exceptions for Privileged Shell Inside Container.
- Added the Azure core image to the exception for Suspicious Cron Modification.

August 11, 2022 | 0.81.2
Rule Changes:
- Added the Azure rule Azure RDP Access Is Allowed from The Internet.
- Updated auto-tuner exceptions to reduce excessive noise:
  - Change Resource Record Sets (AWS)
  - Create Hidden Files or Directories
  - Describe Instances (AWS)
  - GCP Delete Compute VM Instance
  - GCP Operation by a Non-corporate Account
  - List Buckets (AWS)
  - Non sudo setuid
  - Root User Executing AWS Command
  - Run shell untrusted
  - The docker client is executed in a container
  - User mgmt binaries
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added new rules:
  - Azure RDP Access Is Allowed from The Internet
August 05, 2022 | 0.80.1
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives:
  - Linux Kernel Module Injection Detected
  - eBPF Program Loaded into Kernel
  - Privileged Shell Spawned Inside Container
- Added new rules.
- Extended the conditions of some rules.
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added new rules to the default policies.

July 26, 2022 | 0.79.2
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives.
- Added the following new rules:
  - PTRACE anti-debug attempt
  - PTRACE attached to process
  - Detect reconnaissance scripts
  - Detect malicious cmdlines
  - GCP Create DNS Record
  - GCP Create DNS Zone
  - GCP Delete DNS Record
  - GCP Update DNS Record
  - GCP Update DNS Zone
  - GCP Cloud Armor Blocked Connection
  - GCP Cloud IDS Alert
  - Delete AWS user (SSO)
- Updated the following rule:
  - Reconnaissance attempt to find SUID binaries
- Updated the following list:
  - falco_privileged_images
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added new rules to the default policies.

July 15, 2022 | 0.78.0
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives.
- Added the following new rules:
  - Detect curl Using Socks Proxy
  - Create AWS user (SSO)
  - GCP Delete VPN
  - GCP App Engine Firewall Rule Created
  - GCP Compute Firewall Rule Created
  - GCP Create VPN
  - GCP Sensitive Role Added to User
- Added additional exceptions to:
  - Read sensitive file untrusted
  - Run shell untrusted
  - Non sudo setuid
  - Clear Log Activities
  - Execution of binary using ld-linux
  - eBPF Program Loaded into Kernel
  - Terminal shell in container
  - The docker client is executed in a container
- Added the Detect curl Using Socks Proxy rule to the IoCs Malware Activity and Sysdig Runtime Threat Detection policies.
- Added the Create AWS user (SSO) rule to the Sysdig AWS Activity Logs policy.
- Added the GCP Delete VPN and GCP Sensitive Role Added to User rules to the Sysdig GCP Notable Events policy.
- Added the GCP App Engine Firewall Rule Created, GCP Compute Firewall Rule Created, and GCP Create VPN rules to the Sysdig GCP Activity Logs policy.
- Split the AWS rules into individual files and moved the lists out of those files into their own file, placed at the top of the output aws_cloudtrail.yaml.
- Fixed a tag in the Delete Cluster rule.
- Updated IoCs Ruleset with new findings.

July 08, 2022 | 0.77.0
Rule Changes:
- Restored the missing rule nsenter Container Escape.
- Cleaned up the duplicate macro falco_sensitive_mount_containers.
- Adjusted the eBPF Program Loaded into Kernel rule.
- Updated IoCs Ruleset with new findings.
- Updated all the CloudTrail rules to add ARNs to the output.
Default Policy Changes:
- Modified to work with both the old default_policies and the managed default_policies.

July 01, 2022 | 0.76.1
Rule Changes:
- Added Miner IP Pool threat intelligence: Detect outbound connections to common miner pool ports.
June 30, 2022 | 0.76.0
Rule Changes:
- Added additional exceptions to:
  - Linux Kernel Module Injection Detected
- Created the following new rules:
  - GCP App Engine Firewall Rule Deleted
  - GCP App Engine Firewall Rule Updated
  - GCP Create Cloud Function v2 Not Using Latest Runtime
  - GCP Create Cloud Function v2
  - GCP Compute Firewall Rule Deleted
  - GCP Compute Firewall Rule Updated
  - GCP Delete Compute VM Instance
  - GCP Update Cloud Function v2
  - Malicious Environment Variable in Spawned Process
  - nsenter Container Escape
- Updated the following GCP rules:
  - GCP Create Cloud Function Not Using Latest Runtime
  - GCP Create Cloud Function
  - GCP Create DLP Job
  - GCP Delete DLP Job
  - GCP Paused DLP Job
  - GCP Suspicious IP Inbound Request
  - GCP Update Cloud Function
  - GCP Updated DLP Job
- Added the CIS tag to the rules related to Center for Internet Security (CIS) Docker Security Benchmark controls:
  - Container Run as Root User
  - Disallowed SSH Connection
  - Launch Privileged Container
  - Launch Root User Container
  - Launch Sensitive Mount Container
  - Mount Launched in Privileged Container
  - Privileged Shell Spawned Inside Container
  - Reconnaissance attempt to find SUID binaries
  - The docker client is executed in a container
  - Write below root
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added the following rules to the default policy:
  - GCP App Engine Firewall Rule Deleted
  - GCP Compute Firewall Rule Deleted
  - Malicious Environment Variable in Spawned Process
  - nsenter Container Escape

June 24, 2022 | 0.75.0
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives.
- Modified the following macros:
  - truncate_shell_history
  - modify_shell_history
- Extended the condition of the Detect crypto miners using the Stratum protocol rule to improve its detection capabilities.
- New rules created:
  - Launch malicious container image
  - GCP Suspicious IP Inbound Request
  - GCP Allow Public Access to Bucket
  - GCP KMS Schedule Key Deletion
  - GCP Create DLP Job
  - GCP Delete DLP Job
  - GCP Update DLP Job
  - GCP Paused DLP Job
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added the following rule to the IoCs Malware Activity default policy:
  - Launch malicious container image
- Added the following rules to the Sysdig GCP Best Practices default policy:
  - GCP Suspicious IP Inbound Request
  - GCP Allow Public Access to Bucket
  - GCP KMS Schedule Key Deletion
  - GCP Delete DLP Job
  - GCP Paused DLP Job

June 17, 2022 | 0.74.3
Rule Changes:
- Added new rules.
- Modified some rules.
- Updated the sysdig_commercial_images macro; it now contains two new Kubernetes Security Posture Management (KSPM) images.
- Added the new macro ti_anon_ips for Tor source IP addresses.
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added the new rule AWS Suspicious IP Inbound Request to the Sysdig AWS Best Practices policy.
- Added the new rule eBPF Program Loaded into Kernel to the Suspicious Container Activity policy.
June 03, 2022 | 0.72.0
Rule Changes:
- Added a new rule:
  - Suspicious Java Child Processes
- Updated the package_mgmt_procs macro to detect package management processes run with Python.
- Updated some exceptions in the Change thread namespace rule.
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added the new rule Suspicious Java Child Processes to the IoCs Malware Activity policy.

May 26, 2022 | 0.70.3
Rule Changes:
- Added new rules.
- Modified exceptions to reduce noise:
  - Change thread namespace
  - Contact cloud metadata service from container
  - DB program spawned process
  - K8s ConfigMap Created
  - K8s ConfigMap Deleted
  - K8s Serviceaccount Created
  - Netcat Remote Code Execution in Container
  - Privileged Shell Spawned Inside Container
  - Set Setuid or Setgid bit
  - System ClusterRole Modified/Deleted
  - Write below monitored dir
  - Write below root
- Updated IoCs Ruleset with new findings.

May 20, 2022 | 0.69.0
Rule Changes:
- Added additional exceptions to the following rules to aid in addressing false positives:
  - Set Setuid or Setgid bit
  - Execution from /tmp
- Fixed the condition of the following rules:
  - Execution from /tmp
  - Execution from /dev/shm
- Updated IoCs Ruleset with new findings.

May 13, 2022 | 0.68.1
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives:
  - Run shell untrusted
  - Launch Privileged Container
  - Container Run as Root User
  - Write below root
  - Write below rpm database
  - DB program spawned process
  - Privileged Shell Spawned Inside Container
  - Launch Suspicious Network Tool in Container
  - Remove Bulk Data from Disk
  - Set Setuid or Setgid bit
  - Packet socket created in container
  - Execution from /tmp
- Created the new rule Possible Backdoor using BPF. It triggers when a process attaches a Berkeley Packet Filter (BPF) filter to a network socket, which can indicate packet sniffing by a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule.
- Created the new rule Execution of binary using ld-linux. Invoking the dynamic loader directly runs a program that does not have the exec bit set and may evade detection measures.
- Fixed the condition of the following rules:
  - Write below binary dir
  - Set Setuid or Setgid bit
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added the Possible Backdoor using BPF rule to the Notable Network Activity policy.
- Added the new rule Execution of binary using ld-linux to the IoCs Malware Activity policy.
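The two rules introduced in 0.68.1 are worth seeing spelled out as Falco rules. The file below is an illustration added for this page; it is not the Sysdig Rules Library's own Possible Backdoor using BPF or Execution of binary using ld-linux rule. The spawned_process macro, the setsockopt argument fields (evt.arg.level, evt.arg.optname), the process allow-list and the output formats are assumptions to be checked against your Falco or agent version before use.

```yaml
# Illustrative Falco rules written for this page, not the Sysdig Rules Library rules of the
# same names. Macro, field names, allow-list entries and outputs are assumptions to verify
# against the Falco version you run.

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Network diagnostic tools legitimately attach socket filters; list the ones you actually run
# so the rule is not a constant source of noise (the changelog entry calls this out).
- list: known_packet_capture_tools
  items: [tcpdump, tshark, wireshark, dhclient, dhcpcd, nmap, arping]

- rule: Possible Backdoor using BPF (example)
  desc: >
    A process attached a classic BPF filter to a socket with setsockopt(SO_ATTACH_FILTER).
    BPFDoor-style implants do this to watch for a magic packet on a raw socket without
    ever binding a listening port, so the backdoor is invisible to port scans.
  condition: >
    evt.type=setsockopt and evt.dir=<
    and evt.arg.level=SOL_SOCKET and evt.arg.optname=SO_ATTACH_FILTER
    and not proc.name in (known_packet_capture_tools)
  output: >
    BPF filter attached to socket (user=%user.name command=%proc.cmdline
    parent=%proc.pname container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [network, mitre_persistence]

- rule: Execution of binary using ld-linux (example)
  desc: >
    The dynamic loader was executed directly with a target program as its argument.
    The loader maps and runs the ELF itself, so the target needs no executable bit and
    can live on a noexec mount; controls keyed on exec permission or on the target's
    path never see it.
  condition: >
    spawned_process
    and (proc.name startswith "ld-linux" or proc.name startswith "ld-musl")
  output: >
    Program executed via the dynamic loader (user=%user.name command=%proc.cmdline
    parent=%proc.pname container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [process, mitre_defense_evasion]
```

Load it with `falco -r <file>` and exercise both rules: run a harmless ELF through the loader (for example `/lib64/ld-linux-x86-64.so.2 /bin/true`; the loader path varies by distribution) and start tcpdump, which should stay quiet because of the allow-list, while any unlisted process attaching a filter alerts. Two caveats: the loader rule matches on a name prefix rather than the full filename because proc.name is the kernel's comm and can be truncated to 15 characters; and the BPF rule covers only classic socket filters, not programs loaded through the bpf() syscall, which is the territory of the eBPF Program Loaded into Kernel rule listed elsewhere in this log.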
May 6, 2022 | 0.67.1
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives.
- Created the new rule Tampering with Security Software in Container. It detects common techniques used by threat actors to disable runtime security software.
- Created the new rule Detect outbound connections to TOR Entry Nodes. It detects clients reaching the Tor network through its entry nodes. This is an experimental rule that covers only a subset of Tor entry nodes; it will be improved in the future.
- Fixed the condition of the following rule:
  - Execution from /tmp
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Moved the Redirect STDOUT/STDIN to Network Connection in Container rule to the Notable Container Activity default policy.
- Added the Tampering with Security Software in Container rule to the Suspicious Container Activity default policy.
- Added the Detect outbound connections to TOR Entry Nodes rule to the IoCs Malware Activity default policy.

April 28, 2022 | 0.66.1
Rule Changes:
- Added a new rule file, threat_intelligence_feed.yaml, with lists and macros updated directly by the Sysdig Threat Research Team.
- Updated the following list:
  - sysdig_commercial_images
- Updated IoCs Ruleset with new findings.
- Updated Falco rule conditions.
- Added additional exceptions to aid in addressing false positives:
  - Execution from /tmp
  - Create Symlink Over Sensitive Files
  - Change thread namespace
  - DB program spawned process
  - Suspicious Cron Modification

April 21, 2022 | 0.65.1
Rule Changes:
- Added a new AWS CloudTrail rule:
  - Create RDS DB Instance with Public Access
- Added the following Falco rules:
  - Base64-encoded Shell Script Execution
  - Execution from /dev/shm
- Added additional exceptions to aid in addressing false positives:
  - Service Account Created in Kube Namespace
  - K8s Serviceaccount Created
- Modified to add a list of malicious IPs:
  - Outbound Connection to C2 Servers
- Updated IoCs Ruleset with new findings.

April 18, 2022 | 0.65.0
Rule Changes:
- Added additional exceptions to the following rules to aid in addressing false positives:
  - Change thread namespace
  - Create Symlink Over Sensitive Files
  - Container Run as Root User
  - DB program spawned process
  - Privileged Shell Spawned Inside Container
  - Run shell untrusted
  - Set Setuid or Setgid bit
  - Write below etc

April 17, 2022 | 0.64.1
Rule Changes:
- Added additional exceptions to the following rule to aid in addressing false positives:
  - Privileged Shell Spawned Inside Container

April 15, 2022 | 0.64.0
Rule Changes:
- Added additional exceptions to some rules to aid in addressing false positives.
- Created the new rule Base64-encoded Python Script Execution. It detects base64-encoded Python scripts passed as command line arguments. Base64 encodes binary data so it can be carried on an ASCII-only command line; attackers use this technique in various exploits to load shellcode and evade detection.
- Fixed the output of some rules.
- Updated IoCs Ruleset with new findings.
Default Policy Changes:
- Added the Base64-encoded Python Script Execution rule to the IoCs Malware Activity default policy.
- Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy.
- Created the new default policy Known Exploit Detection. This policy embeds the rules that can identify potential exploits of well-known CVEs.
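The base64-on-the-command-line technique described in the 0.64.0 entry is simple to express as a Falco rule. The rule below is an illustration added for this page, not the Sysdig Rules Library's Base64-encoded Python Script Execution rule. The spawned_process macro, the interpreter-name prefix, the keyword choices and the sample command lines are assumptions; the sample payload is constructed for testing and decodes to a harmless print call.

```yaml
# Illustrative Falco rule written for this page, not the Sysdig Rules Library rule of the
# same name. The macro, field choices and keywords are assumptions to tune for your fleet.

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- rule: Base64-encoded Python Script Execution (example)
  desc: >
    A Python interpreter was started with an inline program (-c) that base64-decodes a
    payload and hands it to exec or eval. The real script never touches disk and is
    opaque in plain command-line logging, which is why loaders for shellcode and
    second-stage tooling favour it.
  condition: >
    spawned_process
    and proc.name startswith "python"
    and proc.args startswith "-c"
    and proc.cmdline contains "b64decode"
    and (proc.cmdline contains "exec" or proc.cmdline contains "eval")
  output: >
    Base64-encoded Python executed inline (user=%user.name command=%proc.cmdline
    parent=%proc.pname container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [process, mitre_defense_evasion, mitre_execution]

# Constructed command lines for a quick check; 'cHJpbnQoJ2hpJyk=' decodes to print('hi').
#   fires:    python3 -c "import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))"
#   silent:   python3 -c "print('hi')"              (no decode step at all)
#   silent:   python3 tool.py --token cHJpbnQoJ2hpJyk=   (base64 carried as data, not code)
```

The three conjuncts are deliberate: requiring -c as the first argument, a decode call and an exec or eval keeps the rule from firing on every script that merely imports base64. Known gaps a production rule has to close: an interpreter flag before -c (`python3 -u -c ...`) defeats the startswith check, and a payload piped in on stdin (`base64 -d blob | python3`) never appears in the interpreter's own command line and needs a separate rule keyed on the decoding process and its parent shell.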
April 12, 2022 | 0.63.0
Rule Changes:
- Added additional exceptions to some rules to aid in addressing false positives.
- Disabled the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule by removing its condition.

April 09, 2022 | 0.62.1
Default Policy Changes:
- Policy: Notable Filesystem Changes
- Policy: Suspicious Container Activity
- Policy: Suspicious Lateral Movement Activity to Cloud
- Policy: Unexpected Spawned Processes

April 06, 2022 | 0.62.0
Rule Changes:
- Reduced noise for the Write below monitored dir and Write below etc rules by adding additional exceptions.

March 25, 2022 | 0.60.0
Rule Changes:
- Added new rules.
- Updated auto-tuner exceptions.
- Updated IoCs Ruleset with new findings.

March 18, 2022 | 0.59.2
Rule Changes:
- Updated the condition of the Launch Root User Container rule.
- Updated the following lists to address false positives:
  - miner_domains
  - allowed_k8s_users
- Updated some exceptions in the Schedule Cron Jobs rule.
- Created the sssd_writing_krb macro from the new release of OSS Falco.
- Updated IoCs Ruleset with new findings.
- Updated the following macros based on changes in OSS Falco:
  - modify_shell_history
  - truncate_shell_history
  - write_etc_common
Default Policy Changes:
- Updated the IoCs Malware Activity policy.
- Removed the following rules from the Notable Filesystem Changes policy:
  - Write below etc
  - Write below root
  - Write below rpm database
  - Write below binary dir
- Removed one rule from the Notable Container Activity policy:
  - Change thread namespace

March 10, 2022 | 0.58.1
Rule Changes:
- Excluded ptp and dp from the Change thread namespace rule.
- Excluded self from the K8s Serviceaccount Created rule.
- Excluded known cron writers from the Schedule Cron Jobs rule.
- Updated the IoCs Ruleset with new findings.

March 06, 2022 | 0.57.2
Rule Changes:
- Added additional exceptions to some rules to aid in addressing false positives.
- Updated the following macro based on changes in OSS Falco:
  - aws_eks_core_images
- Updated IoCs Ruleset with new findings.

March 03, 2022 | 0.56.5
Rule Changes:
- Fixed an exception to aid in addressing false positives for the following rule:
  - Contact K8S API Server From Container

March 01, 2022 | 0.56.4

February 18, 2022 | 0.55.2
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives for the following rules:
  - Modify Shell Configuration File
  - Write below etc
  - Write below rpm database
  - DB program spawned process
  - Clear Log Activities
  - Launch Root User Container
- Updated macros based on changes in OSS Falco.
- Updated lists to address false positives.
- Updated IoCs Ruleset with new findings.

February 10, 2022 | 0.54.3
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives.
- Updated macros based on changes in OSS Falco.
- Updated lists based on changes in OSS Falco.
- Updated IoCs Ruleset with new findings.

February 07, 2022 | 0.53.4
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives for the following rule:
  - Launch Root User Container

February 04, 2022 | 0.53.3
Rule Changes:
- Added additional exceptions to older agent versions to aid in addressing false positives for the following rules:
  - Modify Shell Configuration File
  - Write below etc
  - Write below root
  - Read sensitive file trusted after startup
  - Change thread namespace
  - Launch Suspicious Network Tool in Container
  - Redirect STDOUT/STDIN to Network Connection in Container
- Updated the following macros based on changes in OSS Falco:
  - spawned_process
  - sensitive_mount
- Updated lists based on changes in OSS Falco.
- Updated lists to address false positives.
- Updated IoCs Ruleset with new findings.

January 29, 2022 | 0.52.0

January 21, 2022 | 0.51.1
Rule Changes:
- Updated IoCs Ruleset with new findings.

January 14, 2022 | 0.50.5
Rule Changes:
- Created a new AWS rule:
  - Read Object through AWSSupportServiceRolePolicy Assumed Role
- Updated the tags for the AWS rule AWS Command Executed on Unused Region.
- Updated the tags for the following Google Cloud Platform (GCP) rules:
  - GCP Invitation Sent to Non-corporate Account
  - GCP Create User-managed Service Account Key
  - GCP Create GCP-managed Service Account Key
  - GCP Create Cloud Function Not Using Latest Runtime
  - GCP Set Bucket IAM Policy
  - GCP Create Bucket