Detects processes or binaries executed from trusted directories (e.g., System32) or using trusted names (e.g., svchost.exe) where the metadata, hash, or parent process does not align with legitimate activity patterns.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| trusted_directory_list | Paths such as C:\Windows\System32 that adversaries may abuse |
| process_baseline_age | Time window to determine process novelty (e.g., 30 days) |
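The Windows analytic above, as an added worked example (not part of the original page): each process-creation record is checked against the trusted-directory list, an expected-parent baseline and known-good hashes, and any mismatch is reported. The field names, the expected-parent map, the hash values and the sample events are all constructed for illustration; a real 4688 record carries no hash, so the `Hash` field assumes a join with Sysmon data.

```python
"""Flag trusted Windows binary names whose path, parent or hash is off-baseline."""
from pathlib import PureWindowsPath

# trusted_directory_list from the analytic (constructed values, lower-cased).
TRUSTED_DIRECTORY_LIST = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Expected parent process per trusted name (constructed baseline, not exhaustive).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}
# Known-good hashes per trusted name (constructed placeholder values).
BASELINE_HASHES = {"svchost.exe": {"sha256:CONSTRUCTED_SVCHOST_BASELINE"}}

def check_event(event):
    """Return the reasons a 4688-style record is suspicious ([] means clean)."""
    image = PureWindowsPath(event["NewProcessName"])
    name = image.name.lower()
    parent = PureWindowsPath(event["ParentProcessName"]).name.lower()
    reasons = []
    if name not in EXPECTED_PARENTS:
        return reasons  # Only trusted names are in scope for this analytic.
    if str(image.parent).lower() not in TRUSTED_DIRECTORY_LIST:
        reasons.append(f"{name} executed from untrusted path {image.parent}")
    if parent not in EXPECTED_PARENTS[name]:
        reasons.append(f"{name} spawned by unexpected parent {parent}")
    known = BASELINE_HASHES.get(name)
    if known and event.get("Hash") not in known:
        reasons.append(f"{name} hash not in baseline")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that trips at least one check."""
    return [(i, r) for i, e in enumerate(events) if (r := check_event(e))]

# Constructed sample records: one legitimate, one masquerading, one odd parent.
EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "Hash": "sha256:CONSTRUCTED_SVCHOST_BASELINE"},
    {"NewProcessName": r"C:\Users\Public\svchost.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "Hash": "sha256:CONSTRUCTED_UNKNOWN"},
    {"NewProcessName": r"C:\Windows\System32\lsass.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for index, reasons in scan(EVENTS):
        print(index, reasons)
```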
Detects renamed binaries or scripts placed into trusted paths like /usr/bin or /lib with mismatched metadata or unexpected creation/modification times.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Access (DC0055) | auditd:SYSCALL | open |
| Process Modification (DC0020) | auditd:SYSCALL | rename |
| File Metadata (DC0059) | linux:osquery | Filesystem modifications to trusted paths |

| Field | Description |
|---|---|
| monitored_paths | Set of system or application directories considered sensitive or trusted |
| hash_validation_window | Timeframe during which a newly created file should have its hash validated (e.g., within 5 minutes of write) |
Detects binaries or launch daemons in /System/Library or /Applications with mismatched bundle names, unexpected metadata, or improper installation origin.

| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | macos:unifiedlog | log collect from launchd and process start |
| File Metadata (DC0059) | fs:fsusage | filesystem monitoring of exec/open |

| Field | Description |
|---|---|
| expected_bundle_names | List of known application names and paths to validate against |
| signed_by_apple_check | Toggle to enforce checks for Apple-signed binaries in trusted directories |
Detects malicious containers or pods using names, labels, or namespaces that mimic legitimate workloads; also checks for image layer mismatches and unauthorized resource deployments.

| Data Component | Name | Channel |
|---|---|---|
| Image Metadata (DC0028) | kubernetes:apiserver | Resource creation and update logs |
| Process Metadata (DC0034) | containerd:events | Docker or containerd image pulls and process executions |

| Field | Description |
|---|---|
| trusted_namespace_list | List of namespaces that should not be used by unprivileged users or workloads |
| image_baseline_hashes | Reference hashes of approved container images |
Detects VIBs, scripts, or binaries placed into directories like /bin or /etc/vmware with names mimicking standard ESXi components. Also monitors unauthorized creation of services.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | esxi:vmkernel | Exec |
| Module Load (DC0016) | esxi:vmkernel | module load |
| Service Metadata (DC0041) | esxi:hostd | Service events |
| Scheduled Job Creation (DC0001) | esxi:hostd | task creation events |

| Field | Description |
|---|---|
| esxi_baseline_file_list | Known good binaries and their expected paths |
| service_creation_alert_threshold | Threshold for unknown service names or mismatched digital signatures |