Agent Detection Schema
DetectionCategory
The Detection Category is a high-level taxonomy of detections based on the subsystem they belong to.
| Name | Number | Description |
|---|---|---|
| CATEGORY_UNSPECIFIED | 0 | |
| GENERIC | 1 | |
| PROCESS | 2 | |
| MEMORY | 3 | |
| KERNEL | 4 | |
| FILESYSTEM | 5 | |
| REGISTRY | 6 | |
| CONTAINER | 7 | |
DetectionType
DetectionType describes the specific detection that was raised on the agent.
| Name | Number | Description |
|---|---|---|
| DETECTION_UNSPECIFIED | 0 | per the protobuf style guide, enums should have an UNSPECIFIED zero value |
| KEY_LOGGER | 1 | a keylogger (see event_name) was detected |
| RANSOMWARE_LIKE_BEHAVIOR | 2 | detected ransomware like behavior (mix of encryption & numerous file ops) |
| EXECUTABLE_ENTROPY | 3 | t1027.002 exe may be packed using upx, etc. acting_process populated. |
| LOCAL_PRIVILEGE_ESCALATION | 4 | LPE detected |
| DNS_TAMPERING | 5 | DNS / DNS Cache tampering detected |
| PROTOCOL_HIJACKING | 6 | Detected exfiltration / c2 over trusted protocol such as DNS |
| EVENTLOG_BYPASS | 7 | Logging was bypassed (or attempted) |
| SETTIME | 8 | System clock time changed - potential time stomp? |
| INTEGRITY_DISABLED | 9 | e.g. SIP disabled on macos |
| NAME_RESOLUTION_TAMPERING | 10 | Link-local hostname redirection or other network tampering detected |
| EXECUTION_OF_MODIFIED_CODE | 20 | an allocated page or file-backed page was modified and executed |
| EXECUTABLE_PAGE_PROTECTION_CHANGE | 21 | a page was made executable or an executable page was made writable |
| SELF_MODIFYING_CODE | 22 | detected self-modifying (rwx) code |
| WRITE_TO_EXECUTABLE_CODE | 23 | detected acting_process writing to a code (text section) page of target_process (maybe same) |
| THREAD_HIJACKING | 24 | target_thread context changed in target_process by acting_process and acting_thread_id |
| RAW_SYSCALL_IN_ALLOCD_EXEC_MEM | 25 | a raw syscall was detected in allocated executable memory (likely an attempt to bypass api hooks, etc.) |
| NON_SYSTEM_APC_DELIVERED | 26 | an apc was delivered to execute in memory not backed by a system dll |
| PROCESS_OPENED_INTRUSIVE | 27 | acting_process opened target_process with rights allowing state / virtual memory modifications |
| PROCESS_OPENED_NON_INTRUSIVE | 28 | acting_process opened target_process with read-only rights |
| PACKET_CAPTURE | 29 | acting_process started capturing packets |
| HIGH_CPU_USAGE | 30 | acting_process steadily reporting high cpu usage |
| UAC_BYPASS | 31 | Process attempted UAC bypass/explorer impersonation |
| PROCESS_GHOSTING | 32 | Process ghosting detected |
| PROCESS_HOLLOWING | 34 | Process hollowing detected |
| EXECUTION_PROXY | 35 | An execution proxy was detected |
| INVALID_CODE_SIGNATURE | 36 | code signature on the acting_process is invalid |
| DEP_DISABLED | 37 | Data Execution Prevention (NX) was disabled |
| OVERWRITE_OF_IMAGE_BACKED_CODE | 40 | file-backed executable memory overwritten, e.g. setting hooks, etc. |
| OVERWRITE_OF_IMAGE_BACKED_RODATA | 41 | file-backed read-only memory overwritten, e.g. setting iat/eat hooks, .pdata, etc. |
| MITIGATION_DISABLED | 42 | a mitigation was disabled |
| LEAKED_WRITABLE_EXECUTABLE_MEMORY | 43 | wx memory was leaked leaving process vulnerable |
| SHELLCODE_SYMBOL_RESOLUTION | 44 | Shellcode attempted to resolve symbols needed for unpacking/decryption/execution |
| AGENT_HOOK_TAMPERING | 45 | An agent hook was tampered with / disabled / bypassed |
| BEACON_ENCRYPTION_OBFUSCATION | 46 | Timer, or encryption, or page protection changes of periodic/polling tasking code detected |
| NAMED_KERNEL_OBJECT_CREATED | 60 | a named kernel object was created (see event_name and kernel_object_type) |
| INVALID_DRIVER_SIGNATURE | 61 | a driver with no or an invalid signature was loaded |
| KNOWN_BAD_DRIVER | 62 | indicates a driver with a known vulnerability (which could be known to be used maliciously) was loaded |
| KERNEL_CALLBACKS_DISABLED | 63 | A rootkit/exploit disabled kernel callbacks (e.g. nt!PspNotifyEnableMask) |
| MASTER_BOOT_RECORD_MODIFIED | 80 | the mbr was modified, check memory for new record |
| VOLUME_BOOT_RECORD_MODIFIED | 81 | the vbr was modified, check memory for new record |
| ATTEMPT_TO_MODIFY_PROTECTED_FILE | 82 | an attempt to modify a protected file |
| ATTEMPT_TO_MODIFY_PROTECTED_REG_OBJ | 100 | an attempt to modify a protected registry key or value |
| HKCU_COM_OBJECT_BYPASS | 101 | A COM object was instantiated from HKCU (current user) instead of HKLM (local machine) |
| CONTAINER_TYPE | 1000 | Suspicious event inside a container detected by linux agent |
KernelContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| kernel_object_type | KernelObjectType | | if present, the type of kernel named object created |
| kernel_object_name | string | kernelObjectName$ | if present, the name of kernel object created |
KernelObjectType
The type of kernel named object.
| Name | Number | Description |
|---|---|---|
| KERNEL_OBJ_UNSPECIFIED | 0 | |
| EVENT | 1 | |
| JOB | 2 | |
| MUTEX | 3 | |
| SECTION | 4 | |
| SEMAPHORE | 5 | |
| WAITABLE_TIMER | 6 | |
ExecutionContext
Details about the state of the processor and memory at the time of the detection.
| Field | Type | Parser Field | Description |
|---|---|---|---|
| acting_thread_id | uint64 | actingThreadId$ | if present, the thread_id of the acting thread |
| target_process_correlation_id | string | targetProcessCorrelationId$ | if present, the 'other' process being acted upon |
| target_thread_id | uint64 | targetThreadId$ | if present, the thread_id of the impacted thread |
| cpu_context | CPUContext | | if present, the cpu context in question (e.g. threadhijacking) |
| target_memory_address | uint64 | targetMemoryAddress$ | if present, the address of the occurrence (e.g. selfmodifyingcodepage, remotecodewrite) |
| symbol | string | symbol$ | if present, the symbol + offset of the target_address |
| memory | bytes | | if present, scannable memory of the event (e.g. selfmodifyingcodepage, remotecodewrite) |
| return_memory_address | ReturnMemoryAddress | | if present, image-backed return location |
| stack_backtrace | string | | if present, the stack backtrace dump |
| execution_offset | uint64 | executionOffset$ | if present, offset address of the executable |
| page_protection | uint32 | pageProtection$ | if present, the protection bits for target_address (r/w/x etc.) |
| access_rights | uint32 | accessRights$ | if present, requested object access rights |
| target_image_path | string | targetImagePath$ | Path of the process binary |
| memory_hash_sha256 | string | memoryHashSha256$ | SHA256 hash of the memory |
CPUContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| architecture | string | architecture$ | |
| registers | Register[] | | the register state where possible |
Register
| Field | Type | Parser Field | Description |
|---|---|---|---|
| name | string | name$ | |
| value | int64 | value$ | |
| file_object_attrs | FileObjectAttrs | | If the address points to a mapped file, the unique id of that file |
| memory | bytes | | If the register value is a valid address, 256 bytes of data at that address |
| file_base | uint64 | fileBase$ | Base address of the file mapping |
| file_path | string | filePath$ | Path of the file from memory |
| symbol | string | symbol$ | If available, the symbol the address points to (function name, public variable symbol etc.) |
| page_protection | uint32 | pageProtection$ | Page protections of the memory page at value |
ReturnMemoryAddress
| Field | Type | Parser Field | Description |
|---|---|---|---|
| memory_address | uint64 | memoryAddress$ | |
| file_object_attrs | FileObjectAttrs | | |
| file_base | uint64 | fileBase$ | |
| file_path | string | filePath$ | |
| symbol | string | symbol$ | |
FileObjectAttrs
| Field | Type | Parser Field | Description |
|---|---|---|---|
| device_id | uint64 | deviceId$ | Present for macOS and Unix |
| inode | uint64 | inode$ | Present for macOS and Unix |
| volume_guid | bytes | | Present for Windows |
| file_guid | bytes | | Present for Windows |
RegistryContext
Registry details for detections involving specific registry objects.
| Field | Type | Parser Field | Description |
|---|---|---|---|
| key | Registry.RegistryKey | | |
| value | Registry.RegistryValue | | |
| event_type | Registry.RegEventType | | |
FileSystemContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| impacted_file | FileInfo | | if present, the impacted file (e.g. overwriteofimagebackedcode, overwriteofimagebackedrodata) |
ContainerContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| mounts | ContainerMountInfo | | Mounts from host to container |
| ports | ContainerPortMapping | | Ports mapped from host to container |
| id | string | id$ | Container ID |
| name | string | name$ | Container name |
| image | string | image$ | Image name |
| image_id | string | imageId$ | Image ID |
| image_repo | string | imageRepo$ | Image repository |
| image_tag | string | imageTag$ | Image tag |
| image_digest | string | imageDigest$ | Image digest |
| command | string | command$ | Command run in the container |
| container_ip | string | containerIp$ | Container IP address |
| privileged | bool | privileged$ | Whether the container is privileged |
| env | string[] | env$ | Environment variables in the container |
| is_pod_sandbox | bool | isPodSandbox$ | Whether the container is in a pod sandbox |
| full_id | string | fullId$ | Full container ID |
| type | ContainerType | type$ | Container type |
| labels | map | labels$ | Labels on the container |
| container_state | ContainerState | containerState$ | State of the container |
| created_time | uint64 | createdTime$ | Time the container was created in nanoseconds since epoch |
| user | string | user$ | User that the container is running as |
| cni_json | string | cniJson$ | Container Network Interface. Not sure what it looks like, possibly exists in k8s pods |
| action | ContainerAction | action$ | Container Action |
ContainerMountInfo
| Field | Type | Parser Field | Description |
|---|---|---|---|
| source | string | source$ | Host path |
| destination | string | destination$ | Mount path inside the container |
| mode | string | mode$ | Mount mode |
| is_read_write | bool | isReadWrite$ | Whether the container can write to the mount |
| propagation | string | propagation$ | Whether to share bind mounts between container and host. Possible values: "private", "shared", or "slave" |
ContainerPortMapping
| Field | Type | Parser Field | Description |
|---|---|---|---|
| host_port | uint32 | hostPort$ | Host port |
| container_port | uint32 | containerPort$ | Container port |
| host_ip_addr | string | hostIpAddr$ | Host IP address |
ContainerType
Container runtime type.
| Name | Number | Description |
|---|---|---|
| CONTAINER_TYPE_UNSPECIFIED | 0 | |
| CONTAINER_TYPE_DOCKER | 1 | |
| CONTAINER_TYPE_LXC | 2 | |
| CONTAINER_TYPE_LIBVIRT_LXC | 3 | |
| CONTAINER_TYPE_MESOS | 4 | |
| CONTAINER_TYPE_RKT | 5 | |
| CONTAINER_TYPE_CUSTOM | 6 | |
| CONTAINER_TYPE_CRI | 7 | |
| CONTAINER_TYPE_CONTAINERD | 8 | |
| CONTAINER_TYPE_CRIO | 9 | |
| CONTAINER_TYPE_BPM | 10 | |
| CONTAINER_TYPE_STATIC | 11 | |
| CONTAINER_TYPE_PODMAN | 12 | |
ContainerState
State of the container.
| Name | Number | Description |
|---|---|---|
| CONTAINER_STATE_STARTED | 1 | |
| CONTAINER_STATE_SUCCESSFUL | 2 | |
| CONTAINER_STATE_FAILED | 3 | |
ContainerAction
Action on the container that triggered the event.
| Name | Number | Description |
|---|---|---|
| CONTAINER_ACTION_UNSPECIFIED | 0 | |
| CONTAINER_ACTION_SEEN | 1 | |
| CONTAINER_ACTION_CREATED | 2 | |
| CONTAINER_ACTION_STARTED | 3 | |
| CONTAINER_ACTION_STOPPED | 4 | |
| CONTAINER_ACTION_DELETED | 5 | |
RedirectionContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| raddr | bytes | | The resolved remote address (bytes) |
| raddr_str | string | raddrStr$ | The resolved remote address (string) |
| ip_version | int32 | ipVersion$ | (4=IPV4 6=IPV6 0=unspecified) |
| hostname | string | hostname$ | The randomized hostname that was queried |