Detections Reference

Lacework leverages several detections to swiftly identify security incidents, enabling you to mitigate risks and protect sensitive data. These detections are generated by security tools and systems that monitor network traffic, system logs, user behavior, and other data sources to identify signs of cyber threats and attacks.

The table below lists common detection names and descriptions that you may see when navigating the Events tab:

Detection Name	Description	What It Means
linux_command_and_control_ git_clone_suspicious_repository	Git clone suspicious repository	Lacework has detected a suspicious clone of your GitHub repositories, possibly indicating an attacker's attempt to download the tooling they need. False Positive The clone can be legitimately conducted by an authorized user.
linux_credentials_access_ using_grep_or_find	Find or grep command looking for credentials	Lacework has detected attempts to find credentials on the local file system, which may indicate an actor trying to discover sensitive information. False Positive Legitimate searches for credentials made by administrators or developers.
linux_defense_evasion_base64_ encoded_shebang_in_shell	Possible obfuscated script detected (base64 encoded shebangs)	Lacework has detected attempts to find credentials on the local file system, which may indicate an actor trying to discover sensitive information. False Positive Legitimate searches for credentials made by administrators or developers.
linux_defense_evasion_ clear_linux_logs	Attempts to clear linux logs detected	Lacework has detected attempts to clear logs on the system. Such actions are often carried out by adversaries to conceal evidence of an intrusion. False Positive Legitimate administrative activities.
linux_defense_evasion_clear_syslog	Commands to clear or remove the Syslog	Lacework has detected specific commands commonly employed by attackers to remove or empty the system log, a method frequently used to conceal their tracks. False Positive A legitimate log rotation.
linux_defense_evasion_deobfuscate_ base64_using_perl	Possible obfuscated script detected (perl decoding of base64)	Lacework has detected the utilization of Perl commands involving the MIME::Base64 and decode_base64 functions to decode files or information. This activity may indicate an attempt to deobfuscate or reveal hidden information. False Positive The legitimate use of Perl and the MIME::Base64 library is common among developers and system administrators.
linux_defense_evasion_deobfuscate_ base64_using_python	Possible obfuscated script detected (python decoding of base64)	Lacework has detected the use of Python by an attacker to deobfuscate base64-encoded information. This activity may indicate an attempt to decode malicious files or information. False Positive Python and the b64decode function are commonly utilized for legitimate, non-malicious tasks.
linux_defense_evasion_encode_ base64_using_perl	Possible obfuscated script detected (perl encoding of base64)	Lacework has detected the utilization of Perl commands involving the MIME::Base64 and encode_base64 functions to encode files or information. This activity may indicate an attempt to obfuscate or conceal information. False Positive The legitimate use of Perl and the MIME::Base64 library is common among developers and system administrators.
linux_defense_evasion_encode_ base64_using_python	Possible obfuscated script detected (python encoding of base64)	Lacework has detected an attacker using base64 encoding in conjunction with Python. This activity may suggest an attempt to conceal or obfuscate malicious files or information. False Positive Python and the b64encode function are commonly utilized for legitimate, non-malicious purposes.
linux_defense_evasion_pipe_to_shell	Possible defense evasion by piping commands to shell observed	Lacework has detected a suspicious process command line that begins with a shell, executes something, and ultimately gets piped into another shell. False Positive This pattern is used by legitimate software.
linux_defense_evasion_shell-based_ decoding_files_or_information	Possible obfuscated script detected (bash decoding using base64)	Lacework has detected the use of shell commands to decode files or information using the `base64` command. This activity may indicate an attempt to deobfuscate or reveal hidden information. False Positive Base64 decoding is commonly used legitimately by developers or system administrators.
linux_defense_evasion_shell-based_ hex_decoding_files_or_information	Possible obfuscated script detected (bash decoding using `xxd`)	Lacework has detected the use of shell commands to decode files or information using the `xxd` command. This activity may indicate an attempt to deobfuscate or reveal hidden information. False Positive Developers or system administrators commonly use the `xxd` command for legitimate purposes such as Hex decoding.
linux_discovery_apt_gtfobin_abuse	Possible use of apt or apt-get as a GTFOBin	Lacework has detected the usage of `apt` and `apt-get` as a GTFOBin technique to execute and proxy command and binary execution.
linux_discovery_capabilities_discovery	Possible use of getcap binary for recon	Lacework has detected the usage of the `getcap` command. This is often employed during reconnaissance activities to identify potential binaries that can be exploited as GTFOBins or for other malicious purposes.
linux_discovery_common_scanners	Use of network scanners detected	Lacework has detected the usage of common network scanners, including nmap and masscan . False Positive System admins commonly use scanner tools as part of their routine work.
linux_discovery_local_system_ accounts_discovery	Enumeration of local system accounts detected	Lacework has detected the enumeration of local system accounts. This information can assist adversaries in determining the existence of local accounts on a system, aiding them in subsequent activities. False Positive Legitimate administrative activities.
linux_discovery_potential_discovery_ activity_using_find	Potential discovery activity using find detected	Lacework has detected the usage of the `find` command in a suspicious manner, possibly for performing discovery activities.
linux_discovery_remote_ system_discovery	Remote system discovery using Ping or ARP observed	Lacework has detected the enumeration of remote systems. It's a process of actively gathering information about the various systems connected to a network from a remote location. False Positive Legitimate administrative activities.
linux_discovery_security_ software_discovery	Possible security software discovery detected	Lacework has detected the usage of system utilities, specifically `grep` and `egrep`, for security software discovery. These commands are commonly used for various tasks, such as log analysis, file content filtering, and searching for specific information in text files. False Positive Legitimate activities.
linux_discovery_system_ network_discovery	Enumeration of local network configuration observed	Lacework has detected the enumeration of the local network configuration, which includes the discovery of firewall settings, IP addresses, and routing information. As with any discovery, this activity can assist attackers in gaining a better understanding of the target network. False Positive Legitimate administrative activities.
linux_execution_exploit_ cve-2021-26084	Command line indicators of CVE-2021-26084 exploits	Lacework has detected endpoints or URL paths that are vulnerable to CVE-2021-26084, identified from command-line artifacts. False Positive Legitimate interaction with the endpoints.
linux_execution_kubectl_chmod	Possible privilege escalation via `kubectl chmod`	Lacework has detected instances where an attacker attempts to change the permissions of a script or binary in a Kubernetes pod using the `kubectl chmod` command. This activity may indicate a malicous attempt to gain unauthorized access or escalate privileges. False Positive The `kubectl chmod` command is legitimately used by system administrators or developers for routine tasks.
linux_execution_kubectl_cp	Possible copying of malicious scripts or tools via `kubectl cp`	Lacework has detected instances where files or scripts are copied into a Kubernetes pod using the `kubectl cp` command. This activity may indicate an actor attempting to copy malicious scripts or tools into a pod. False Positive The `kubectl cp` command is legitimately used by system administrators or developers for routine tasks.
linux_impact_crypto_mining_indicators	Command line indicators of cryptomining observed	Lacework has detected command-line parameters or strings commonly associated with crypto miners. False Positive The legitimate use of crypto miners.
linux_impact_crypto_mining_ indicators_syscall	Command line indicators of cryptomining observed	Lacework has detected command-line parameters or strings commonly associated with crypto miners. This may indicate the presence of crypto mining activities. False Positive The legitimate use of crypto miners.
linux_impact_user_deleted_via_userdel	User has been deleted via `userdel`	Lacework has detected the execution of the `userdel` command, a utility used to delete a user account and related files. This tool is sometimes abused by threat actors to cover their tracks. False Positive Legitimate administrator activities.
linux_privilege_escalation_container_ escape_check_docker_sock	Possible testing for container escape methods via docker.sock	The Docker socket, typically located at `/var/run/docker.sock`, is a Unix socket that allows communication between the Docker daemon and the Docker CLI or other Docker API clients. When a container has access to this socket, it effectively has the same privileges as the Docker daemon, which usually runs with root privileges on the host system. As a result, exploiting this Docker-in-Docker situation is a common attack vector for container escape. Before initiating this vector, an attacker must verify if the socket is exposed within a container and this detection is aimed at identifying such behavior. False Positive Red team activities (a set of cybersecurity exercises to simulate real-world cyberattacks) CI/CD-related or container orchestration tools
linux_privilege_escalation_container_ escape_check_linux_capabilities	Possible testing for container escape methods via permissive linux capabilities	Certain container escape exploits exploit excessively permissive Linux capabilities granted to a container. For instance: CAP_SYS_ADMIN enables an attacker to mount the RDMA cgroup controller; and CAP_SYS_MODULE allows them to install an arbitrary kernel module These capabilities aid in escaping to the host. To plan a specific attack, the attacker must first assess the capabilities assigned to the current process. This detection is designed to identify such behavior. False Positive Performing an audit of process capabilities is essential for security and compliance purposes.
linux_privilege_escalation_container_ escape_create_privileged_container	Possible testing for container escape methods via permissive linux	Attackers frequently exploit a mounted Docker socket inside a container. Once they confirm the presence of the mounted Docker socket, attackers typically create a privileged container using a Linux image such as Ubuntu, Alpine Linux, or BusyBox. With root access in the container and default access to the host's `/dev` directory, they can mount the host's root device files (for example, `/dev/xvda1`). This enables them to escape to the host and gain read and write access to any file in the host file system. For instance, attackers can manipulate the host's `/etc/passwd` file or interfere with cron jobs. False Positive Red team activities (a set of cybersecurity exercises to simulate real-world cyberattacks) Administrative tasks
linux_privilege_escalation_container_ escape_download_exploit_tools	Use of known container privilege escalation and exploit tools	Once inside a container, attackers aim to identify vulnerabilities using pre-built privilege escalation or container escape tools such as Linpeas, Deepce, CDK (container breakout development kit), LinEnum, and BotB (box of tricks). This detection can help identify the download of these tools. False Positive Red team activities (a set of cybersecurity exercises to simulate real-world cyberattacks)
linux_privilege_escalation_ container_escape_write_overlay_path	Write of container overlay path to host system files observed	Attackers exploit the Linux kernel's ability to run user-supplied programs in response to system events, using read/write access to the host's `/proc` or `/sys` file system to modify a special callback file (`/proc/sys/kernel/core_pattern`). Triggering a system event, such as a segmentation fault, allows the malicious program to run in the host context, facilitating container escape. The attack flow consists of the following steps: Retrieve overlay path from /etc/mtab, providing host process data on container-related locations. Set payloadPath = $overlay/payload, where payload is the malicious program for execution. Mount /special/fs to modify the special callback file. echo $payloadPath > /special/fs/callback. This detection aims to identify the 4th step of the above flow. False Positive Red team activities (a set of cybersecurity exercises to simulate real-world cyberattacks)
linux_privilege_escalation_user_ added_to_root_sudoers_ group_using_usermod	User added to root/sudoers group using usermod	Lacework has detected the usage of the `usermod` command to add users to the root or sudoers groups. False Positive Legitimate administrator activities.