Operational Security
Detects operational security risks: untrusted package repositories, rogue CA certificates, network reconnaissance, log tampering, unauthorized persistence mechanisms, SSH tunneling, database CLI abuse, and untrusted Ansible Galaxy roles.
127 rules in operational_security.yml
CRITICAL: 40 | HIGH: 69 | MEDIUM: 14 | LOW: 4
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| arp_ | CRITICAL | ARP Spoofing / Cache Poisoning | Uses ARP spoofing tools to intercept network traffic on the local network | |
| audit_ | CRITICAL | Audit System Tampering | Stops or modifies the Linux audit system (auditd) to hide activity | |
| aws_ | CRITICAL | AWS Backup Vault Lock Removed Or Vault Deleted (Ransomware Pre-Stage) | A task calls aws backup delete-backup-vault, delete-backup-vault-lock-configuration, or sets community.aws.backup_vault with state: absent / removes backup_vault_lock. AWS Backup Vault Lock (GA 2022) is the WORM equivalent for AWS Backup recovery points - once locked in COMPLIANCE mode, backups cannot be deleted even by the root account until retention expires. Pre-attack, ransomware affiliates disable or delete the vault to ensure post-encrypt recovery is impossible. 2024 Mandiant M-Trends lists this as a Top-5 cloud-ransomware pre-stage action. | |
| aws_ | CRITICAL | AWS CloudTrail Event-Selector Set To WriteOnly Or Trail Deleted / Logging Stopped | A task runs aws cloudtrail delete-trail, aws cloudtrail stop-logging, aws cloudtrail put-event-selectors with ReadWriteType: WriteOnly, or the equivalent amazon.aws.cloudtrail / community.aws.cloudtrail module calls. Deleting / stopping a trail is the single most common MITRE T1562.008 action in every AWS breach post-mortem (Capital One 2019, SolarWinds-AWS pivot 2020, Uber 2022, CircleCI 2023). ReadWriteType: WriteOnly is the subtler variant: it preserves the trail (so audit checklists pass) but hides all Describe*/List*/Get* recon activity from forensics, which is specifically what ransomware affiliates enable before lateral-movement. | |
| aws_ | CRITICAL | AWS Credentials File Created | Writes directly to ~/.aws/credentials or AWS config files, persisting long-lived keys | |
| aws_ | CRITICAL | AWS GuardDuty / Security Hub / Config Disabled Or Detector Deleted | A task runs aws guardduty delete-detector, aws guardduty disassociate-from-master-account, aws securityhub disable-security-hub, aws config stop-configuration-recorder, or aws config delete-configuration-recorder. Each of these disables a primary AWS detective control: GuardDuty (ML-based threat detection on VPC Flow / DNS / CloudTrail), Security Hub (aggregated findings from GuardDuty + Inspector + Macie + 3rd party), or AWS Config (resource-configuration history + compliance rules). Disabling any one is a MITRE T1562.001/T1562.008 action and a CIS AWS Benchmark 3.x finding. | |
| aws_ | CRITICAL | AWS Organizations SCP Detached Or Deleted (Org-Wide Guardrail Removed) | A task runs aws organizations detach-policy --policy-id <scp> (detaches SCP from OU/account) or aws organizations delete-policy --policy-id <scp> (removes the policy entirely). Service Control Policies are the org-wide always-on guardrails (block root usage, deny CloudTrail-disable, deny region-usage outside approved list). Removing one drops the entire set of protections for every account below that OU simultaneously. Every 2024 enterprise-level AWS ransomware / crypto-mining incident with lateral movement between accounts (Mandiant M-Trends 2025) involves SCP detachment as a pre-attack step. | |
| aws_ | CRITICAL | AWS S3 Object Lock Disabled Or WORM/Retention Removed (Ransomware Pre-Stage) | A task calls aws s3api put-object-lock-configuration with ObjectLockEnabled=Disabled, put-bucket-versioning with Status=Suspended on a bucket that had Object Lock, or removes DefaultRetention. Object Lock is the WORM/immutable-backup primitive that defeats the ransomware-encrypt-and-overwrite playbook. Every 2024 major ransomware intrusion (LockBit, Akira, Black Basta affiliates) includes an S3 Object-Lock-disable step when the victim is cloud-native, because without it the attacker can overwrite all backup objects. | |
| azure_ | CRITICAL | Azure Defender For Cloud Downgraded To Free Or Sentinel Data-Connector Removed | A task runs az security pricing create --tier Free / Set-AzSecurityPricing -PricingTier Free (disables Defender Plans) OR removes a Sentinel data-connector via az sentinel data-connector delete / Remove-AzSentinelDataConnector. Downgrading Defender to Free disables server-threat-detection, SQL-threat-detection, storage-threat-detection, and Azure Arc monitoring across the subscription. Removing Sentinel data-connectors blinds the SIEM - both are the Azure equivalent of the CloudTrail/GuardDuty disablement pattern and appear in 2024 Microsoft Incident Response reports for 100% of cloud-ransomware intrusions. | |
| backup_ | CRITICAL | Backup Repository Immutability / Object-Lock Disabled (Veeam / Commvault / Rubrik / Cohesity) | A task renders a backup-repository config with immutability disabled: Veeam SOBR / Repository makeRecentBackupsImmutableDays: 0 / immutabilityEnabled: false, Commvault Lock-enabled: false on a WORM cloud library, Rubrik retention_lock_enabled: false, Cohesity dataLockConfig.lockDurationUsecs: 0, or aws s3 put-object-lock-configuration with Status: Disabled on a backup bucket. Ransomware operators’ 2023-2025 playbook (LockBit, ALPHV/BlackCat, Akira, Black Basta) specifically targets backup infrastructure FIRST - Mandiant M-Trends 2025 found 78% of ransomware victims had backups compromised before encryption. Immutability (WORM / Object Lock in Compliance mode) is the only backup defense that cannot be disabled even by a domain-admin-equivalent actor within the retention window. Veeam v12+ enforces immutability by default; explicitly disabling it is a deliberate downgrade. | |
| cdk_ | CRITICAL | CDK Container Penetration Toolkit | Runs CDK (cdk-team/CDK), a container exploitation toolkit for enumeration and escape | |
| cgroup_ | CRITICAL | Cgroup Escape Technique | Manipulates cgroups to escape container resource limits or execute code on the host | |
| crypto_ | CRITICAL | Cryptocurrency Miner Detected | Installs or executes cryptocurrency mining software, abusing compute resources | |
| crypto_ | CRITICAL | Cryptocurrency Mining Pool Connection | Connects to a known mining pool, a strong indicator of unauthorized crypto mining | |
| deepce_ | CRITICAL | DEEPCE Container Escape Tool | deepce.sh - a Docker enumeration and container-escape script - is being executed (bash deepce.sh or ./deepce.sh). Legitimate ops do not run container-escape utilities in production. | |
| docker_ | CRITICAL | Docker Socket Mounted Into Container (Host Escape Primitive) | A task mounts the host’s Docker socket (/var/run/docker.sock) INTO a container via -v, --mount, Kubernetes hostPath, or an Ansible volumes:/mounts: field. A container with access to the host Docker socket can docker run --privileged -v /:/host ... chroot /host to become root on the host - it’s the canonical container-escape primitive. This rule fires ONLY on mount / bind contexts; dockerd -H unix:///var/run/docker.sock ... (the daemon’s OWN listen-socket config) is a different class of issue (covered by docker_api_exposed_plaintext) and is NOT a container-escape vector. | |
| esxi_ | CRITICAL | VMware ESXi Shell / SSH Enabled Via vim-cmd (Ransomware Lateral-Movement TTP) | A task runs vim-cmd hostsvc/enable_ssh, vim-cmd hostsvc/enable_esx_shell, esxcli system settings advanced set -o /UserVars/SuppressShellWarning, or equivalent. 2024’s most-exploited data-center lateral-movement TTP: ESXi hypervisors with SSH/Shell enabled let ransomware operators (Akira, Black Basta, Play, ALPHV/BlackCat, LockBit) deploy encryptors directly to the hypervisor, encrypting hundreds of guest VMs at once while bypassing every endpoint-EDR on the guests. Default on ESXi is SSH/Shell = disabled; this is a deliberate unhardening. | |
| firewall_ | CRITICAL | Host Firewall Disabled | Disables or flushes iptables/nftables/firewalld rules on the host | |
| grub_ | CRITICAL | GRUB Bootloader Modification | Modifies GRUB bootloader configuration, which can be used for rootkit persistence or boot-time attacks | |
| history_ | CRITICAL | Shell History Tampering | Clears or disables shell command history to hide executed commands | |
| initramfs_ | CRITICAL | Initramfs/Initrd Modification | Modifies the initial ramdisk, which executes before the main OS, enabling pre-boot persistence | |
| ipmi_ | CRITICAL | IPMI/BMC Out-of-Band Management Access | Accesses the server IPMI/BMC interface, which has full hardware control including power, console, and firmware | |
| iptables_ | CRITICAL | Network Traffic Redirection via iptables NAT | Configures iptables NAT rules to redirect network traffic, enabling MITM attacks | |
| iptables_ | CRITICAL | iptables -F Or nft flush ruleset Followed By ACCEPT-Any / Default-ACCEPT Policy | A playbook flushes the host firewall (iptables -F, iptables -X, iptables -Z, ip6tables -F, or nftables nft flush ruleset) AND either sets a default-ACCEPT policy (iptables -P INPUT ACCEPT, iptables -P FORWARD ACCEPT) OR immediately installs a 0.0.0.0/0 ACCEPT rule. This is the canonical T1562.004 firewall-evasion pattern used by Kinsing, TeamTNT, SysJoker, and the 2024 Perfctl cryptominer campaigns to expose a previously-isolated host to inbound attacker traffic. Legitimate firewall-rule-reset scripts always re-apply a baseline policy in the same playbook - detecting the flush without a baseline rebuild is high-signal. | |
| kernel_ | CRITICAL | Kernel Module Loading | Loads kernel modules, which could install rootkits or keyloggers | |
| ld_ | CRITICAL | LD_PRELOAD Library Injection | Sets LD_PRELOAD to inject a shared library into processes, hijacking function calls | |
| log_ | CRITICAL | Log File Deletion or Truncation | Deletes, truncates, or overwrites system log files to cover tracks | |
| macos_ | CRITICAL | macOS System Integrity Protection (SIP) Disabled Via csrutil | A task runs csrutil disable (or writes an NVRAM csr-active-config value with SIP flags cleared) on a macOS host. SIP is Apple’s rootless/system-volume-protection layer - disabling it is the documented pre-requisite for every macOS kernel-extension rootkit (XCSSET, Shlayer, LightSpy, the 2024 BlueNoroff RustDoor variant) because it removes the com.apple.rootless entitlement enforcement that prevents modification of /System, /usr, /sbin, /var/db, signed kexts, and the SIP-protected portion of /Library. csrutil disable requires booting into recoveryOS; automating it via Ansible across a fleet is always a red-team or threat-actor pattern - no legitimate MDM posture requires it. | |
| nsenter_ | CRITICAL | nsenter Container Escape | Uses nsenter to enter host namespaces from a container, enabling full host access | |
| package_ | CRITICAL | Package GPG Verification Disabled | Disables GPG signature verification for package installs, allowing unsigned/tampered packages | |
| pam_ | CRITICAL | PAM Module Manipulation | Modifies PAM authentication modules, potentially installing backdoor authentication | |
| print_ | CRITICAL | Print Spooler Service Enabled/Running On Domain Controller (PrintNightmare Pivot) | A task starts/enables the Spooler service on a host tagged as a Domain Controller (role hints: ActiveDirectory, AD-Domain-Services, DomainController, dc01, NTDS). The Print Spooler service on a DC is the exact vector for PrintNightmare (CVE-2021-34527) and its 2023-2024 bypasses (CVE-2023-21678, CVE-2024-20683) which give unauthenticated domain-admin-equivalent via a standard user session. Microsoft’s own hardening guidance AND CIS L1 for Windows DCs require Print Spooler to be DISABLED on DCs unconditionally - there is no print-serving role on a DC. | |
| proc_ | CRITICAL | SysRq Trigger Access | Accesses /proc/sysrq-trigger, which can crash or reboot the host from a container | |
| process_ | CRITICAL | Process Memory Access | Accesses process memory or uses debugging tools to extract credentials or inject code | |
| rabbitmq_ | CRITICAL | RabbitMQ Default guest/guest User Enabled For Remote Connections | A task renders rabbitmq.conf / advanced.config with loopback_users = none, loopback_users.guest = false, or explicitly preserves the guest user with its default password (guest) while ALSO enabling remote listeners. RabbitMQ ships with a guest user (password guest) restricted to loopback-only; removing the loopback restriction with the default password is direct unauthenticated admin access to the broker (read/write every queue, install plugins, shell out via the rabbitmq_management HTTP API, access backing Mnesia DB). The 2024 CloudPassage survey found this exact config in 12% of exposed RabbitMQ instances on Shodan. | |
| rogue_ | CRITICAL | CA Certificate Installation | Installs a CA certificate into the system trust store, enabling MITM attacks on TLS | |
| rsyslog_ | CRITICAL | rsyslog / systemd-journald Stopped Or Masked (Log Destruction) | A task stops, disables, or systemctl masks rsyslog, syslog-ng, systemd-journald, or auditd, or sets Storage=none in /etc/systemd/journald.conf. Masking the logging subsystem is the canonical post-exploit anti-forensic move (MITRE T1562.001) - used by every modern Linux ransomware / miner / APT to blind incident-response before the destructive-action stage. There is no legitimate configuration-management reason to mask these services. | |
| smbv1_ | CRITICAL | SMBv1 Protocol Re-Enabled Via DISM / PowerShell (EternalBlue Attack Surface) | A task runs Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol (or -FeatureName SMB1Protocol-Client/-Server), dism.exe /online /Enable-Feature /FeatureName:SMB1Protocol, Set-SmbServerConfiguration -EnableSMB1Protocol $true, or the registry path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1=1. SMBv1 is the protocol exploited by EternalBlue / WannaCry / NotPetya (2017) and remains actively exploited by the 2024 Akira ransomware affiliate for east-west lateral movement on under-patched fleets. Microsoft removed SMB1 from default installs in Windows 10 1709+ / Server 2019+ - re-enabling it is unambiguously a regression with no legitimate modern use-case except legacy scanner/copier appliances (which themselves should be isolated). | |
| sys_ | CRITICAL | SYS_PTRACE Capability Abuse | Adds SYS_PTRACE capability to a container or checks capabilities, enabling process injection for escape | |
| winrm_ | CRITICAL | WinRM Service AllowUnencrypted=true (Credential Exposure Over HTTP) | A task runs winrm set winrm/config/service @{AllowUnencrypted="true"}, Set-Item WSMan:\localhost\Service\AllowUnencrypted $true, or writes registry HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service\auth* with AllowUnencrypted=1. This lets WinRM accept unauthenticated HTTP (port 5985) traffic without TLS, exposing NTLM hashes, credentials, and session keys to any on-path attacker. The existing winrm_unencrypted_transport rule catches the Ansible side (ansible_winrm_transport: basic + HTTP) - this one catches the SERVER-side WinRM config that permits such clients. The 2024 Volt Typhoon kill-chain explicitly enables AllowUnencrypted on compromised edge devices before harvesting creds via WinRM. | |
| aide_ | HIGH | AIDE File-Integrity Database Disabled, Removed, or Not Initialised | A task stops/disables/masks the aidecheck.timer or aide.service, removes /var/lib/aide/aide.db.gz, or calls aide --update without a subsequent --check. AIDE (Advanced Intrusion Detection Environment) is the standard file-integrity baseline on RHEL-family and Debian-family hosts; disabling it or wiping the baseline is how post-exploitation playbooks hide filesystem changes (new SUID binaries, modified /etc/passwd, planted cronjobs) from the next audit. | |
| aide_ | HIGH | File-Integrity Baseline Destroyed - AIDE / Tripwire / Samhain DB Removed Or Reinitialised Without Archive | A task removes /var/lib/aide/aide.db*, /var/lib/tripwire/*.twd, /var/lib/samhain/samhain_file, or runs aide --init / tripwire --init / samhain -t init WITHOUT first copying the previous DB to an out-of-band archive. The file-integrity baseline IS the after-the-fact forensic evidence of what changed on disk since the last scan; destroying it (or reinitialising without preserving the prior baseline) creates an anti-forensic gap that is the hallmark of post-exploit cleanup, especially in ransomware playbooks and in Mustang Panda / Volt Typhoon Linux intrusions (2024). | |
| amicontained_ | HIGH | Amicontained Container Introspection | Runs amicontained to enumerate container runtime, capabilities, and escape paths | |
| anacron_ | HIGH | Anacron Persistence | Writes to anacrontab or the anacron spool to schedule persistent command execution | |
| at_ | HIGH | at/batch Job for Delayed Execution | Schedules commands for later execution using at/batch, which can evade real-time detection | |
| at_ | HIGH | Scheduled Execution via at/batch | Schedules deferred command execution, potentially hiding malicious activity | |
| aws_ | HIGH | AWS CloudTrail Event Selector Filters Out Write Events (Blind Trail) | A task creates/updates a CloudTrail with ReadWriteType: ReadOnly (or IncludeManagementEvents: false, or an advanced-event-selector block that explicitly excludes readOnly=false events). The resulting trail logs only metadata-read API calls and is completely blind to CreateUser, AttachRolePolicy, PutBucketPolicy, DeleteTrail, StopLogging - i.e. every privilege-change and tamper action an attacker cares about. The existing aws_cloudtrail_writeonly_or_trail_deleted rule catches the trail-deletion and writeonly-flipped cases; this one catches the filter-to-readonly variant used when attackers want the trail to appear ‘still on’ to compliance dashboards while hiding their mutations. | |
| aws_ | HIGH | AWS CloudTrail with Log File Validation Disabled (enable_log_file_validation: false) | An amazon.aws.cloudtrail / community.aws.cloudtrail task creates/updates a trail with enable_log_file_validation: false (or omits it - the AWS default is false). Without log-file validation, an attacker who gains s3:PutObject + s3:DeleteObject on the trail bucket (via role compromise or a misconfigured bucket policy) can silently modify or delete individual CloudTrail log files to cover their tracks, and downstream consumers have no way to detect the tampering. CIS AWS Benchmark 3.2 explicitly requires validation enabled. | |
| aws_ | HIGH | AWS EKS Cluster Created Without Control-Plane Logging (api/audit/authenticator) | A community.aws.eks_cluster task creates an EKS cluster without logging: {cluster_logging: [{types: ['api','audit','authenticator','controllerManager','scheduler'], enabled: true}]} (or omits the logging: block entirely - the AWS default for all five log types is DISABLED). Without the audit stream, there is no way to reconstruct kubectl requests to the API server - so detecting credential compromise, privilege escalation via RBAC, or exec/attach into pods is impossible. Incident-response runbooks for the 2023 tj-actions/changed-files compromise and the 2024 UNC5221 EKS campaign both explicitly depended on the audit log. | |
| aws_ | HIGH | IAM User Programmatic Access Key Created Via Playbook (Long-Lived Credential Anti-Pattern) | A task uses community.aws.iam_access_key / amazon.aws.iam_access_key_info / aws iam create-access-key to create or rotate a PROGRAMMATIC access key on an IAM user (not a role). Programmatic keys are long-lived, shareable, and the #1 source of leaked AWS credentials (Trufflehog scans of GitHub alone find >100k/year). Modern AWS best-practice (as of 2023-2024) is explicit: use IAM Identity Center + OIDC federation + IAM Roles for ALL programmatic access; human users should NEVER have access keys. The rule is tuned to catch the Ansible pattern: using a playbook to mint an AKIA... key that then gets embedded in a CI config or another playbook. | |
| azure_ | HIGH | Azure Defender / Microsoft Defender For Cloud Plan Downgraded To Free Tier | A task runs az security pricing create --name <VirtualMachines\|SqlServers\|KeyVaults\|StorageAccounts\|Containers\|AppServices\|Arm\|Dns> --tier Free OR Set-AzSecurityPricing -Name <plan> -PricingTier Free, OR the azurerm_security_center_subscription_pricing resource sets tier = "Free". The Free tier retains only the AppSec posture overview - it DISABLES all threat detections (malicious-IP flag, suspicious-RDP-brute-force alerts, impossible-travel, JIT-VM-access, file-integrity-monitoring, adaptive-app-control). Budget-constrained orgs sometimes flip this, but in compromise scenarios it is the canonical step to blind Microsoft’s threat-intel before privilege escalation. Defender Plans are the Azure-native EDR; removing them is the Azure equivalent of Disable-WindowsDefender. | |
| azure_ | HIGH | Azure Diagnostic Setting Deleted Or Resource Never Attached To Log-Analytics | A task deletes Microsoft.Insights/diagnosticSettings via az monitor diagnostic-settings delete, Remove-AzDiagnosticSetting, or azurerm_monitor_diagnostic_setting with state: absent on a KeyVault, Storage Account, Azure AD, or network resource. Azure resources do NOT log to Log Analytics by default - the diagnostic-setting is the explicit opt-in. Removing one silences all subsequent audit events for that resource without any visible resource state change. 2024 Storm-0501 / Midnight Blizzard intrusion reports specifically call out Remove-AzDiagnosticSetting on KeyVault as their pre-exfiltration step. Distinct from the existing az_monitor_disable rule which catches az monitor log-profiles delete (subscription-wide) - this catches the per-resource variant that flies under compliance-dashboard radars. | |
| azure_ | HIGH | Azure Management Lock Removed At Subscription Or Resource-Group Scope | A task calls Remove-AzResourceLock, az lock delete, azurerm_management_lock with state: absent, or sets --lock-type None at subscription or resource-group scope. Management Locks (CanNotDelete / ReadOnly) are the Azure equivalent of AWS SCPs for preventing accidental or malicious resource deletion. Removing a subscription-level lock is the Azure pre-stage step in 2024-reported BEC-to-cloud-ransomware chains (Storm-0501 documented by Microsoft). | |
| bsd_ | HIGH | BSD pf.conf Block-All Baseline Removed Or pfctl -F All Issued | A task on a FreeBSD/OpenBSD/macOS-server host runs pfctl -F all, pfctl -d (disable packet filter entirely), or writes a /etc/pf.conf without a block all / block in all baseline. pf’s block-all-then-pass model is what makes pf secure-by-default - removing the block baseline and only having pass rules means every port without a matching pass rule is open. Seen in 2024 macOS-server compromise reports from the Mac Admins community where attackers disabled pf to pivot laterally. | |
| chattr_ | HIGH | chattr Used to Clear Immutable / Append-Only Flag on Security-Critical File | A task invokes chattr -i / chattr -a (or the module-form equivalents ansible.posix.file attributes: '-i') against paths like /etc/passwd, /etc/shadow, /etc/sudoers, /etc/ssh/sshd_config, /var/log/audit/audit.log, or entries under /etc/audit/rules.d/. Administrators set the immutable (i) or append-only (a) attribute specifically so these files cannot be rewritten or truncated - even by root. Clearing those flags is a near-unambiguous prelude to credential theft (editing shadow), privilege escalation (editing sudoers), or log tampering (truncating audit.log). | |
| credential_ | HIGH | Credential Dotfile Created | Creates credential files (.netrc, .pgpass, .my.cnf, .boto) which store plaintext secrets | |
| database_ | HIGH | Database CLI with Inline Credentials | Runs database CLI commands with credentials visible in the command line | |
| dns_ | HIGH | DNS Enumeration Tool | Runs DNS enumeration or subdomain brute-force tools for reconnaissance | |
| dns_ | HIGH | Potential DNS Exfiltration | Uses DNS queries with encoded data, a common data exfiltration technique | |
| dns_ | HIGH | Primary System Resolver Pointed At Public DoH Endpoint (DNS-SIEM Blind-Spot) | A task renders /etc/systemd/resolved.conf, /etc/resolv.conf, /etc/NetworkManager/NetworkManager.conf, Windows Set-DnsClientDohServerAddress, or a browser/enterprise policy that sets the PRIMARY resolver to a public DoH endpoint (1.1.1.1/dns-query, dns.google/dns-query, dns.quad9.net/dns-query, https://doh.opendns.com/dns-query) without the enterprise DNS-resolver in front. DoH encrypts the DNS query end-to-end to the public resolver, which blinds every SIEM / DLP that relied on passive-DNS logs to detect C2, DGA domains, and data-exfil over DNS. In 2024 this was the #1 evasion technique reported by MITRE D3FEND for new intrusions bypassing NDR products. | |
| dns_ | HIGH | DNS Zone Transfer Attempt | Attempts a DNS zone transfer (AXFR/IXFR) to enumerate all DNS records in a domain | |
| dpkg_ | HIGH | APT/dpkg Hook Persistence | Installs APT hooks or dpkg triggers that execute commands during package operations | |
| ebpf_ | HIGH | eBPF Program Loading | Loads eBPF programs, which can intercept syscalls, network traffic, and bypass security controls | |
| esxi_ | HIGH | VMware ESXi ‘ESXi Shell’ (TSM) service enabled or set to start-on-boot | A task enables the ESXi ‘ESXi Shell’ (TSM - Technical Support Mode, DCUI local shell) service or sets its Policy to on (auto-start). ESXi Shell is a root-level BusyBox shell directly on the hypervisor and is the primary post-compromise pivot for 2023-2025 ESXi-targeting ransomware families (ESXiArgs, Akira, BlackBasta, LockBit-ESXi, HelloKitty/Phobos) - they enable TSM, push ransomware binaries (encrypt, vmfsencrypt), stop VMs, and bulk-encrypt .vmdk/.vswp. CIS VMware ESXi 8.0 Benchmark (2024) requires TSM and SSH both set to off by default. Matches community.vmware.vmware_host_service_manager / vmware_host_config_manager with service_name: TSM + state: present/enabled, esxcli system settings advanced set -o /UserVars/SuppressShellWarning, and direct /etc/init.d/tsm start. | |
| esxi_ | HIGH | VMware ESXi remote syslog (vmsyslogd) disabled or no remote destination configured | A task disables the ESXi syslog daemon (vmsyslogd) OR sets Syslog.global.logHost to empty / localhost OR removes the remote log destination - preventing forwarding of hostd, vpxa, vmkernel, shell.log, and auth.log to a central SIEM. This is both a CIS ESXi 8.0 Benchmark 3.1 failure and a standard anti-forensics move in every published ESXi ransomware IR timeline (Mandiant M-Trends 2024, Unit 42 ESXiArgs reports). Without remote syslog, a compromised host’s logs are wiped by the ransomware encryptor seconds before file encryption starts, leaving zero forensic artefacts. | |
| falco_ | HIGH | Falco runtime-security agent stopped, masked, or uninstalled | A task stops, disables, masks, or uninstalls Falco (falco, falco-bpf, falco-modern-bpf, falcoctl) - the canonical runtime-security / behavioural-detection agent for Linux hosts, Kubernetes nodes, and OpenShift. Falco generates the critical Write below etc, Terminal shell in container, Disallowed K8s API call, Read sensitive file untrusted alerts that feed most modern SOC detection pipelines. 2024-2025 ransomware and state-actor IR reports (Mandiant, CrowdStrike Falcon Overwatch) consistently show adversaries disabling Falco as one of the first post-exploitation actions. Also matches deletion of the Falco rules directory and uninstallation of the Falco Helm chart from the falco namespace. | |
| fapolicyd_ | HIGH | RHEL fapolicyd File-Access Policy Daemon Disabled or Set Permissive | A task stops/disables/masks the fapolicyd service, or edits /etc/fapolicyd/fapolicyd.conf to set permissive = 1. fapolicyd is RHEL’s application-allowlist - it blocks execution of any binary not in the trust DB (rpmdb + /etc/fapolicyd/rules.d/). Disabling it removes the last-line defence against droppers that bypass SELinux (e.g. interpreted cryptominers launched via python3 -c or bash -c) and is a hallmark of post-exploitation staging. | |
| firewalld_ | HIGH | firewalld Flushed, Stopped, or Set to Trusted Zone | A task flushes every firewalld rule (firewall-cmd --reload after --permanent --remove), stops/disables the firewalld service, or moves the default zone to trusted (which accepts every packet). On RHEL 8/9 fleets this is the functional equivalent of iptables -F and is almost always either a post-exploitation evasion step or an operational foot-gun that silently exposes every bound service. The ansible.posix.firewalld module form (state: absent + zone: trusted) is equally dangerous and is how several Red-Hat-family ransomware campaigns in 2024-2025 opened C2 egress. | |
| gcp_ | HIGH | GCP Audit Config Exempts Members From DATA_READ / ADMIN_READ Logging | A task renders an iam_audit_config resource (Terraform / gcloud / google.cloud.gcp_iam_audit_config) with exempted_members: populated for the DATA_READ or ADMIN_READ log-type. Any principal in the exempted list will NOT generate Cloud Audit Logs for that log-type - effectively invisible to the SIEM when they read data or inspect admin metadata. The 2024 Mandiant / Google Cloud incident-response findings show this is the canonical GCP pre-attack step for insider-threat actors: exempt themselves, then exfiltrate. Distinct from wholesale log-sink disablement; this is the narrow per-identity exemption that looks like a benign config. | |
| gcp_ | HIGH | GCP Security Command Center Mute-Config Covers All Or High-Severity Findings | A task runs gcloud scc muteconfigs create (or google.cloud.gcp_securitycenter_mute_config) with a filter string that is empty, *, category:*, severity="HIGH" OR severity="CRITICAL", or contains resource.project_id=* AND (...) with no narrowing condition. SCC mute-configs are the GCP equivalent of GuardDuty suppression; broad mute-configs silence every future High/Critical finding across the organisation and are the #1 anti-forensic move in GCP cloud-ransomware playbooks (TeamTNT, SSH-Snake 2024). | |
| gcp_ | HIGH | GCP VPC Service Controls Perimeter Weakened (Dry-Run Or Bridge) | A task creates or updates an accesscontextmanager.googleapis.com/ServicePerimeter with perimeterType: PERIMETER_TYPE_BRIDGE (which permits data egress between bridged perimeters) OR uses dryRun/spec only without an enforced status - meaning violations are logged but NOT blocked. VPC-SC is GCP’s core data-exfiltration-prevention boundary; weakening it is the GCP analogue of 2024-reported AWS-Org-SCP-removal attacks by hands-on-keyboard actors. | |
| history_ | HIGH | Shell History Or System Log Redirected To /dev/null Or Wiped | A task runs > /dev/null, cat /dev/null >, truncate -s 0, or rm -f targeting ~/.bash_history, ~/.zsh_history, /var/log/auth.log, /var/log/secure, /var/log/syslog, /var/log/audit/audit.log, or /var/log/wtmp. Legitimate log-rotation uses logrotate with copytruncate + a rotation policy, never ad-hoc rm or > /dev/null - this pattern is the defining indicator of T1070.003 Indicator Removal: Clear Command History / T1070.002 Clear Linux or Mac System Logs. | |
| hypervisor_ | HIGH | Hypervisor (Proxmox/ESXi/libvirt) SSH With PermitRootLogin yes + Weak Ciphers | A playbook renders /etc/ssh/sshd_config (or an ESXi-style /etc/ssh/sshd_config) on a host that’s tagged as Proxmox/libvirt/ESXi/KVM AND has both PermitRootLogin yes AND a weak Ciphers / MACs / KexAlgorithms block (e.g. Ciphers aes128-cbc,3des-cbc or includes hmac-md5, hmac-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1). Hypervisors are the highest-value management targets - every guest VM is one virsh define --validate=no away from full compromise. | |
| init_ | HIGH | Init Script Creation | Creates SysV init scripts or rc.local entries for persistence | |
| iptables_ | HIGH | iptables-save / nft list ruleset Redirected To /dev/null Or /tmp (Audit-Trail Evasion) | A task runs iptables-save > /dev/null / nft list ruleset > /dev/null / iptables-save > /tmp/* - redirecting the firewall-audit output to a throwaway location, typically to satisfy a compliance-scan check that a firewall dump ‘happens’ without actually saving it to /etc/iptables/rules.v4 or an auditable location. This defeats post-incident forensics (no record of what rules were active) and is used by threat actors to pre-emptively wipe the audit trail before flushing rules. | |
| kafka_ | HIGH | Kafka security.inter.broker.protocol=PLAINTEXT (Cleartext Cluster Replication) | A task renders server.properties with security.inter.broker.protocol=PLAINTEXT or listener.security.protocol.map containing INTERNAL:PLAINTEXT for the inter-broker listener. Kafka brokers continuously replicate partition data to each other; plaintext inter-broker means every record (and thus every message in every topic) crosses the wire unencrypted during replication. For multi-AZ / multi-region clusters this is an inter-datacenter cleartext fan-out - whoever owns a single L2/L3 hop captures every production topic. Confluent’s 2024 hardening docs list this as a P0 finding. Existing Kafka TLS rules catch client-facing SSL but not the inter-broker listener specifically. | |
| kvm_ | HIGH | libvirt / KVM Daemon Listening On TCP Without TLS (Unauthenticated Hypervisor Control) | A task renders /etc/libvirt/libvirtd.conf or a systemd override with listen_tcp = 1 + auth_tcp = "none" / auth_tcp = "sasl" without listen_tls = 1, or sets LIBVIRTD_ARGS="--listen" + /etc/sysconfig/libvirtd with TLS disabled, OR connects via virsh -c qemu+tcp://host/system / qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock + auth_unix_rw="none". libvirt’s TCP transport (port 16509) is the remote-management API - without TLS and with auth_tcp=none, any network-reachable client can list, create, destroy, and exfiltrate (via disk-snapshot + SCP) every VM on the hypervisor. 2024 OVH / Proxmox forum reports show multiple commodity-malware campaigns auto-scanning 16509/tcp for this config. Distinct from ESXi shell rules (different product); this is the Linux/KVM/Proxmox/oVirt exposure path. | |
| laps_ | HIGH | LAPS Password Attribute Read | Reads the ms-Mcs-AdmPwd, msLAPS-Password, or msLAPS-EncryptedPassword attribute from an AD computer object (Get-LAPSADPassword, Get-ADComputer -Properties ms-Mcs-AdmPwd, ldap_search filtering that attribute). LAPS stores per-machine local administrator passwords; a playbook reading them in bulk is a credential-harvest primitive. | |
ld_ | HIGH | LD_LIBRARY_PATH Manipulation | Modifies the library search path, potentially loading malicious shared libraries | |
ldap_ | HIGH | LDAP Signing / Channel Binding Disabled Via Registry (NTLM Relay Enabler) | A task writes HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity = 1 (signing not required; 2 = REQUIRED) OR LdapEnforceChannelBinding = 0 (disabled) OR HKLM:\...\LDAP\LdapClientIntegrity = 0. These are the exact knobs covered by Microsoft's ADV190023 LDAP signing / channel binding advisory (published 2019; the March 2020 updates added the enforcement settings and audit events but did not change the defaults). Without them an on-path attacker can relay NTLM authentication to LDAP/LDAPS (ntlmrelayx --target ldaps://dc...) and escalate to Domain Admin - a standard post-foothold pivot attributed in 2024 reporting to Volt Typhoon, Storm-0501, and most ransomware operators. | |
leapp_ | HIGH | RHEL leapp Upgrade With RPM Signature Verification Disabled | A task invokes leapp preupgrade / leapp upgrade with --no-rpm-verify or sets LEAPP_NO_RPM_CHECK=1 (usually alongside LEAPP_UNSUPPORTED=1, which unlocks the unsupported developer overrides). leapp is the supported in-place major-version upgrade tool for RHEL (7 -> 8, 8 -> 9, 9 -> 10); disabling RPM signature verification during an OS upgrade means the new OS can be installed from tampered or unsigned packages - a high-impact supply-chain window on a machine that is about to become the new golden image. | |
linux_ | HIGH | CAP_BPF / CAP_PERFMON / CAP_SYS_ADMIN granted to a container, pod, or systemd unit | A task adds CAP_BPF, CAP_PERFMON, or CAP_SYS_ADMIN to a Docker / Podman / containerd / Kubernetes pod securityContext.capabilities.add or to a systemd AmbientCapabilities / CapabilityBoundingSet. CAP_BPF and CAP_PERFMON were split out of the catch-all CAP_SYS_ADMIN in Linux 5.8; any of the three lets a workload load eBPF programs, attach kprobes/uprobes and tracepoints, and read kernel memory - an ideal LPE / credential-dumping / syscall-tampering primitive. 2024 research (TracerFS, BadBPF, Project Zero eBPF verifier bypasses CVE-2024-26589, CVE-2024-40967) repeatedly demonstrated kernel-privilege escalation from these caps. Also catches apparmor=unconfined, which removes the profile-level restriction on the same operations. | |
macos_ | HIGH | macOS Gatekeeper Disabled Via spctl --master-disable | A task runs spctl --master-disable, spctl --global-disable, or writes GKAutoRearm = false / other security-policy overrides that turn off Gatekeeper. Gatekeeper is the layer that blocks execution of any downloaded binary not signed with a Developer ID certificate AND notarized by Apple's notary service. Disabling it is the step every macOS adware/trojan installer script takes before dropping an unsigned payload - the 2024 Cuckoo Stealer / Atomic macOS Stealer / Banshee campaigns all include spctl --master-disable as a second-stage line. | |
macos_ | HIGH | macOS LaunchDaemon Plist Dropped With RunAtLoad + KeepAlive Persistence | A task writes a .plist into /Library/LaunchDaemons/ or /Library/LaunchAgents/ (root-level persistence) OR ~/Library/LaunchAgents/ (per-user) with the combination RunAtLoad=true and KeepAlive=true AND a ProgramArguments / Program pointing at /tmp, /var/tmp, /Users/Shared, /private/tmp, or /Library/Application Support/<non-standard-vendor>. This is the exact T1543.004 persistence primitive used by XCSSET, Shlayer, Banshee, LightSpy, and the 2024 BlueNoroff RustDoor / KANDYKORN campaigns - the LaunchDaemon is re-spawned forever by launchd(8) and survives reboots and user logout. | |
macos_ | HIGH | macOS TCC Privacy Database Mutated Or Reset (Consent Bypass) | A task calls tccutil reset <service> / tccutil reset All OR directly mutates /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db via sqlite3 / cp. TCC is Apple’s Transparency-Consent-and-Control framework that gates access to Screen Recording, Full Disk Access, Camera, Microphone, Accessibility, and Location Services. Mutating TCC.db directly is the canonical macOS privacy-bypass primitive exploited by CVE-2020-9771, CVE-2022-32800, CVE-2023-40424, and by every stealer family targeting macOS in 2023-2024 (Atomic, RealSt, Cuckoo) to grant themselves Full Disk Access without triggering a user prompt. | |
modules_ | HIGH | Kernel Module Auto-Load Persistence | Writes to modules-load.d to automatically load kernel modules at boot | |
nats_ | HIGH | NATS Server Authorization Disabled Or System Account Default (Unauthenticated Pub/Sub) | A task renders a NATS server.conf without an authorization {} block AND with a listen: 0.0.0.0:4222 (or any non-loopback address), OR explicitly sets no_auth_user: to grant a principal $SYS account-level access. NATS defaults to NO AUTH on fresh installs - deploying a NATS cluster to a non-loopback address without configuring authorization exposes the entire pub/sub bus to any TCP client that can reach 4222/tcp (monitoring port 8222 too). The $SYS account has cluster-admin privileges and should never be granted to a regular client. The 2024 Synadia hardening guide lists authorization-disabled as the #1 NATS misconfiguration they observe in production audits. | |
network_ | HIGH | Network Packet Capture | Captures network traffic, potentially intercepting credentials and sensitive data | |
network_ | HIGH | Network Port Scanning | Runs network port scanning tools, which is a reconnaissance technique | |
networkmanager_ | HIGH | NetworkManager Dispatcher Persistence | Writes scripts to NetworkManager dispatcher.d, executing code on network events | |
ntp_ | HIGH | chrony / ntpd Configured With Untrusted Upstream And No NTS/Symmetric-Key Authentication | A task renders /etc/chrony.conf or /etc/ntp.conf with a public pool/server directive (e.g. pool 0.pool.ntp.org iburst) that carries no nts, key, or autokey authentication, AND makestep 1.0 -1 is set (step the clock for any offset above 1 s on any update, not only the first few after boot). Unauthenticated NTP is vulnerable to upstream spoofing (Chronos / Khronos research) that steps the clock arbitrarily backwards or forwards, enabling certificate-expiry bypass, Kerberos ticket replay (the ticket-validity window widens), and HSTS / HPKP pin expiry. | |
otel_ | HIGH | OpenTelemetry Collector OTLP receiver bound to 0.0.0.0 / :: (all interfaces) | A task configures an OpenTelemetry Collector (otelcol, otelcol-contrib, adot-collector, splunk-otel-collector, datadog-agent otlp_config, grafana-agent) with an OTLP gRPC (4317) or HTTP (4318) receiver bound to 0.0.0.0 / :: / unspecified instead of an explicit internal IP or a Kubernetes ClusterIP service. OTLP receivers accept unauthenticated trace/metric/log submissions by default - a wide-open collector is a trivial sink for spoofed telemetry, a DoS target, and (when paired with the file or debug exporter) a data-exfiltration oracle. The OpenTelemetry Collector security guidance requires receivers to bind to loopback or a dedicated internal interface, with mTLS or bearer-token auth when cross-host. | |
password_ | HIGH | Account Password Expiry Disabled | A task disables password aging on a Linux account: chage -M -1, chage -M 99999, chage -E -1, passwd -x -1, passwd -x 99999, usermod -e '', or usermod -e 1. Removing expiry on a privileged or service account defeats periodic-rotation controls and is a common persistence move after credential theft. | |
powershell_ | HIGH | Set-ExecutionPolicy Bypass/Unrestricted At LocalMachine Or User Scope (Persistent Policy Weakening) | A task runs Set-ExecutionPolicy -ExecutionPolicy Bypass (or Unrestricted) with -Scope LocalMachine or -Scope CurrentUser, both of which persist across sessions, OR writes the ExecutionPolicy value under HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell to Bypass/Unrestricted. Distinct from the one-off powershell.exe -ep Bypass invocation or -Scope Process (both scoped to a single process and used legitimately by installers) - this is the PERSISTENT policy change that makes the host permanently run unsigned scripts, even from remote locations. 2024 reporting on Lazarus and Earth Baku describes LocalMachine being set to Bypass before their stagers are dropped. | |
proxy_ | HIGH | Proxy Credentials in Environment | Sets proxy environment variables with embedded username:password credentials | |
redfish_ | HIGH | Redfish BMC API Access | Accesses server BMC via Redfish REST API for hardware-level management | |
rhsm_ | HIGH | Red Hat Subscription Manager Token or Activation Key in Plaintext | A task registers a system with subscription-manager register, rhsm_repository, community.general.redhat_subscription, or rhc connect and passes an activation key, password, or organisation token as a plaintext string - not a Vaulted variable. RHSM activation keys authorise full subscription consumption and can enable a lateral pivot into other Red Hat-managed assets (Insights, Satellite); leaking one into role source, a log, or a CI console echoes it to anyone with read access. | |
ssh_ | HIGH | SSH Authorized Keys Modification | Writes to authorized_keys files, potentially adding persistent SSH backdoor access | |
ssh_ | HIGH | SSH Configuration Manipulation | Modifies SSH server or client configuration with weakening settings | |
ssh_ | HIGH | SSH Tunnel or Port Forwarding | Creates SSH tunnels or reverse port forwards, bypassing network controls | |
swap_ | HIGH | Swap/Memory Dump Credential Harvesting | Reads swap partitions or memory dumps to extract credentials from process memory | |
systemd_ | HIGH | systemd-run Transient Timer | Creates a transient systemd timer using systemd-run, bypassing unit file review | |
systemd_ | HIGH | Systemd Timer Unit Creation | Creates a systemd timer unit for scheduled task execution, which can be used for persistence | |
tetragon_ | HIGH | Tetragon (Cilium) eBPF runtime-security agent stopped, masked, or uninstalled | A task stops, disables, masks, or uninstalls Cilium Tetragon (tetragon, tetragon-operator) - the Cilium project’s eBPF runtime-security and process-lineage observability agent commonly deployed alongside Cilium networking for zero-trust enforcement and MITRE ATT&CK-aligned policy enforcement. Tetragon is the primary source of process_exec, process_exit, sys_write, tcp_connect, and file_write signals in many Cilium-based clusters; disabling it blinds detection engineering. Also matches deletion of the cilium or kube-system/tetragon DaemonSet and removal of TracingPolicy CRDs used to enforce kill-on-syscall rules. | |
udev_ | HIGH | udev Rules Persistence | Creates udev rules with RUN directives to execute commands when hardware events occur | |
untrusted_ | HIGH | Untrusted APT Repository Added | Adds a third-party APT repository, which could serve malicious packages | |
untrusted_ | HIGH | Untrusted YUM Repository Added | Adds a third-party YUM/DNF repository, which could serve malicious packages | |
windows_ | HIGH | RestrictAnonymous / RestrictAnonymousSAM Set To 0 (Anonymous SAM Enumeration) | A task writes HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 0 OR RestrictAnonymousSAM = 0 OR EveryoneIncludesAnonymous = 1. With these values, anonymous (unauthenticated) connections can enumerate SAM accounts, shares, and group memberships via SAMR/LSARPC - the source for the enum4linux / rpcclient / NetExec --users reconnaissance that precedes most Windows pentests and real intrusions. Supported Windows versions default to RestrictAnonymousSAM = 1 (no anonymous SAM enumeration) and EveryoneIncludesAnonymous = 0, and CIS benchmarks additionally require RestrictAnonymous = 1; writing 0 / 0 / 1 is unambiguously a regression. | |
xdg_ | HIGH | XDG Autostart Persistence | Writes desktop entries to XDG autostart directories, executing programs at user login | |
ansible_ | MEDIUM | Ansible Galaxy Role from External Source | Installs Ansible Galaxy roles or collections by ad-hoc name on the command line, with no version pin and no requirements file. The hardened pattern is ansible-galaxy install -r requirements.yml (or collection install -r) where the requirements file pins versions / sources / signatures. | |
aws_ | MEDIUM | CloudWatch Log Group Without Retention Policy or KMS Encryption | A community.aws.cloudwatchlogs_log_group task creates a log group with retention: -1 (or retention: absent, which defaults to ‘Never Expire’) and/or kms_key_id: absent. Without retention, log volume grows without bound and costs escalate - but more importantly, indefinite retention means historical credential leaks stay forever discoverable. Without KMS, AWS stores logs under a shared service key, and an incident investigator loses the ability to instantly revoke access to old logs by rotating a CMK. | |
aws_ | MEDIUM | AWS Config Recorder With Global-Resources Recording Disabled | A community.aws.config_recorder task sets recording_group.include_global_resource_types: false OR enumerates resource_types: explicitly but omits IAM + CloudFront + Route53 + STS + Shield (the five global-scoped AWS resource families). AWS Config in that region loses visibility into every IAM permission change - the #1 signal for detecting compromised-credential abuse, role-chain pivoting, and SCP bypass attempts. | |
aws_ | MEDIUM | AWS RDS Instance/Cluster with backup_retention_period < 7 Days (Recovery Exposure) | An amazon.aws.rds_instance / community.aws.rds_cluster task sets backup_retention_period: to 0 (automated backups disabled entirely) or a value below 7 days. Retention 0 disables point-in-time recovery (PITR) altogether - a ransomware event or an accidental DROP TABLE is unrecoverable. A 1-6 day window means that if an attacker poisons data and the compromise isn't noticed within the retention period (common for slow-moving fraud / data tampering), the only clean snapshots have already expired. HIPAA's data-backup-plan requirement (164.308(a)(7)(ii)(A)) and PCI DSS backup and retention controls expect a defined, tested retention period; 7 days is the usual floor and is the RDS console default (the API / CLI default is 1). | |
aws_ | MEDIUM | AWS RDS Instance / Aurora Cluster Without Deletion Protection (deletion_protection: false) | An amazon.aws.rds_instance / community.aws.rds_cluster task creates/updates an RDS DB instance or Aurora cluster with deletion_protection: false (or omits the flag - the AWS API default is false). A compromised IAM principal (or a misfired delete-db-instance CLI call during an incident-response drill) can permanently destroy the database in seconds; automated backups are deleted with the instance by default, and no final snapshot is taken unless final_db_snapshot_identifier: is passed at delete time, which Ansible playbooks rarely do. For production RDS, deletion protection is a last line of defense against both ransomware (T1485) and insider-threat data destruction. | |
azure_ | MEDIUM | Azure PostgreSQL connection_throttling Parameter Disabled | An azure.azcollection.azure_rm_postgresqlconfiguration / azure.azcollection.azure_rm_postgresqlflexibleserverconfiguration task sets connection_throttling to off / false / 0. When disabled, the server does not rate-limit failed-login attempts, enabling on-line password-guessing / credential-stuffing against PostgreSQL user accounts. With connection_throttling: on (the secure default), Azure tracks failed authentications and throttles the offending source IP, which significantly reduces brute-force success probability and generates Defender-for-Cloud alerts on pattern detection. | |
azure_ | MEDIUM | Azure PostgreSQL/MySQL Server Logging Parameters Disabled | An azure.azcollection.azure_rm_postgresqlconfiguration / azure.azcollection.azure_rm_mysqlconfiguration / azure.azcollection.azure_rm_postgresqlflexibleserverconfiguration task sets log_checkpoints, log_connections, log_disconnections, or log_duration to off, OFF, false, or 0. These server parameters produce the only authoritative trail of WHO connected, WHEN they connected, HOW LONG statements ran, and WHEN checkpoints flushed - essential for forensic investigation of SQL-injection exfiltration, stolen-credential replay, and unauthorised schema changes. Azure Defender for SQL and Microsoft Sentinel depend on these flags being on. | |
esxi_ | MEDIUM | VMware ESXi NTP daemon disabled or set to manual (policy=off) | A task disables the ESXi NTP service (ntpd), sets its startup policy to off, or configures it without peers. ESXi hosts require synchronized time for vSphere HA, vMotion, Kerberos auth to vCenter SSO, certificate validation, log correlation, and - critically for IR - accurate forensic timeline reconstruction after a ransomware incident. ESXi-targeting crews (Akira, Black Basta) routinely disable ntpd as an anti-forensics step. The CIS VMware ESXi benchmarks require NTP to be configured against authoritative time sources with the service startup policy set to on. Also matches the newer chrony daemon on ESXi 8.0u2+ with the same misconfiguration. | |
gcp_ | MEDIUM | GCP Cloud Storage Bucket Without Access Logging (logging:/logBucket: unset) | A google.cloud.gcp_storage_bucket task creates a bucket without a logging: block (sub-keys log_bucket: and log_object_prefix:). GCS-side access logs (who-read-what, who-wrote-what, from which IP) are not emitted to a sink bucket. Forensic investigation of a data-exfil incident has no direct evidence trail at the storage layer - you’d have to reconstruct from VPC-Flow + Cloud Audit Logs, which typically miss object-level authenticated GET/HEAD operations from external identities. | |
git_ | MEDIUM | Git Repository Cloned in Playbook | Clones a git repository from within a playbook, pulling potentially untrusted code | |
krbtgt_ | MEDIUM | Domain krbtgt Password Reset | Resets the password of the krbtgt account (the KDC service account whose hash signs every Kerberos ticket). Resetting krbtgt is a legitimate domain-recovery action (golden-ticket remediation), but it MUST be done twice with a wait interval and coordinated with the Tier-0 team - running it from routine automation is either a mistake that breaks Kerberos or an attacker laundering a compromise recovery. | |
ssl_ | MEDIUM | SSL Certificate Generated in Playbook | Generates self-signed or custom SSL certificates from a playbook | |
systemd_ | MEDIUM | systemd-resolved DNSSEC Set To no (DNS Spoofing Enabler) | A task renders /etc/systemd/resolved.conf (or a /etc/systemd/resolved.conf.d/*.conf drop-in) with DNSSEC=no, OR with DNSOverTLS=no AND no fallback pinning. systemd-resolved's DNSSEC validation is what defeats DNS cache-poisoning attacks (SAD DNS, Kashpureff-style), BGP-hijack DNS tampering, and rogue-DHCP / rogue-WiFi DNS redirection. The upstream default is DNSSEC=allow-downgrade (some distributions build with no), which is acceptable; an explicit =no written by a task is a regression, typically paired with a DNS= override pointing at a malicious resolver. | |
systemd_ | MEDIUM | Suspicious systemd Service Unit Created | A task creates a systemd unit that looks like an ad-hoc persistence mechanism rather than a managed configuration-management deployment. Pure managed deployments (/etc/systemd/system/nginx.service, kubelet.service, docker.service) are expected and are NOT flagged. This rule fires only when the unit has a SUSPICIOUS shape: the ExecStart= target lives in a writable/ephemeral path (/tmp/, /var/tmp/, /dev/shm/, ~/, /home/.../), OR the unit points to a just-downloaded binary whose path contains download/installer/update, OR the unit name looks randomised (hex-only basename). These are the shapes reported in IR write-ups for Kinsing, SysUpdate, APT28/Diplomatic Orbiter, and MITRE T1543.002 (Systemd Service) - NOT the foo.service that ops teams manage every day. | |
aws_ | LOW | AWS Auto Scaling Group Attached to Load Balancer but Using EC2 Health Check | An amazon.aws.autoscaling_group task references load_balancers: or target_group_arns: but sets health_check_type: EC2 (the AWS default) or omits health_check_type: entirely. EC2 health checks only consider whether the EC2 instance is running at the hypervisor level - they cannot detect an application-layer failure (process crash, port no longer listening, 500-error storm, deadlocked event-loop). A ransomware payload that disables the app but leaves the VM running will keep the unhealthy instance in rotation, serving attacker content OR dropping traffic, while CloudWatch alarms stay green. | |
aws_ | LOW | amazon.aws.ec2_instance With ebs_optimized: false (Degraded I/O + Noisy-Neighbor Susceptibility) | An amazon.aws.ec2_instance task sets ebs_optimized: false (or omits it on an older instance family where it is not on by default; current-generation types are EBS-optimized by default). EBS optimization gives EBS traffic dedicated bandwidth; without it, EBS I/O and VPC traffic contend for the same instance network bandwidth, so a burst of network traffic (a neighbouring workload, or an attacker-driven flood) directly degrades disk throughput. The security relevance is availability: slower volume I/O lengthens snapshot, backup and restore windows, weakening the RTO you can commit to. | |
aws_ | LOW | AWS Lambda Function Without X-Ray Tracing (tracing_config.mode != Active) | A community.aws.lambda / amazon.aws.lambda task deploys a function without tracing_config: {mode: Active} (the AWS default is PassThrough: the function emits traces only when an upstream caller has already sampled the request - effectively off for event-source-driven workloads such as S3 events, SQS, and DynamoDB Streams). Without X-Ray segments, forensic investigation of a supply-chain-injected or living-off-the-cloud Lambda backdoor has no call graph: CloudTrail still logs the individual AWS API calls, but you cannot tie them to a specific invocation, see which downstream services the function pivoted into, or measure how long exfiltration ran. | |
nohup_ | LOW | Background Process via nohup / disown / setsid (Use systemd Instead) | A task uses nohup ... &, disown, setsid, screen -dmS, or tmux new-session -d to spawn a long-running background process. This is NOT a boot-persistent backdoor on its own (the process still dies on reboot - real persistence needs an init/systemd/cron entry), but it’s a deployment anti-pattern: the process escapes Ansible’s supervision, has no restart policy, no journald integration, no resource limits. If the process dies (OOM, segfault), nothing restarts it and the failure is silent. Operationally legitimate for quick smoke tests and data-plane warmups, but should never be the production deploy strategy for a service. |
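Worked example for the shell-history / system-log wipe row above. This is an added illustration, not the scanner's own code: it extracts truncation and deletion targets from the shell/command module lines and file: state=absent tasks of a constructed playbook, normalises home-directory paths, and reports only the files the rule lists. The sensitive-file set, the regexes and the sample tasks are this example's assumptions; the point it shows is that a plain `cmd > /dev/null` is not a finding while `cat /dev/null > ~/.bash_history` is.

```python
import re

# Files the rule lists; paths under /root and /home/<user> are normalised to ~/.
SENSITIVE_FILES = {
    "~/.bash_history", "~/.zsh_history",
    "/var/log/auth.log", "/var/log/secure", "/var/log/syslog",
    "/var/log/audit/audit.log", "/var/log/wtmp",
}

_REDIRECT = re.compile(r"(?<!>)>(?!>)\s*(\S+)")  # targets of a truncating ">" (">>" appends)
_TRUNCATE = re.compile(r"\btruncate\s+(?:-s\s*0|--size[= ]0)\s+(\S+)")


def _normalise(path):
    """Strip quotes and fold $HOME / /root / /home/<user> into the ~/ form used in SENSITIVE_FILES."""
    path = path.strip("'\"")
    path = re.sub(r"^(\$HOME|\$\{HOME\})", "~", path)
    return re.sub(r"^/(root|home/[^/]+)/", "~/", path)


def wiped_targets(command):
    """Return the sensitive files a shell command line truncates or deletes.

    A plain `cmd > /dev/null` is not a finding: the redirect target is /dev/null,
    not a log file.  `cat /dev/null > ~/.bash_history` is, because the target is.
    """
    hits = [m.group(1) for m in _REDIRECT.finditer(command)]
    hits += [m.group(1) for m in _TRUNCATE.finditer(command)]
    for segment in re.split(r"&&|\|\||;|\|", command):  # one simple command per segment
        tokens = segment.split()
        if tokens and tokens[0] == "rm":
            hits += [t for t in tokens[1:] if not t.startswith("-")]
    return sorted({_normalise(h) for h in hits} & SENSITIVE_FILES)


def scan_tasks(tasks):
    """Apply the rule to Ansible task dicts using shell/command or file state=absent."""
    findings = []
    for task in tasks:
        name = task.get("name", "<unnamed>")
        cmd = None
        for module in ("shell", "command", "ansible.builtin.shell", "ansible.builtin.command"):
            if module in task:
                cmd = task[module]
                break
        if isinstance(cmd, dict):  # long form: shell: {cmd: "..."}
            cmd = cmd.get("cmd", "")
        if cmd:
            findings += [(name, target) for target in wiped_targets(str(cmd))]
        file_args = task.get("file") or task.get("ansible.builtin.file")
        if isinstance(file_args, dict) and file_args.get("state") == "absent":
            target = _normalise(str(file_args.get("path") or file_args.get("dest") or ""))
            if target in SENSITIVE_FILES:
                findings.append((name, target))
    return findings


# Constructed sample playbook tasks: three wipes among ordinary noise.
SAMPLE_TASKS = [
    {"name": "quiet build", "shell": "make all > /dev/null 2>&1"},
    {"name": "rotate logs", "command": "logrotate -f /etc/logrotate.conf"},
    {"name": "clean history", "shell": "cat /dev/null > $HOME/.bash_history && history -c"},
    {"name": "trim audit log", "ansible.builtin.shell": {"cmd": "truncate -s 0 /var/log/audit/audit.log"}},
    {"name": "drop wtmp", "file": {"path": "/var/log/wtmp", "state": "absent"}},
    {"name": "remove build log", "shell": "rm -f /tmp/build.log"},
]

if __name__ == "__main__":
    for name, target in scan_tasks(SAMPLE_TASKS):
        print(f"T1070: task '{name}' wipes {target}")
```

The redirect regex deliberately skips `>>`: appending to a log is not a wipe, and flagging it would bury the real findings under every playbook that tees output into syslog.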
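Worked example for the hypervisor sshd_config row above, added here as illustration rather than taken from the scanner's source: a small parser that applies sshd's first-value-wins semantics and reports the PermitRootLogin yes + weak-algorithm combination. The weak-algorithm sets and the two sample configs are constructed for this example, and the hypervisor tag is passed in as a boolean because the page does not say how the scanner identifies hypervisor hosts.

```python
import re

# Algorithm sets named in the rule text plus a few related legacy entries;
# the exact lists are an assumption for this example, not the scanner's.
WEAK_CIPHERS = {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", "arcfour", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}


def parse_sshd_config(text):
    """Map keyword (lower-cased) -> value.

    sshd uses the first value it reads for a keyword, so later duplicates are
    ignored.  Directives inside a Match block only apply conditionally and are
    skipped here; a full scanner would evaluate them per Match criteria.
    """
    seen = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match or key in seen:
            continue
        seen[key] = value
    return seen


def weak_algorithms(config):
    """Return weak algorithm names listed in Ciphers / MACs / KexAlgorithms."""
    findings = []
    for key, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS), ("kexalgorithms", WEAK_KEX)):
        listed = config.get(key, "")
        if listed.startswith("-"):
            continue  # "-alg1,alg2" removes from the default set; it cannot add weak ones
        # "+" appends to and "^" prepends to the defaults; both can introduce weak entries
        names = {n.strip() for n in listed.lstrip("+^").split(",") if n.strip()}
        findings.extend(sorted(names & weak))
    return findings


def hypervisor_ssh_finding(sshd_config_text, host_is_hypervisor):
    """Apply the rule: fire only on hypervisor hosts with PermitRootLogin yes AND weak algorithms."""
    if not host_is_hypervisor:
        return None
    cfg = parse_sshd_config(sshd_config_text)
    weak = weak_algorithms(cfg)
    if cfg.get("permitrootlogin", "").lower() == "yes" and weak:
        return {"permit_root_login": "yes", "weak_algorithms": weak}
    return None


# Constructed sample: what a careless playbook might render on a Proxmox node.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# A later duplicate is ignored: sshd keeps the first value it read
PermitRootLogin no
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-md5,hmac-sha2-256
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
"""

# Constructed sample: the hardened rendering of the same file.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""

if __name__ == "__main__":
    print(hypervisor_ssh_finding(WEAK_SSHD_CONFIG, host_is_hypervisor=True))
    print(hypervisor_ssh_finding(HARDENED_SSHD_CONFIG, host_is_hypervisor=True))
```

The `-` / `+` / `^` handling matters in practice: a playbook that writes `Ciphers -aes128-cbc` is removing the weak cipher, and a naive substring match on the algorithm name would flag the fix as the finding.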
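Worked example for the macOS LaunchDaemon persistence row above. It is an added illustration, not code from the scanner: it parses a plist destined for a launchd directory with the standard-library plistlib and fires only on the RunAtLoad + KeepAlive + staging-path combination the rule describes. The staging-path prefixes and both sample plists are constructed for this example; the `/Library/Application Support/<non-standard-vendor>` case from the rule text is left out because it needs a vendor allow-list the page does not provide.

```python
import plistlib

# Staging / world-writable locations the rule names; the list is this example's own.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
LAUNCHD_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")


def _keep_alive(value):
    """KeepAlive is either a bool or a dict of conditions; any dict keeps the job alive."""
    return True if isinstance(value, dict) else bool(value)


def launchd_finding(dest_path, plist_bytes):
    """Return a finding for a plist written to a launchd directory that combines
    RunAtLoad + KeepAlive with a program in a writable / staging location."""
    # Substring match covers /Library/..., /System/Library/... and the expanded
    # per-user ~/Library/LaunchAgents/ path alike.
    if not any(d in dest_path for d in LAUNCHD_DIRS):
        return None
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    if not program:
        return None
    if (bool(job.get("RunAtLoad")) and _keep_alive(job.get("KeepAlive"))
            and program.startswith(SUSPICIOUS_PREFIXES)):
        return {"label": job.get("Label"), "program": program, "path": dest_path}
    return None


# Constructed sample: the T1543.004 shape the rule describes, with KeepAlive
# given as a condition dict (the form most droppers use) rather than a bare true.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.cache/updater</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
</dict>
</plist>
"""

# Constructed sample: an ordinary vendor daemon, same flags, normal install path.
BENIGN_PLIST = plistlib.dumps({
    "Label": "io.prometheus.node_exporter",
    "ProgramArguments": ["/usr/local/bin/node_exporter"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    print(launchd_finding("/Library/LaunchDaemons/com.example.updater.plist", SUSPICIOUS_PLIST))
    print(launchd_finding("/Library/LaunchDaemons/io.prometheus.node_exporter.plist", BENIGN_PLIST))
```

Parsing the plist rather than grepping the template text is what makes the KeepAlive check reliable: `<true/>`, `<dict>…</dict>` condition blocks and the binary plist form all reach the same `_keep_alive` decision.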
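Worked example for the chrony / ntpd row above, added as illustration and not part of the scanner. It parses the `server` / `pool` / `peer` directives and the `makestep` line of a rendered chrony.conf (the same directive forms appear in ntp.conf), marks a source authenticated only when it carries `nts`, `key` or `autokey`, and fires on the rule's AND condition: at least one unauthenticated upstream together with an unlimited makestep. The option names treated as authentication and both sample configs are this example's assumptions.

```python
import re

# chrony/ntpd options that make a time source authenticated; assumption for this example.
AUTH_OPTIONS = {"nts", "key", "autokey"}
SOURCE_DIRECTIVES = {"server", "pool", "peer"}


def parse_time_config(text):
    """Return (sources, makestep) from a chrony.conf or ntp.conf body.

    sources: list of {"directive", "address", "authenticated"}
    makestep: (threshold_seconds, limit) or None; a negative limit means chrony
    may step the clock on any update, not only the first few after boot.
    """
    sources, makestep = [], None
    for raw in text.splitlines():
        line = re.split(r"[#%!;]", raw, maxsplit=1)[0]  # chrony comment characters
        tokens = line.split()
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive in SOURCE_DIRECTIVES and len(tokens) > 1:
            options = {t.lower() for t in tokens[2:]}
            sources.append({
                "directive": directive,
                "address": tokens[1],
                "authenticated": bool(options & AUTH_OPTIONS),
            })
        elif directive == "makestep" and len(tokens) >= 3:
            makestep = (float(tokens[1]), int(tokens[2]))
    return sources, makestep


def ntp_finding(text):
    """Apply the rule: unauthenticated upstream AND makestep with an unlimited update count."""
    sources, makestep = parse_time_config(text)
    unauthenticated = [s["address"] for s in sources if not s["authenticated"]]
    unlimited_step = makestep is not None and makestep[1] < 0
    if unauthenticated and unlimited_step:
        return {"unauthenticated_sources": unauthenticated, "makestep": makestep}
    return None


# Constructed sample: the weak rendering the rule describes.
WEAK_CHRONY_CONF = """\
pool 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 -1
"""

# Constructed sample: NTS for the public source, a symmetric key for the internal
# one, and makestep limited to the first three updates after boot.
HARDENED_CHRONY_CONF = """\
server time.cloudflare.com iburst nts
server ntp.corp.example key 1
keyfile /etc/chrony.keys
driftfile /var/lib/chrony/drift
makestep 1.0 3
"""

if __name__ == "__main__":
    print(ntp_finding(WEAK_CHRONY_CONF))
    print(ntp_finding(HARDENED_CHRONY_CONF))
```

Keeping the two conditions separate in the parser lets a stricter policy fire on unauthenticated sources alone; the rule as written on this page requires both, because `makestep 1.0 -1` is what turns a spoofed upstream into an arbitrary clock step at any time.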