├── README.md
├── LICENSE
└── runtime-rules-changelog
    └── changelog.md

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# tm-v1-containersecurity-rules

## Project Description

This repository serves as a changelog for releases of Trend Vision One™️ Container Security Runtime Security rules.

## License

This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.

## About

### Authors

Trend Vision One is a product designed and developed by the company [Trend Micro](https://www.trendmicro.com).

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Trend Micro Incorporated

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/runtime-rules-changelog/changelog.md:
--------------------------------------------------------------------------------
# Trend Vision One™️ Container Security
# Runtime Security Rules Changelog

## 2025-09-10

### Added
- No new rules added.

### Changed
- **Rule:** (T1649) Add system certificates
  **Change:** Simplified rule condition.

- **Rule:** (T1496) HugePages changed in container
  **Change:** Fixed rule condition.

- **Rule:** (T1564.001) Create Hidden Files or Directories
  **Change:** Major rule rework to create more actionable detections.

- **Rule:** (T1070.004) Dangerous deletion detected in container
  **Change:** Simplified rule logic.

- **Rule:** (T1496) Detect miner termination in container
  **Change:** Enhanced detection condition to extend coverage.

- **Rule:** (T1574.006) Dynamic linker changed
  **Change:** Enhanced detection logic for more targeted alerts.

- **Rule:** (T1552.005) Contact EC2 Instance Metadata Service From Container
  **Change:** Enhanced detection logic for more targeted alerts.

- **Rule:** (T1613) Specific discovery tool executed in container
  **Change:** Updated list of tools detected by the rule.

- **Rule:** (T1059.004) Offensive tool executed in container
  **Change:** Updated list of tools detected by the rule.

- **Rule:** (T1222.002) File attributes changed in container
  **Change:** Enhanced detection condition to extend coverage.

- **Rule:** (T1055.009) Inject File to Process Memory Virtual Space
  **Change:** Fixed rule condition.

- **Rule:** (T1505) Launch Package Management Process in Container
  **Change:** Simplified rule condition.

- **Rule:** (T1610) Launch Privileged Container
  **Change:** Improved condition to better detect privileged containers.

- **Rule:** (T1548.001) Set Setuid or Setgid bit
  **Change:** Enhanced detection logic for more targeted alerts.

- **Rule:** (T1611) Switch Linux namespace
  **Change:** Enhanced detection condition to exclude known legitimate activity.

- **Rule:** (T1611) Namespace change using unshare in container
  **Change:** Enhanced detection condition to exclude known legitimate activity.

- **Rule:** (T1562) Write to Selinux Config
  **Change:** Improved performance and refined detection logic for more targeted alerts.

- **Rule:** (T1562) Write to System Control
  **Change:** Improved performance and refined detection logic for more targeted alerts.

### Removed
- **Rule:** (T1613) Amicontained download detected in container
- **Rule:** (T1613) BOtB download detected in container
- **Rule:** (T1562.004) Iptables Modification
- **Rule:** (T1071) Possible IRC communication in container
- **Rule:** (T1613) Peirates tool detected in container
- **Rule:** (T1059.006) Python urllib Import Command Execution


## 2025-07-09

### Added
- No new rules added.

### Changed
- **Rule:** (T1222.002) File attributes changed in container
  **Change:** Improved detection condition to better target relevant file attribute modifications.

- **Rule:** (T1059) Redirect STDOUT/STDIN to Network Connection in Container
  **Change:** Improved performance and excluded known legitimate activity.

- **Rule:** (T1021.004) Lateral Movement using SSH
  **Change:** Improved performance and refined detection logic for more targeted alerts.

- **Rule:** (T1611) Switch Linux namespace
  **Change:** Enhanced detection condition to exclude known legitimate activity.

- **Rule:** (T1059) System procs network activity
  **Change:** Improved conditions to exclude known legitimate activity.

### Removed
- No rules removed.


## 2025-05-28

### Added
- No new rules added.

### Changed
- **Rule:** (T1070.002) Clear Log Activities
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

- **Rule:** Vulnerable liblzma loaded into sshd
  **Change:** Improved the condition to better detect the library name.
  - Rule name updated to (T1133) Vulnerable liblzma loaded into sshd.
  - Rule description updated.

### Removed
- No rules removed.


## 2025-04-14

### Added
- No new rules added.

### Changed
- **Rule:** (T1552.005) Contact EC2 Instance Metadata Service From Container
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

- **Rule:** (T1609) Docker or Kubernetes client executed in container
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

- **Rule:** (T1562.004) Iptables Modification
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

- **Rule:** (T1055.008) PTRACE attached to process
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

- **Rule:** (T1083) Read environment variable from /proc files
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

### Removed
- No rules removed.


## 2025-04-07

### Added
- No new rules added.

### Changed
- **Rule:** (T1070.002) Clear Log Activities
  **Change:** Updated the condition to be more specific.

- **Rule:** (T1564.001) Create Hidden Files or Directories
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

- **Rule:** (T1609) Docker or kubernetes client executed in container
  **Change:** Updated the condition to be more specific.

- **Rule:** (T1105) Launch Ingress Remote File Copy Tools in Container
  **Change:** Updated the condition to be more specific.

- **Rule:** (T1611) Switch Linux namespace
  **Change:** Improved the condition to exclude known legitimate activity detected by the rule.

### Removed
- No rules removed.
--------------------------------------------------------------------------------