The 23 Correlations: What a Full-Stack Security Agent Can See

A firmware integrity event fires (MSR write, SPI access, ACPI anomaly), followed by privilege escalation at the kernel level, followed by a kernel module load. This is the classic firmware-resident rootkit installation path. The attacker modifies firmware to survive reboots, escalates to ring 0, and loads a kernel module to hide their presence.

MSR write to a critical register (LSTAR, SMRR, or FEATURE_CONTROL) followed by process injection or privilege escalation, followed by log file tampering. The attacker redirects the syscall entry point via LSTAR to gain kernel execution, then injects into a running process, then cleans up logs to cover their tracks. Each stage individually could have an innocent explanation. Together within 10 minutes, they do not.

An EFI variable integrity failure or ACPI anomaly fires, followed by a major attack (ransomware, rootkit, or reverse shell) within 48 hours. The long window reflects the fact that firmware-level compromise may sit dormant before the attacker activates their payload. The firmware anomaly alone might be dismissed as a BIOS update. When it precedes an actual attack, it retroactively becomes critical evidence of pre-compromise.

Port scan from an IP, followed by SSH bruteforce or credential stuffing from the same IP, followed by data exfiltration or outbound anomaly from the same IP. This is the textbook attack lifecycle: recon, access, exfil. Each stage escalates. The entity pivot is the source IP, and the 30-minute window is tight enough to reduce false correlations while covering automated attack chains.

Outbound connect() to an external IP followed by dup2() redirecting file descriptors 0, 1, or 2 to that socket. Same PID must perform both. This is the definitive reverse shell detection at the syscall level, impossible to evade with command-line obfuscation. The 10-second window is intentionally tight because the connect-to-dup2 sequence completes in milliseconds.

A sensitive file read (credentials, keys, configuration files) followed by an outbound connect to an external IP from the same process. The 60-second window accounts for the time between reading the file and establishing the network connection. Entity pivot is PID. This catches "read-then-send" patterns regardless of the exfiltration method (curl, wget, netcat, or custom binaries).

io_uring submission ring activity followed by an outbound network connection from the same process. io_uring bypasses traditional syscall monitoring because I/O operations happen through shared memory rings instead of syscalls. Attackers use io_uring to read files and write to sockets without triggering tracepoints. Inner Warden monitors io_uring_submit and io_uring_create specifically to catch this evasion technique.

Container drift or escape detected (overlayfs upper-layer write, namespace breakout), followed by command execution, followed by privilege escalation via commit_creds. The attacker breaks out of a container, runs commands on the host, and escalates to root. Entity pivot transitions from container ID to PID lineage as the attacker crosses the boundary.

memfd_create (creates an anonymous file in memory) followed by mprotect (changes memory protection to executable) followed by outbound connect. The attacker creates an in-memory file, makes it executable, and connects to a C2 server. Nothing touches disk. No file to scan. No hash to match. Only the syscall sequence reveals the attack.

Credential harvesting (reading /etc/shadow, SSH keys, AWS credentials) followed by lateral movement or SSH key injection to another host. The attacker steals credentials from one machine and uses them to move to the next. Same PID or user entity pivot. This catches the pivoting phase of an attack before the attacker establishes persistence on the new host.

Crontab or systemd unit creation followed by SSH key injection or new user creation. Attackers who install multiple persistence mechanisms are establishing deep access. A single crontab might be legitimate administration. But a crontab and a new SSH key and a new user account within an hour? That is an attacker making sure they can get back in.

Web scan activity (directory enumeration, vulnerability probing) followed by a file write to a web-accessible directory, followed by web shell detection. The attacker probes the web application for weaknesses, exploits one to upload a PHP or JSP shell, and then uses that shell for command execution. Entity pivot is the source IP across all three stages.

Command execution or outbound download followed by crypto mining activity (high CPU in cgroup, known miner process names, stratum protocol connections). Cryptojacking is the most common outcome of automated server compromise. The attacker downloads the miner, runs it, and consumes your CPU. The two-stage chain catches this faster than waiting for CPU alerts alone.

An attacker interacts with the SSH or HTTP honeypot, then the same IP appears in real authentication logs or network events. The credentials or reconnaissance gathered from the honeypot were used against production systems. This is one of the most actionable correlations: the honeypot revealed attacker intent, and now that intent is being executed on real infrastructure.

A High or Critical incident fires, and within 5 minutes the event rate drops by 80% or more. The attacker is killing logging. This is a special rule handled by the baseline engine rather than the stage-matching engine. It detects the absence of events, which is something no pattern-matching system can do. The silence itself becomes evidence.

Three or more different Low-severity detectors fire for the same IP within 10 minutes. Each individual event is minor: a failed login, a port probe, a suspicious user-agent. But multiple different detectors triggering for the same entity suggests a multi-vector probe that warrants attention. This rule elevates the combined signal to High severity.

Privilege escalation, reverse shell, or SSH bruteforce followed by log file tampering (truncation, deletion, or modification of auth.log, syslog, or audit logs). Attackers clean up after themselves. This rule catches the cleanup phase and links it back to the initial compromise, providing the full picture even when the attacker deletes the evidence of the first stage.

An unauthorized eBPF program loads (detected by the LSM bpf hook), followed by privilege escalation or process injection. The attacker uses eBPF itself as an attack vector, loading a malicious program that manipulates kernel data structures. This is the VoidLink-style attack where offensive tooling uses the same eBPF capabilities that defensive tools rely on.

RWX memory allocation (writable and executable, a hallmark of shellcode) or anonymous memory mapping followed by an outbound connection. The attacker allocates executable memory, writes shellcode into it, and the shellcode connects to a command-and-control server. PID pivot ensures both events come from the same process. The 2-minute window captures even slow multi-stage loaders.

Docker activity (image pull, container creation) followed by command execution inside the container, followed by outbound network connection. Attackers pull a malicious Docker image that contains their tools, run it, and use it to pivot to other hosts or exfiltrate data. The container provides a clean execution environment that bypasses host-level file integrity monitoring.

Encrypted file writes or ransomware burst activity (many files renamed with new extensions in rapid succession) followed by mass file modifications detected by integrity monitoring. The 60-second window is tight because ransomware acts fast. The 0.9 confidence threshold triggers immediate automated response: kill the process, isolate the host, alert the operator.

A YARA rule matches on a file or process memory, followed by an outbound connect or C2 callback pattern from the same process. The YARA match identifies the malware. The network connection confirms it is active and communicating. Together they provide definitive evidence of a running malware sample, not just a dormant file on disk.

A Sigma detection rule fires (any severity), followed by privilege escalation detected by the commit_creds kprobe. Sigma rules are community-maintained detections for known attack patterns. When a Sigma match is followed by a privilege change in the same process, the combined signal is much stronger than either alone. This bridges the gap between community-sourced intelligence and kernel-level confirmation.