AWS Credentials Searched For Inside A Container

This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.


 1[metadata]
 2creation_date = "2023/06/28"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5min_stack_comments = "New Integration: Cloud Defend"
 6min_stack_version = "8.8.0"
 7updated_date = "2023/06/28"
 8
 9[rule]
10author = ["Elastic"]
11description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment."
12from = "now-6m"
13index = ["logs-cloud_defend*"]
14interval = "5m"
15language = "eql"
16license = "Elastic License v2"
17name = "AWS Credentials Searched For Inside A Container"
18tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
19references = [
20    "https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
21]
22risk_score = 47
23rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
24severity = "medium"
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = """
29process where event.module == "cloud_defend" and     
30  event.type == "start" and
31  
32/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
33(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and 
34process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")
35"""
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40  [rule.threat.tactic]
41  id = "TA0006"
42  reference = "https://attack.mitre.org/tactics/TA0006/"
43  name = "Credential Access"
44
45  [[rule.threat.technique]]
46  id = "T1552"
47  reference = "https://attack.mitre.org/techniques/T1552/"
48  name = "Unsecured Credentials"
49
50    [[rule.threat.technique.subtechnique]]
51    id = "T1552.001"
52    reference = "https://attack.mitre.org/techniques/T1552/001/"
53    name = "Credentials In Files"
