AWS Credentials Searched For Inside A Container

This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.


 1[metadata]
 2creation_date = "2023/06/28"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a
11container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or
12facilitate a container breakout to the underlying cloud environment.
13"""
14from = "now-6m"
15index = ["logs-cloud_defend*"]
16interval = "5m"
17language = "eql"
18license = "Elastic License v2"
19name = "AWS Credentials Searched For Inside A Container"
20references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
21risk_score = 47
22rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
23severity = "medium"
24tags = [
25    "Data Source: Elastic Defend for Containers",
26    "Domain: Container",
27    "OS: Linux",
28    "Use Case: Threat Detection",
29    "Tactic: Credential Access",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35process where event.module == "cloud_defend" and     
36  event.type == "start" and
37  
38/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
39(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and 
40process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1552"
48name = "Unsecured Credentials"
49reference = "https://attack.mitre.org/techniques/T1552/"
50[[rule.threat.technique.subtechnique]]
51id = "T1552.001"
52name = "Credentials In Files"
53reference = "https://attack.mitre.org/techniques/T1552/001/"
54
55
56
57[rule.threat.tactic]
58id = "TA0006"
59name = "Credential Access"
60reference = "https://attack.mitre.org/tactics/TA0006/"
