Cloud Credential Search Detected via Defend for Containers
This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.
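[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
# Both values below are tied to the re-introduction of the integration in 9.3.0; keep them in sync.
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/15"

[rule]
author = ["Elastic"]
# Kept in sync with the query: the patterns below cover AWS, Azure and GCP material, not only AWS.
description = """
This rule detects the use of system search and file-reading utilities such as grep, find, cat, sed and awk to
search for AWS, Azure or GCP credential material (credential files, configuration directories and well-known
credential environment variables) inside a container. Unauthorized access to these sensitive files could lead to
further compromise of the container environment or facilitate a container breakout to the underlying cloud
environment.
"""
# 6m look-back on a 5m schedule: consecutive runs overlap by 1m so events that arrive late
# (the rule keys on event.ingested, see timestamp_override) are not skipped.
from = "now-6m"
# Process events from the Defend for Containers integration only.
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Cloud Credential Search Detected via Defend for Containers"
references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"]
risk_score = 47
rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
severity = "medium"
tags = [
  "Data Source: Elastic Defend for Containers",
  "Domain: Container",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  # NOTE(review): this tag usually accompanies a `note` field holding the investigation guide;
  # no `note` is present in this file — confirm the guide was not dropped.
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  /* Direct execution of search or file-reading utilities */
  process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate", "cat", "sed", "awk") or
  (
    /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
    process.args in (
      "grep", "/bin/grep", "/usr/bin/grep", "/usr/local/bin/grep",
      "egrep", "/bin/egrep", "/usr/bin/egrep", "/usr/local/bin/egrep",
      "fgrep", "/bin/fgrep", "/usr/bin/fgrep", "/usr/local/bin/fgrep",
      "find", "/bin/find", "/usr/bin/find", "/usr/local/bin/find",
      "locate", "/bin/locate", "/usr/bin/locate", "/usr/local/bin/locate",
      "mlocate", "/bin/mlocate", "/usr/bin/mlocate", "/usr/local/bin/mlocate",
      "cat", "/bin/cat", "/usr/bin/cat", "/usr/local/bin/cat",
      "sed", "/bin/sed", "/usr/bin/sed", "/usr/local/bin/sed",
      "awk", "/bin/awk", "/usr/bin/awk", "/usr/local/bin/awk"
    ) and
    /* default exclusion list to not FP on default multi-process commands */
    not process.args in (
      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )
)
and
/* like~ is the case-insensitive form of like, so the mixed-case names below match regardless of casing */
process.args like~ (
  /* AWS Credentials */
  "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
  /* "*access_key*" (and "*private_key*" in the GCP block) are broad: they already cover the more specific
     *_id patterns and can also match non-cloud secrets; tune here first if the rule is noisy */
  "*access_key*", "*.aws/credentials*",

  /* Azure Credentials */
  "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*",
  "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*",
  "*/.azure/*", "*/var/run/secrets/azure/*",

  /* GCP Credentials */
  "*/.config/gcloud/*", "*application_default_credentials.json*",
  "*type: service_account*", "*client_email*", "*private_key_id*", "*private_key*",
  "*/var/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*"
) and
/* Interactive sessions only: non-interactive (scripted) invocations of the same utilities do not alert */
process.interactive == true and
/* like "*" requires a non-null container.id, i.e. the process ran inside a container */
container.id like "*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"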
Related rules
- Sensitive File Compression Detected via Defend for Containers
- Sensitive Keys Or Passwords Search Detected via Defend for Containers
- Container Management Utility Execution Detected via Defend for Containers
- DebugFS Execution Detected via Defend for Containers
- Dynamic Linker Modification Detected via Defend for Containers