Sensitive Files Compression Inside A Container

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.


  1[metadata]
  2creation_date = "2023/05/12"
  3integration = ["cloud_defend"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials
 11and system configurations inside a container.
 12"""
 13from = "now-6m"
 14index = ["logs-cloud_defend*"]
 15interval = "5m"
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Sensitive Files Compression Inside A Container"
 19risk_score = 47
 20rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
 21severity = "medium"
 22tags = [
 23    "Data Source: Elastic Defend for Containers",
 24    "Domain: Container",
 25    "OS: Linux",
 26    "Use Case: Threat Detection",
 27    "Tactic: Collection",
 28    "Tactic: Credential Access",
 29]
 30timestamp_override = "event.ingested"
 31type = "eql"
 32
 33query = '''
 34process where container.id: "*" and event.type== "start" and 
 35
 36/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/  
 37(process.name: ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z"))
 38and process.args: ( 
 39"/root/.ssh/id_rsa", 
 40"/root/.ssh/id_rsa.pub", 
 41"/root/.ssh/id_ed25519", 
 42"/root/.ssh/id_ed25519.pub", 
 43"/root/.ssh/authorized_keys", 
 44"/root/.ssh/authorized_keys2", 
 45"/root/.ssh/known_hosts", 
 46"/root/.bash_history", 
 47"/etc/hosts", 
 48"/home/*/.ssh/id_rsa", 
 49"/home/*/.ssh/id_rsa.pub", 
 50"/home/*/.ssh/id_ed25519",
 51"/home/*/.ssh/id_ed25519.pub",
 52"/home/*/.ssh/authorized_keys",
 53"/home/*/.ssh/authorized_keys2",
 54"/home/*/.ssh/known_hosts",
 55"/home/*/.bash_history",
 56"/root/.aws/credentials",
 57"/root/.aws/config",
 58"/home/*/.aws/credentials",
 59"/home/*/.aws/config",
 60"/root/.docker/config.json",
 61"/home/*/.docker/config.json",
 62"/etc/group",
 63"/etc/passwd",
 64"/etc/shadow",
 65"/etc/gshadow")
 66'''
 67
 68
 69[[rule.threat]]
 70framework = "MITRE ATT&CK"
 71[[rule.threat.technique]]
 72id = "T1552"
 73name = "Unsecured Credentials"
 74reference = "https://attack.mitre.org/techniques/T1552/"
 75[[rule.threat.technique.subtechnique]]
 76id = "T1552.001"
 77name = "Credentials In Files"
 78reference = "https://attack.mitre.org/techniques/T1552/001/"
 79
 80
 81
 82[rule.threat.tactic]
 83id = "TA0006"
 84name = "Credential Access"
 85reference = "https://attack.mitre.org/tactics/TA0006/"
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1560"
 90name = "Archive Collected Data"
 91reference = "https://attack.mitre.org/techniques/T1560/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1560.001"
 94name = "Archive via Utility"
 95reference = "https://attack.mitre.org/techniques/T1560/001/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0009"
101name = "Collection"
102reference = "https://attack.mitre.org/tactics/TA0009/"
