Sensitive Files Compression Inside A Container
Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.
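[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials
and system configurations inside a container.
"""
# Lookback (6m) is one minute wider than the run interval (5m); together with
# timestamp_override = event.ingested this presumably keeps late-ingested events
# from falling between two runs -- confirm against the scheduler's behaviour.
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Sensitive Files Compression Inside A Container"
risk_score = 47
rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
severity = "medium"
tags = [
  "Data Source: Elastic Defend for Containers",
  "Domain: Container",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Collection",
  "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "eql"

# Scope: process-start events that carry any container.id. Each path below must
# appear verbatim as its own process argument; the list is a superset of the
# previous one (ECDSA/DSA SSH keys, kubeconfig, .netrc and .git-credentials added
# alongside the RSA/ed25519, AWS and Docker entries). Archiving a parent directory
# or passing relative paths is not covered by this list -- extend it if that
# coverage is wanted, and watch alert volume on /etc/hosts and /etc/passwd, which
# are also read by benign tooling.
query = '''
process where container.id: "*" and event.type == "start" and

/* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
(process.name: ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z"))

/* groups: SSH key material and trust files, shell history, cloud/CLI credentials, local account databases */
and process.args: (
  "/root/.ssh/id_rsa",
  "/root/.ssh/id_rsa.pub",
  "/root/.ssh/id_ed25519",
  "/root/.ssh/id_ed25519.pub",
  "/root/.ssh/id_ecdsa",
  "/root/.ssh/id_ecdsa.pub",
  "/root/.ssh/id_dsa",
  "/root/.ssh/id_dsa.pub",
  "/root/.ssh/authorized_keys",
  "/root/.ssh/authorized_keys2",
  "/root/.ssh/known_hosts",
  "/root/.bash_history",
  "/home/*/.ssh/id_rsa",
  "/home/*/.ssh/id_rsa.pub",
  "/home/*/.ssh/id_ed25519",
  "/home/*/.ssh/id_ed25519.pub",
  "/home/*/.ssh/id_ecdsa",
  "/home/*/.ssh/id_ecdsa.pub",
  "/home/*/.ssh/id_dsa",
  "/home/*/.ssh/id_dsa.pub",
  "/home/*/.ssh/authorized_keys",
  "/home/*/.ssh/authorized_keys2",
  "/home/*/.ssh/known_hosts",
  "/home/*/.bash_history",

  "/root/.aws/credentials",
  "/root/.aws/config",
  "/home/*/.aws/credentials",
  "/home/*/.aws/config",
  "/root/.docker/config.json",
  "/home/*/.docker/config.json",
  "/root/.kube/config",
  "/home/*/.kube/config",
  "/root/.netrc",
  "/home/*/.netrc",
  "/root/.git-credentials",
  "/home/*/.git-credentials",

  "/etc/hosts",
  "/etc/group",
  "/etc/passwd",
  "/etc/shadow",
  "/etc/gshadow")
'''

# ATT&CK mapping: one [[rule.threat]] entry per tactic, each with its technique
# and sub-technique. Order matches the "Tactic:" tags above.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"

[[rule.threat.technique.subtechnique]]
id = "T1560.001"
name = "Archive via Utility"
reference = "https://attack.mitre.org/techniques/T1560/001/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"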