Sensitive Files Compression Inside A Container

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/05/12"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5min_stack_comments = "New Integration: Cloud Defend"
 6min_stack_version = "8.8.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials
13and system configurations inside a container.
14"""
15from = "now-6m"
16index = ["logs-cloud_defend*"]
17interval = "5m"
18language = "eql"
19license = "Elastic License v2"
20name = "Sensitive Files Compression Inside A Container"
21risk_score = 47
22rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1"
23severity = "medium"
24tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where container.id: "*" and event.type== "start" and 
30
31/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/  
32(process.name: ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z"))
33and process.args: ( 
34"/root/.ssh/id_rsa", 
35"/root/.ssh/id_rsa.pub", 
36"/root/.ssh/id_ed25519", 
37"/root/.ssh/id_ed25519.pub", 
38"/root/.ssh/authorized_keys", 
39"/root/.ssh/authorized_keys2", 
40"/root/.ssh/known_hosts", 
41"/root/.bash_history", 
42"/etc/hosts", 
43"/home/*/.ssh/id_rsa", 
44"/home/*/.ssh/id_rsa.pub", 
45"/home/*/.ssh/id_ed25519",
46"/home/*/.ssh/id_ed25519.pub",
47"/home/*/.ssh/authorized_keys",
48"/home/*/.ssh/authorized_keys2",
49"/home/*/.ssh/known_hosts",
50"/home/*/.bash_history",
51"/root/.aws/credentials",
52"/root/.aws/config",
53"/home/*/.aws/credentials",
54"/home/*/.aws/config",
55"/root/.docker/config.json",
56"/home/*/.docker/config.json",
57"/etc/group",
58"/etc/passwd",
59"/etc/shadow",
60"/etc/gshadow")
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1552"
68name = "Unsecured Credentials"
69reference = "https://attack.mitre.org/techniques/T1552/"
70[[rule.threat.technique.subtechnique]]
71id = "T1552.001"
72name = "Credentials In Files"
73reference = "https://attack.mitre.org/techniques/T1552/001/"
74
75
76
77[rule.threat.tactic]
78id = "TA0006"
79name = "Credential Access"
80reference = "https://attack.mitre.org/tactics/TA0006/"
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1560"
85name = "Archive Collected Data"
86reference = "https://attack.mitre.org/techniques/T1560/"
87[[rule.threat.technique.subtechnique]]
88id = "T1560.001"
89name = "Archive via Utility"
90reference = "https://attack.mitre.org/techniques/T1560/001/"
91
92
93
94[rule.threat.tactic]
95id = "TA0009"
96name = "Collection"
97reference = "https://attack.mitre.org/tactics/TA0009/"
