Sensitive Keys Or Passwords Searched For Inside A Container
This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/05/12"
3integration = ["cloud_defend"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords
11inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container
12environment or facilitate a container breakout to the underlying host machine.
13"""
14from = "now-6m"
15index = ["logs-cloud_defend*"]
16interval = "5m"
17language = "eql"
18license = "Elastic License v2"
19name = "Sensitive Keys Or Passwords Searched For Inside A Container"
20references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
21risk_score = 47
22rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
23severity = "medium"
24tags = [
25 "Data Source: Elastic Defend for Containers",
26 "Domain: Container",
27 "OS: Linux",
28 "Use Case: Threat Detection",
29 "Tactic: Credential Access",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35process where container.id: "*" and event.type== "start" and
36((
37/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
38 (process.name in ("grep", "egrep", "fgrep") or process.args in ("grep", "egrep", "fgrep"))
39 and process.args : ("*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*",
40"*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", "*pass*", "*ssh*", "*user*")
41)
42or
43(
44/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
45 (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate"))
46 and process.args : ("*id_rsa*", "*id_dsa*")
47))
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1552"
55name = "Unsecured Credentials"
56reference = "https://attack.mitre.org/techniques/T1552/"
57[[rule.threat.technique.subtechnique]]
58id = "T1552.001"
59name = "Credentials In Files"
60reference = "https://attack.mitre.org/techniques/T1552/001/"
61
62
63
64[rule.threat.tactic]
65id = "TA0006"
66name = "Credential Access"
67reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- AWS Credentials Searched For Inside A Container
- Sensitive Files Compression Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container