Sensitive Keys Or Passwords Searched For Inside A Container
This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.
# Elastic prebuilt detection rule. [metadata] carries packaging information,
# [rule] holds the detection itself, and [[rule.threat]] maps it to MITRE ATT&CK.
[metadata]
creation_date = "2023/05/12"
# Data source: the Elastic Defend for Containers (cloud_defend) integration.
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
# Earliest Elastic Stack version this rule is shipped to.
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine."
# Scheduling: each run (every 5m) searches the previous 6m of data, so
# consecutive runs overlap by one minute.
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Sensitive Keys Or Passwords Searched For Inside A Container"
tags = [
  "Data Source: Elastic Defend for Containers",
  "Domain: Container",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
]
references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
risk_score = 47
rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
severity = "medium"
# Schedule on ingest time rather than event time so events that arrive late
# are still seen by the 6-minute window.
timestamp_override = "event.ingested"
type = "eql"

# Matches process-start events that carry a container.id and satisfy one of
# two branches:
#   1. grep/egrep/fgrep (as process.name, or as an argument of a wrapper that
#      spawns it) with an argument matching a PEM private-key header or one of
#      the substrings *pass*, *ssh*, *user*;
#   2. find/locate/mlocate (same two forms) with an argument matching
#      *id_rsa* or *id_dsa*.
# NOTE(review): *pass*, *ssh* and *user* are broad substrings and may also
# match routine searches; prefer rule exceptions for known benign callers
# over narrowing the patterns.
query = """
process where container.id: "*" and event.type== "start" and
((
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
 (process.name in ("grep", "egrep", "fgrep") or process.args in ("grep", "egrep", "fgrep"))
 and process.args : ("*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*",
"*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", "*pass*", "*ssh*", "*user*")
)
or
(
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
 (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate"))
 and process.args : ("*id_rsa*", "*id_dsa*")
))
"""

# ATT&CK mapping: Credential Access via Unsecured Credentials / Credentials In Files.
[[rule.threat]]
framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0006"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 name = "Credential Access"

 [[rule.threat.technique]]
 id = "T1552"
 reference = "https://attack.mitre.org/techniques/T1552/"
 name = "Unsecured Credentials"

 [[rule.threat.technique.subtechnique]]
 id = "T1552.001"
 reference = "https://attack.mitre.org/techniques/T1552/001/"
 name = "Credentials In Files"
References
Related rules
- Sensitive Files Compression Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container