Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers

This rule detects the creation, execution, and deletion of files inside a container, a common technique used by attackers to evade detection.

Elastic rule

[metadata]
creation_date = "2026/03/05"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/05"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation, execution, and deletion of files inside a container, a common
technique used by attackers to evade detection.
"""
from = "now-6m"
index = ["logs-cloud_defend.process*", "logs-cloud_defend.file*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers

This detection flags a rapid sequence inside a container where a file is written to a common transient or user-writable location, executed, then deleted shortly after—an evasion pattern meant to minimize on-disk artifacts and frustrate forensic review. Attackers often use a shell to pull a payload with common transfer utilities into `/tmp` or shared memory, run it immediately for credential theft or lateral movement, and then remove it to blend back into normal container churn.

### Possible investigation steps

- Pivot on the container to review the full process tree and preceding commands around the sequence to determine how the payload was introduced (interactive shell, entrypoint, cron, CI job, or exploited service) and what else executed nearby in time.
- Retrieve the file content if still present or recover it from container runtime logs/snapshots/registry layers, then compute hashes and run static/dynamic analysis to identify malware family, network indicators, and persistence or credential-access behavior.
- Review outbound network connections from the container during the same window to identify download sources, callback infrastructure, and any subsequent lateral movement attempts to internal services.
- Check whether the container or pod is running with elevated privileges (host mounts, privileged mode, sensitive service account tokens, or access to Docker/CRI sockets) to assess host-escape risk and scope potential impact beyond the container.
- Validate legitimacy by correlating with recent deploys/build steps and expected package/install activity, and if suspicious, isolate the workload and rotate any exposed secrets or tokens used by the container.

### False positive analysis

- A container entrypoint or bootstrap script downloads a small helper or configuration artifact into `/tmp` (or similar), executes it via a shell to perform initialization checks or configuration, and then deletes it immediately to keep the runtime filesystem clean.
- A build/test step running inside a container fetches transient binaries or linkable objects (e.g., via `curl`/`wget`/`scp` or `ld`) into writable paths like `/tmp` or `/opt`, executes them as part of compilation or validation, and removes them as part of routine cleanup.

### Response and remediation

- Quarantine the affected pod or container by isolating it from the network and scaling it to zero or killing the container while preserving a copy of the writable layer and runtime logs for forensic analysis.
- Identify and block the download and command-and-control endpoints used by the transfer utility (for example the `curl`/`wget` URL or `scp` destination) at egress controls, then search for the same indicator across other workloads and nodes to find additional compromised containers.
- Eradicate by rebuilding and redeploying the workload from a known-good image and clean source, removing any unauthorized startup scripts or injected binaries in paths like `/tmp`, `/dev/shm`, `/var/tmp`, `/root`, or `/opt`.
- Rotate and revoke any credentials the container could access such as Kubernetes service account tokens, API keys, registry credentials, and mounted secrets, and invalidate sessions if the executed payload could have harvested them.
- Escalate to incident response immediately if the workload was privileged, had hostPath mounts or container runtime socket access, touched `/proc/*/fd/*`, or showed signs of data access or lateral movement to internal services.
- Harden by enforcing least privilege and runtime controls such as read-only root filesystems, no shell or download tools in production images, restricted egress allowlists, and admission policies that block privileged pods and sensitive host mounts.
"""
references = [
    "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware",
]
risk_score = 73
rule_id = "1dc56174-5d02-4ca4-af92-e391f096fb21"
severity = "high"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by container.id, user.id with maxspan=10s
  [file where event.action == "creation" and (
     process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") or
     (
       process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
       process.args in (
         "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl",
         "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget",
         "fetch", "/bin/fetch", "/usr/bin/fetch", "/usr/local/bin/fetch",
         "ftp", "/bin/ftp", "/usr/bin/ftp", "/usr/local/bin/ftp",
         "sftp", "/bin/sftp", "/usr/bin/sftp", "/usr/local/bin/sftp",
         "scp", "/bin/scp", "/usr/bin/scp", "/usr/local/bin/scp",
         "rsync", "/bin/rsync", "/usr/bin/rsync", "/usr/local/bin/rsync",
         "ld", "/bin/ld", "/usr/bin/ld", "/usr/local/bin/ld"
       ) and
       /* default exclusion list to not FP on default multi-process commands */
       not process.args in (
         "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
         "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
         "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
         "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
       )
     )
   ) and file.path like (
     "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*",
     "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*"
   )
  ] by file.name
  [process where event.type == "start" and event.action == "exec" and
   process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox")
  ] by process.name
  [file where event.action == "deletion" and file.path like (
     "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*",
     "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*"
    ) and not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch")
  ] by file.name
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"

[[rule.threat.technique.subtechnique]]
id = "T1070.004"
name = "File Deletion"
reference = "https://attack.mitre.org/techniques/T1070/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
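To make the three-stage sequence above concrete, here is an added Python model of the rule's logic (not Elastic's code) replayed over constructed events: it keys on container.id/user.id, enforces the 10-second maxspan, joins the created file.name to the exec's process.name and back to the deleted file.name, and applies the same path globs and exclusion lists. The event dictionaries and field names (`proc`, `parent`, `file_path`, ...) are simplified stand-ins for the ECS fields the EQL references.

```python
from fnmatch import fnmatch

TOOLS = {"curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld"}
SHELLS = {"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
ARG_EXCL = {"which", "man", "chmod", "chown"}  # benign multi-process commands the rule excludes
DEL_EXCL = {"rm", "ld", "conftest", "link", "gcc", "getarch"}
PATHS = ["/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*",
         "/var/www/*", "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*"]
MAXSPAN = 10.0  # seconds, as in `with maxspan=10s`

def watched(path):
    return any(fnmatch(path, p) for p in PATHS)

def is_ingress_creation(e):
    if e["category"] != "file" or e["action"] != "creation" or not watched(e["file_path"]):
        return False
    args = {a.rsplit("/", 1)[-1] for a in e.get("args", ())}  # "/usr/bin/curl" counts as "curl"
    return e["proc"] in TOOLS or (e["proc"] in SHELLS and bool(args & TOOLS) and not args & ARG_EXCL)

def is_exec(e, name):  # `by process.name` joins the exec back to the created file.name
    return (e["category"], e["action"]) == ("process", "exec") and e.get("parent") in SHELLS and e["proc"] == name

def is_deletion(e, name):
    return (e["category"] == "file" and e["action"] == "deletion" and e["file_name"] == name
            and watched(e["file_path"]) and e["proc"] not in DEL_EXCL)

def find_sequences(events):  # simplified model of the EQL; returns (container, user, file_name) per hit
    hits, events = [], sorted(events, key=lambda e: e["ts"])
    for i, first in enumerate(events):
        if not is_ingress_creation(first):
            continue
        key, name = (first["container"], first["user"]), first["file_name"]
        window = [e for e in events[i + 1:]  # same container.id/user.id, within maxspan
                  if (e["container"], e["user"]) == key and e["ts"] - first["ts"] <= MAXSPAN]
        execd = next((j for j, e in enumerate(window) if is_exec(e, name)), None)
        if execd is not None and any(is_deletion(e, name) for e in window[execd + 1:]):
            hits.append((*key, name))
    return hits

def ev(ts, category, action, proc, **extra):  # constructed event; keys mirror the ECS fields used
    return {"ts": ts, "category": category, "action": action, "proc": proc, "container": "c1", "user": "0", **extra}

SAMPLE = [  # constructed: a curl -> exec -> self-delete chain, then a benign wget -> exec -> rm cleanup
    ev(0.0, "file", "creation", "curl", file_path="/tmp/x", file_name="x"),
    ev(1.0, "process", "exec", "x", parent="bash"),
    ev(2.0, "file", "deletion", "x", file_path="/tmp/x", file_name="x"),
    ev(5.0, "file", "creation", "wget", file_path="/tmp/setup.sh", file_name="setup.sh"),
    ev(6.0, "process", "exec", "setup.sh", parent="sh"),
    ev(7.0, "file", "deletion", "rm", file_path="/tmp/setup.sh", file_name="setup.sh"),
]
```

Only the first chain fires: the second is dropped because the deletion is performed by `rm`, which the rule's last stage excludes, and shifting the deletion outside the 10-second window drops the first chain as well.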

