Suspicious Interactive Process Execution Detected via Defend for Containers
This rule detects the execution of an interactive process from a suspicious directory inside a container. The suspicious directories are /tmp, /dev/shm, /var/tmp, /run, /var/run, /mnt, /media, and /boot. Adversaries may use these directories to execute malicious code or exfiltrate data.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/02/06"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/02/06"

[rule]
author = ["Elastic"]
description = """
This rule detects the execution of an interactive process from a suspicious directory inside a container.
The suspicious directories are /tmp, /dev/shm, /var/tmp, /run, /var/run, /mnt, /media, and /boot.
Adversaries may use these directories to execute malicious code or exfiltrate data.
"""
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Suspicious Interactive Process Execution Detected via Defend for Containers"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Interactive Process Execution Detected via Defend for Containers

This alert flags an interactive program launched inside a container from transient or low-trust locations such as tmpfs-backed or runtime directories, common staging points for hands-on misuse, data theft, or persistence that avoids the image filesystem. A frequent pattern is an attacker gaining a shell via kubectl exec, fetching a static reverse shell or tunneling tool into /dev/shm or /tmp, and running it interactively to pivot or siphon data. Such behavior signals live operator control and attempts to evade forensics and policy controls.

### Possible investigation steps

- Pivot to Kubernetes API server audit logs to find pod/exec or attach events around the alert and map them to the initiating user, source IP, and service account.
- Determine if the binary or script was introduced post-deploy by listing transient directories in the container and comparing artifacts against the image layers or build manifest.
- Review process lineage and TTY/PTY session details to confirm an interactive shell and identify the parent or invocation method, such as a shell or reverse-shell stager.
- Capture live network activity from the container to spot external callbacks, tunnels, or exfil destinations, and isolate the pod if suspicious connections are present.
- Assess the pod’s service account, RBAC permissions, and security context for elevated privileges or host namespace access to gauge impact and prioritize containment.

### False positive analysis

- An engineer performing authorized troubleshooting opens an interactive shell and runs a known diagnostic binary staged in /tmp or /dev/shm to avoid altering the image, leading to an interactive exec from a transient path.
- A mounted volume under /mnt or /media holds legitimate utilities, and an authorized user starts one interactively for maintenance or configuration, triggering the rule despite expected operations.

### Response and remediation

- Immediately contain by applying a deny-all egress NetworkPolicy to the affected pod, killing the interactive process whose executable resides under /tmp, /dev/shm, /var/tmp, /run, /var/run, /mnt, /media, or /boot, and blocking further kubectl exec/attach to it.
- Eradicate by terminating and redeploying the pod from a trusted image, scanning and cleaning any mounted volumes under /mnt or /media, and removing staged binaries or scripts found in transient paths like /tmp, /var/tmp, /run, and /var/run.
- Recover by rotating credentials the pod could access (service account token, mounted secrets, API keys), validating application behavior post-redeploy, and restoring network access only to approved destinations.
- Escalate to incident response immediately if you observe a shell or tunneling tool launched from /tmp or /dev/shm, evidence of exfiltration via outbound connections, privileged or hostPID/hostNetwork settings, or writes touching /boot.
- Harden by disabling kubectl exec for production workloads, enforcing readOnlyRootFilesystem with seccomp and AppArmor, mounting /tmp and /dev/shm with noexec,nodev,nosuid, and using admission policy to allowlist executable paths and deny interactive TTYs."""
risk_score = 73
rule_id = "279e272a-91d9-4780-878c-bfcac76e6e31"
severity = "high"
tags = [
  "Data Source: Elastic Defend for Containers",
  "Domain: Container",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Tactic: Execution",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and event.action == "exec" and process.interactive == true and
process.executable like (
  "/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*", "/var/run/*", "/mnt/*", "/media/*", "/boot/*"
) and container.id like "?*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat.technique]]
name = "Reflective Code Loading"
id = "T1620"
reference = "https://attack.mitre.org/techniques/T1620/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
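The rule's EQL predicate, re-implemented in Python and run over constructed ECS-style process events so that each clause can be seen accepting or rejecting a near miss. This is an added example, not Elastic's code: the events are made up, the field names are the ones the query itself uses (`event.type`, `event.action`, `process.interactive`, `process.executable`, `container.id`), and flat dotted-key dicts stand in for the nested documents the integration actually ships.

```python
"""Re-implementation of the rule's EQL predicate over constructed events.
Added example; not Elastic code."""
import re

# Paths from the rule's query. EQL `like` wildcards: `*` matches any run of
# characters (including `/`), `?` matches exactly one character.
SUSPICIOUS_DIRS = (
    "/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*",
    "/var/run/*", "/mnt/*", "/media/*", "/boot/*",
)


def eql_like(value, pattern):
    """Case-sensitive EQL `like`: translate the wildcard pattern to an anchored regex."""
    if not isinstance(value, str):
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def field_eq(event, field, expected):
    """EQL `==` against a field that may hold a scalar or an array
    (event.type is commonly an array in ECS documents)."""
    value = event.get(field)
    if isinstance(value, list):
        return expected in value
    return value == expected


def matches_rule(event):
    """True when the event satisfies every clause of the rule's EQL query."""
    executable = event.get("process.executable")
    return (
        field_eq(event, "event.type", "start")
        and field_eq(event, "event.action", "exec")
        and event.get("process.interactive") is True
        and any(eql_like(executable, p) for p in SUSPICIOUS_DIRS)
        and eql_like(event.get("container.id"), "?*")  # any non-empty container.id
    )


def run_rule(events):
    """Return process.executable for every event that would raise this alert."""
    return [e["process.executable"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); container ids and paths are made up.
SAMPLE_EVENTS = [
    # 1: interactive exec of a tool staged in /dev/shm inside a container -> alert
    {"event.type": ["start"], "event.action": "exec", "process.interactive": True,
     "process.executable": "/dev/shm/.cache/tunnel", "container.id": "3f1c9a7b2e4d"},
    # 2: same binary but no controlling TTY -> no alert (process.interactive is false)
    {"event.type": ["start"], "event.action": "exec", "process.interactive": False,
     "process.executable": "/dev/shm/.cache/tunnel", "container.id": "3f1c9a7b2e4d"},
    # 3: interactive shell from the image filesystem -> no alert
    {"event.type": ["start"], "event.action": "exec", "process.interactive": True,
     "process.executable": "/bin/bash", "container.id": "3f1c9a7b2e4d"},
    # 4: interactive exec from /tmp on the host itself (no container.id) -> no alert
    {"event.type": ["start"], "event.action": "exec", "process.interactive": True,
     "process.executable": "/tmp/diag"},
    # 5: fork rather than exec -> no alert
    {"event.type": ["start"], "event.action": "fork", "process.interactive": True,
     "process.executable": "/tmp/diag", "container.id": "3f1c9a7b2e4d"},
    # 6: directory name that merely starts with "tmp" -> no alert, the pattern requires "/tmp/"
    {"event.type": ["start"], "event.action": "exec", "process.interactive": True,
     "process.executable": "/tmpdata/diag", "container.id": "3f1c9a7b2e4d"},
    # 7: nested path under /var/run; `*` spans "/" so subdirectories still match -> alert
    {"event.type": ["start"], "event.action": "exec", "process.interactive": True,
     "process.executable": "/var/run/.s/sh", "container.id": "9e2b44c0d1aa"},
]

if __name__ == "__main__":
    for path in run_rule(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Three properties of the query are worth keeping in mind when tuning it: `like` is case-sensitive and its `*` crosses directory separators, so anything nested under a listed directory matches; `container.id like "?*"` only requires a non-empty id, which is what scopes the rule to containers; and `process.interactive == true` means a staged binary launched non-interactively (from a script or a cron-style loop, with no controlling TTY) is outside this rule's coverage and has to be caught by a sibling rule.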
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Suspicious Interactive Process Execution Detected via Defend for Containers
This alert flags an interactive program launched inside a container from transient or low-trust locations such as tmpfs-backed or runtime directories, common staging points for hands-on misuse, data theft, or persistence that avoids the image filesystem. A frequent pattern is an attacker gaining a shell via kubectl exec, fetching a static reverse shell or tunneling tool into /dev/shm or /tmp, and running it interactively to pivot or siphon data. Such behavior signals live operator control and attempts to evade forensics and policy controls.
Possible investigation steps
- Pivot to Kubernetes API server audit logs to find pod/exec or attach events around the alert and map them to the initiating user, source IP, and service account.
- Determine if the binary or script was introduced post-deploy by listing transient directories in the container and comparing artifacts against the image layers or build manifest.
- Review process lineage and TTY/PTY session details to confirm an interactive shell and identify the parent or invocation method, such as a shell or reverse-shell stager.
- Capture live network activity from the container to spot external callbacks, tunnels, or exfil destinations, and isolate the pod if suspicious connections are present.
- Assess the pod’s service account, RBAC permissions, and security context for elevated privileges or host namespace access to gauge impact and prioritize containment.
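The first investigation step above, the pivot from the alert to API server audit logs, as an added example that is not part of the original guide or Elastic's code. It reads constructed `audit.k8s.io/v1` events, keeps only `pods/exec` and `pods/attach` requests against the alerted pod inside a window around the alert time, collapses the two audit stages of one request into a single session, and reports the requesting user, whether that user is a service account, and the source IPs. The pod name, namespace and alert time are taken as inputs; the exact ECS field names that carry them in the alert depend on the integration's mapping, so they are assumed rather than read here.

```python
"""Pivot from a Defend for Containers alert to Kubernetes API server audit
events for pods/exec and pods/attach on the alerted pod.
Added example, not Elastic code; the audit lines below are constructed."""
import json
from datetime import datetime, timedelta

# Constructed audit.k8s.io/v1 events (user names, IPs, pod names and auditIDs are made up).
# One exec request normally appears twice, once per audit stage, under the same auditID.
AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"dev-alice","groups":["system:authenticated"]},"sourceIPs":["10.20.30.40"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7c9d-x1"},"requestReceivedTimestamp":"2026-02-06T10:14:02.100000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-alice"},"sourceIPs":["10.20.30.40"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7c9d-x1"},"requestReceivedTimestamp":"2026-02-06T10:14:02.100000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"dev-alice"},"sourceIPs":["10.20.30.40"],"objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9d-x1"},"requestReceivedTimestamp":"2026-02-06T10:13:55.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"pods","subresource":"attach","namespace":"payments","name":"api-7c9d-x1"},"requestReceivedTimestamp":"2026-02-06T09:20:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"dev-bob"},"sourceIPs":["10.20.30.41"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"billing","name":"worker-2"},"requestReceivedTimestamp":"2026-02-06T10:15:00.000000Z"}
"""


def _ts(s):
    """Parse the audit log's RFC 3339 timestamps (trailing Z) into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_exec_sessions(audit_log, namespace, pod, alert_time,
                       before_minutes=15, after_minutes=5):
    """Interactive session requests (exec/attach) against `pod` in a window
    around `alert_time` (RFC 3339 string), one entry per auditID, oldest first."""
    start = _ts(alert_time) - timedelta(minutes=before_minutes)
    end = _ts(alert_time) + timedelta(minutes=after_minutes)
    seen, sessions = set(), []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") not in ("exec", "attach"):
            continue  # not an interactive session request
        if ref.get("namespace") != namespace or ref.get("name") != pod:
            continue  # different workload
        when = _ts(ev["requestReceivedTimestamp"])
        if not (start <= when <= end) or ev["auditID"] in seen:
            continue  # outside the window, or the second stage of a request already recorded
        seen.add(ev["auditID"])
        user = (ev.get("user") or {}).get("username", "")
        sessions.append({
            "auditID": ev["auditID"],
            "time": when.isoformat(),
            "subresource": ref["subresource"],
            "user": user,
            "service_account": user.startswith("system:serviceaccount:"),
            "source_ips": ev.get("sourceIPs", []),
        })
    sessions.sort(key=lambda s: s["time"])
    return sessions


if __name__ == "__main__":
    # Pod identity and alert time would come from the alert document (assumed values here).
    for s in find_exec_sessions(AUDIT_LOG, "payments", "api-7c9d-x1", "2026-02-06T10:14:30Z"):
        print(s)
```

The default window is deliberately asymmetric: an operator who staged and ran the tool will usually have opened the exec session minutes before the interactive start event, while sessions after the alert are of interest only for a short tail. Widening `before_minutes` is how you pick up earlier `attach` sessions such as the service-account one in the sample, which is what makes the "map to service account" part of the step possible.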
False positive analysis
- An engineer performing authorized troubleshooting opens an interactive shell and runs a known diagnostic binary staged in /tmp or /dev/shm to avoid altering the image, leading to an interactive exec from a transient path.
- A mounted volume under /mnt or /media holds legitimate utilities, and an authorized user starts one interactively for maintenance or configuration, triggering the rule despite expected operations.
Response and remediation
- Immediately contain by applying a deny-all egress NetworkPolicy to the affected pod, killing the interactive process whose executable resides under /tmp, /dev/shm, /var/tmp, /run, /var/run, /mnt, /media, or /boot, and blocking further kubectl exec/attach to it.
- Eradicate by terminating and redeploying the pod from a trusted image, scanning and cleaning any mounted volumes under /mnt or /media, and removing staged binaries or scripts found in transient paths like /tmp, /var/tmp, /run, and /var/run.
- Recover by rotating credentials the pod could access (service account token, mounted secrets, API keys), validating application behavior post-redeploy, and restoring network access only to approved destinations.
- Escalate to incident response immediately if you observe a shell or tunneling tool launched from /tmp or /dev/shm, evidence of exfiltration via outbound connections, privileged or hostPID/hostNetwork settings, or writes touching /boot.
- Harden by disabling kubectl exec for production workloads, enforcing readOnlyRootFilesystem with seccomp and AppArmor, mounting /tmp and /dev/shm with noexec,nodev,nosuid, and using admission policy to allowlist executable paths and deny interactive TTYs.
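A single checklist that serves two of the steps above: the triage step that assesses the pod's security context for elevated privileges and host namespace access, and the hardening step (readOnlyRootFilesystem, seccomp, no interactive TTYs). This is an added example, not Elastic's code and not a Kubernetes API: it walks a Pod manifest as returned by `kubectl get pod -o json`, reports each missing control, and separately flags the conditions the guide says warrant immediate escalation. The two manifests are constructed; the image name and pod name are made up.

```python
"""Check a Pod manifest (dict from `kubectl get pod -o json`) for the privilege
and hardening settings the guide lists.
Added example, not Elastic code; the manifests below are constructed."""


def container_findings(c, pod_seccomp):
    """Findings for one container; pod_seccomp is the pod-level seccompProfile, if any."""
    name, sc = c.get("name", "?"), c.get("securityContext") or {}
    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: writable root filesystem (set readOnlyRootFilesystem: true)")
    seccomp = (sc.get("seccompProfile") or pod_seccomp or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: no seccomp profile (set seccompProfile.type: RuntimeDefault)")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        findings.append(f"{name}: capabilities not dropped (add capabilities.drop: [ALL])")
    if c.get("tty") or c.get("stdin"):
        findings.append(f"{name}: tty/stdin enabled, the container is built for interactive use")
    return findings


def audit_pod(pod):
    """Return human-readable findings; an empty list means the checklist passes."""
    spec = pod.get("spec") or {}
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} enabled (host namespace access)")
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: service account token is auto-mounted")
    pod_seccomp = (spec.get("securityContext") or {}).get("seccompProfile")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings.extend(container_findings(c, pod_seccomp))
    return findings


def needs_escalation(pod):
    """True for the settings the guide names as immediate escalation triggers:
    a privileged container, or the host PID or network namespace."""
    spec = pod.get("spec") or {}
    privileged = any((c.get("securityContext") or {}).get("privileged")
                     for c in spec.get("containers") or [])
    return bool(privileged or spec.get("hostPID") or spec.get("hostNetwork"))


# Constructed manifests: one that fails most checks, one that passes all of them.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api-7c9d-x1", "namespace": "payments"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "app", "image": "registry.example/api:1.2",
                        "tty": True, "stdin": True,
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api-7c9d-x1", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "registry.example/api:1.2",
                        "securityContext": {"readOnlyRootFilesystem": True,
                                            "allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "ESCALATE" if needs_escalation(pod) else "ok")
        for f in audit_pod(pod):
            print("  -", f)
```

Controls in the hardening step that do not live in the Pod manifest are out of scope for this check and need their own verification: the RBAC rules that grant `pods/exec` and `pods/attach`, AppArmor profile enforcement on the node, the `noexec,nodev,nosuid` options on the tmpfs mounts, and the admission policy that rejects `tty: true`. Note also that a `noexec` mount causes the `execve` itself to fail, so the hardening removes the process start event rather than producing one for this rule to match.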
Related rules
- Encoded Payload Detected via Defend for Containers
- System Path File Creation and Execution Detected via Defend for Containers
- File Execution Permission Modification Detected via Defend for Containers
- File Creation and Execution Detected via Defend for Containers
- File Download Detected via Defend for Containers