Suspicious Network Tool Launched Inside A Container

This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.


 1[metadata]
 2creation_date = "2023/04/26"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5min_stack_comments = "New Integration: Cloud Defend"
 6min_stack_version = "8.8.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container."
12false_positives = ["""
13  There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
14  """]
15from = "now-6m"
16index = ["logs-cloud_defend*"]
17interval = "5m"
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious Network Tool Launched Inside A Container"
21tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"]
22risk_score = 47
23rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50"
24severity = "medium"
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = """
29process where container.id: "*" and event.type== "start" and 
30(
31(process.name: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) or 
32/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
33(process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab"))
34)
35"""
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40  [rule.threat.tactic]
41  id = "TA0007"
42  reference = "https://attack.mitre.org/tactics/TA0007/"
43  name = "Discovery"
44
45  [[rule.threat.technique]]
46  id = "T1046"
47  reference = "https://attack.mitre.org/techniques/T1046/"
48  name = "Network Service Discovery"
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52
53  [rule.threat.tactic]
54  id = "TA0011"
55  reference = "https://attack.mitre.org/tactics/TA0011/"
56  name = "Command and Control"
57
58  [[rule.threat.technique]]
59  id = "T1105"
60  reference = "https://attack.mitre.org/techniques/T1105/"
61  name = "Ingress Tool Transfer"
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65
66  [rule.threat.tactic]
67  id = "TA0043"
68  reference = "https://attack.mitre.org/tactics/TA0043/"
69  name = "Reconnaissance"
70
71  [[rule.threat.technique]]
72  id = "T1595"
73  reference = "https://attack.mitre.org/techniques/T1595/"
74  name = "Active Scanning"
