Suspicious Network Tool Launched Inside A Container
This rule detects commonly abused network utilities running inside a container. Utilities such as nc, ncat, nmap, dig, nslookup, tcpdump, tshark, ngrep, telnet, mitmproxy, socat, zmap, masscan and zgrab can be used for network reconnaissance, traffic monitoring, or exploitation, and their execution inside a container should be monitored closely. The query matches a listed utility either as the process name or as an exact argument of another process (for example "timeout 30 nmap -sT 10.0.0.0/24"), so a wrapper does not hide the tool. Two limits follow from the same logic: a renamed binary is not matched at all, and a command passed as a single quoted string (for example sh -c "nc -l 4444") is matched only when the utility itself starts as a child process. Because the argument clause is an exact token match, benign invocations such as "which nc" or "apt-get install nmap" also fire and are the main source of false positives.
Elastic rule
[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig,
tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring,
or exploitation, and should be monitored closely within a container.
"""
false_positives = [
    """
    There is a potential for false positives if the container is used for legitimate tasks that require the use of
    network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any
    alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate
    container activity.
    """,
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Suspicious Network Tool Launched Inside A Container"
risk_score = 47
rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50"
severity = "medium"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Command and Control",
    "Tactic: Reconnaissance",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id: "*" and event.type== "start" and
(
(process.name: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) or
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab"))
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"


[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
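To make the query's semantics concrete, the following Python re-implements the rule's matching logic and runs it over a handful of constructed ECS-shaped process events. This is an added example, not Elastic's EQL engine and not code from the detection-rules repository; the event documents, container ID and helper names are made up for illustration. It shows which shapes of invocation the rule catches (direct execution, a wrapper that passes the tool name as an argument, a case-different binary name), which it does not (no container.id, a process end event, a renamed binary, a tool embedded in a single sh -c string), and the exact-argument false positive ("which nc").

```python
"""Re-implementation of the rule's EQL match logic over constructed sample events.

Added example: not Elastic's EQL engine or detection-rules code. Events are
minimal ECS-shaped dicts mirroring the fields the query reads (container.id,
event.type, process.name, process.args); all sample values are made up.
"""

# Tool list copied verbatim from the rule's query.
NETWORK_TOOLS = (
    "nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep",
    "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab",
)


def get_field(event, path):
    """Resolve a dotted ECS field name against a nested event dict."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_list(value):
    """ECS fields such as event.type and process.args may be scalar or array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def eql_colon(value, pattern):
    """EQL ':' on a keyword field: case-insensitive, '*' is a wildcard.

    A missing or empty value never matches, so container.id: "*" behaves as
    "the field is present and non-empty".
    """
    if value is None or value == "":
        return False
    v, p = str(value).lower(), pattern.lower()
    if "*" not in p:
        return v == p
    head, *middle, tail = p.split("*")
    if len(v) < len(head) + len(tail) or not (v.startswith(head) and v.endswith(tail)):
        return False
    pos, limit = len(head), len(v) - len(tail)
    for chunk in middle:  # each middle chunk must appear in order before the tail
        idx = v.find(chunk, pos)
        if idx < 0 or idx + len(chunk) > limit:
            return False
        pos = idx + len(chunk)
    return True


def rule_matches(event):
    """True when the event would satisfy the rule's query."""
    # process where container.id: "*" and event.type == "start" and ( ... )
    if not eql_colon(get_field(event, "container.id"), "*"):
        return False
    if "start" not in as_list(get_field(event, "event.type")):
        return False
    name = get_field(event, "process.name")
    name_hit = any(eql_colon(name, tool) for tool in NETWORK_TOOLS)
    # Exact token match per argument: "nmap" matches, "nc -l 4444" does not.
    args = as_list(get_field(event, "process.args"))
    args_hit = any(eql_colon(arg, tool) for arg in args for tool in NETWORK_TOOLS)
    return name_hit or args_hit


def make_event(name, args, container_id="9f1c0e2a7b3d", event_type="start"):
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    event = {
        "event": {"category": ["process"], "type": [event_type]},
        "process": {"name": name, "args": args},
    }
    if container_id is not None:  # host process: no container.id field at all
        event["container"] = {"id": container_id}
    return event


# Constructed samples covering the rule's hits, misses and a benign false positive.
SAMPLE_EVENTS = {
    "nc listener": make_event("nc", ["nc", "-lvp", "4444"]),
    "nmap via timeout wrapper": make_event("timeout", ["timeout", "30", "nmap", "-sT", "10.0.0.0/24"]),
    "nc inside sh -c string": make_event("sh", ["sh", "-c", "nc -l 4444"]),
    "which nc (benign)": make_event("which", ["which", "nc"]),
    "nc on host, no container": make_event("nc", ["nc", "-lvp", "4444"], container_id=None),
    "renamed nc binary": make_event(".x", ["/tmp/.x", "-lvp", "4444"]),
    "nc process exit": make_event("nc", ["nc", "-lvp", "4444"], event_type="end"),
    "DIG uppercase name": make_event("DIG", ["DIG", "example.com"]),
}


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample label to whether the rule would alert on it."""
    return {label: rule_matches(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {label}")
```

The "nc inside sh -c string" case is the one to keep in mind when tuning: the wrapper's own start event does not match, and coverage depends on the child nc start event being captured, which the rule will then see as a plain "nc listener". The "which nc" case is why an exception list keyed on the parent process or the full command line, rather than on the tool name alone, is the usual way to cut noise without losing the wrapper detection.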
Related rules
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container