Container Management Utility Execution Detected via Defend for Containers
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects when a container management binary is run from inside a container. These binaries are critical
components of many containerized environments, and their presence and execution in unauthorized containers could
indicate compromise or a misconfiguration.
"""
false_positives = [
    """
    There is a potential for false positives if the container is used for legitimate administrative tasks that require
    the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
    important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
    or part of legitimate container activity.
    """,
]
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Container Management Utility Execution Detected via Defend for Containers"
note = """## Setup

## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Container Management Utility Execution Detected via Defend for Containers

Container management utilities such as dockerd, containerd, kubelet, kube-proxy, kubectl and crictl orchestrate containerized workloads: they deploy, scale, and network containers. They belong on the node, not inside an application container, so an interactive invocation from within a container is either an operator performing administration from an unexpected place or an adversary who has found a way to drive the container runtime or the cluster from a foothold (ATT&CK T1609, Container Administration Command). The rule matches interactive `exec` events that carry a container ID where the process is one of these binaries, or a shell that receives one of them as an argument, and it excludes the process trees the container runtime itself creates (`/sbin/init`, `dockerd`, `runc init`, `containerd-shim-runc-v2`).

### Possible investigation steps

- Review the container ID in the alert and resolve it to its image, pod, namespace and node to determine the container's purpose and who deployed it.
- Examine `process.name`, `process.args` and `process.parent.executable` to establish what was run, whether the binary was invoked directly or through a shell, and whether the parent is an interactive shell from an exec session rather than a runtime component.
- Check the user and permissions associated with the process to assess whether they align with expected roles and access levels for container management tasks.
- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility in the image.
- Analyze network activity associated with the container, in particular connections to the kubelet or the API server, to detect unusual connections or data transfers that might indicate malicious activity.
- Correlate the event with other security alerts or logs (for example the related interactive exec and shell spawn rules) to identify patterns or related incidents that provide additional context or evidence of compromise.

### False positive analysis

- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjusting the rule to focus on production environments only.
- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.

### Response and remediation

- Isolate the affected container to prevent further unauthorized access or command execution. Prefer disconnecting it from the network or pausing it over stopping it outright, and capture the process list, open connections and filesystem changes first, because stopping the container discards that volatile evidence.
- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
- Remove any unauthorized or suspicious binaries and scripts from the container image to prevent further exploitation.
- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment."""
risk_score = 21
rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  process.name in ("dockerd", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") or
  (
    /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
    process.args in (
      "dockerd", "/bin/dockerd", "/usr/bin/dockerd", "/usr/local/bin/dockerd",
      "kubelet", "/bin/kubelet", "/usr/bin/kubelet", "/usr/local/bin/kubelet",
      "kube-proxy", "/bin/kube-proxy", "/usr/bin/kube-proxy", "/usr/local/bin/kube-proxy",
      "kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl",
      "containerd", "/bin/containerd", "/usr/bin/containerd", "/usr/local/bin/containerd",
      "systemd", "/bin/systemd", "/usr/bin/systemd", "/usr/local/bin/systemd",
      "crictl", "/bin/crictl", "/usr/bin/crictl", "/usr/local/bin/crictl"
    ) and
    /* default exclusion list to not FP on default multi-process commands */
    not process.args in (
      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )
) and
process.interactive == true and container.id like "*" and
not (
  process.parent.executable in ("/sbin/init", "/usr/bin/dockerd", "/usr/bin/runc", "/usr/bin/containerd-shim-runc-v2") or
  process.working_directory == "/aws" or
  (process.parent.args == "init" and process.parent.args == "runc") or
  (process.parent.name == "busybox" and process.name == "kubectl")
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
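To see what each clause of the query actually does, here is an added Python re-implementation of the rule's logic (written for this page, not Elastic's code) run over six constructed process events. The events, container ID and file paths are made up for the example and are not real Defend for Containers telemetry; they exercise the direct-execution branch, the shell-wrapper branch, the benign-argument exclusion, the `process.interactive` requirement, the `runc init` parent exclusion and the host-process case. One subtlety the code makes explicit: EQL compares an array field element-wise, so `process.parent.args == "init" and process.parent.args == "runc"` means the parent's argument list contains both tokens, not that one value equals two strings.

```python
# Added example (not the rule's own code): the rule's EQL logic as plain Python,
# evaluated over constructed sample events. Field names follow the query (ECS).

MGMT_BINARIES = {"dockerd", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl"}
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
PREFIXES = ("", "/bin/", "/usr/bin/", "/usr/local/bin/")
MGMT_ARGS = {p + b for p in PREFIXES for b in MGMT_BINARIES}
BENIGN_ARGS = {p + b for p in PREFIXES for b in ("which", "man", "chmod", "chown")}
EXCLUDED_PARENTS = {"/sbin/init", "/usr/bin/dockerd", "/usr/bin/runc", "/usr/bin/containerd-shim-runc-v2"}


def matches(ev):
    """Return True if a single process event satisfies the rule's EQL query."""
    if (ev.get("host.os.type") != "linux" or ev.get("event.type") != "start"
            or ev.get("event.action") != "exec"):
        return False
    name = ev.get("process.name", "")
    args = ev.get("process.args", [])
    direct = name in MGMT_BINARIES
    # Shell-wrapper branch: the utility appears as an argument of a shell/busybox,
    # unless a benign multi-process command (which/man/chmod/chown) is also present.
    via_shell = (name in SHELLS
                 and any(a in MGMT_ARGS for a in args)
                 and not any(a in BENIGN_ARGS for a in args))
    if not (direct or via_shell):
        return False
    # process.interactive == true and container.id like "*" (field present, non-empty)
    if not ev.get("process.interactive") or not ev.get("container.id"):
        return False
    if ev.get("process.parent.executable") in EXCLUDED_PARENTS:
        return False
    if ev.get("process.working_directory") == "/aws":
        return False
    # EQL array semantics: both "init" and "runc" must occur in the parent's args.
    pargs = ev.get("process.parent.args", [])
    if "init" in pargs and "runc" in pargs:
        return False
    if ev.get("process.parent.name") == "busybox" and name == "kubectl":
        return False
    return True


def _event(eid, name, args, **extra):
    """Build a constructed exec event inside a container; extra keys override defaults."""
    ev = {
        "id": eid,
        "host.os.type": "linux", "event.type": "start", "event.action": "exec",
        "process.name": name, "process.args": args, "process.interactive": True,
        "process.parent.executable": "/bin/bash", "process.parent.name": "bash",
        "process.parent.args": ["bash"],
        "container.id": "3f9c1d0e7a2b",  # made-up container ID
    }
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    # Alert: kubectl run from an interactive shell inside a container.
    _event("interactive-kubectl", "kubectl", ["kubectl", "get", "pods", "-A"]),
    # Alert: shell-wrapper branch, the utility path shows up as a shell argument.
    _event("shell-wrapper", "sh", ["sh", "/usr/local/bin/crictl", "ps"]),
    # No alert: `busybox which kubectl` carries a benign multi-process command.
    _event("busybox-which", "busybox", ["busybox", "which", "kubectl"]),
    # No alert: non-interactive automation runs are out of scope for this rule.
    _event("cron-kubectl", "kubectl", ["kubectl", "rollout", "status"],
           **{"process.interactive": False}),
    # No alert: container entrypoint launched by `runc init` (parent args carry both tokens).
    _event("entrypoint-kubectl", "kubectl", ["kubectl", "proxy"],
           **{"process.parent.executable": "/usr/local/sbin/runc",
              "process.parent.name": "runc", "process.parent.args": ["runc", "init"]}),
    # No alert: kubelet on the node itself has no container.id.
    _event("host-kubelet", "kubelet", ["kubelet", "--config=/var/lib/kubelet/config.yaml"],
           **{"container.id": None, "process.parent.executable": "/sbin/init",
              "process.parent.name": "systemd", "process.parent.args": ["/sbin/init"]}),
]


def evaluate(events):
    """Return the ids of the events that would raise an alert, in input order."""
    return [ev["id"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:20s} -> {'ALERT' if matches(ev) else 'no match'}")
```

Running it shows only the first two events alerting. When tuning the rule, the `entrypoint-kubectl` and `busybox-which` cases are the ones to re-check after any change to the exclusion block, since they are the events most likely to become noise if an exclusion is dropped.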
Related rules
- File Execution Permission Modification Detected via Defend for Containers
- Interactive Exec Into Container Detected via Defend for Containers
- Interactive Shell Spawn Detected via Defend for Containers
- Netcat File Transfer or Listener Detected via Defend for Containers
- Cloud Credential Search Detected via Defend for Containers