Container Management Utility Run Inside A Container
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
Elastic rule
[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects when a container management binary is run from inside a container. These binaries are critical
components of many containerized environments, and their presence and execution in unauthorized containers could
indicate compromise or a misconfiguration.
"""
false_positives = [
    """
    There is a potential for false positives if the container is used for legitimate administrative tasks that require
    the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
    important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
    or part of legitimate container activity.
    """,
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Container Management Utility Run Inside A Container"
risk_score = 21
rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id: "*" and event.type == "start"
  and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
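To make the query's logic concrete, here is an added example (not part of the Elastic rule or its repository) that re-implements the EQL condition in plain Python and runs it over a few constructed ECS-style process events. It assumes newline-delimited JSON with the ECS fields the query names (`event.category`, `event.type`, `container.id`, `process.name`); the `c0ffee*` container ids and the `run_rule`/`matches_rule` helpers are invented for the illustration.

```python
import json

# Process names listed in the rule's EQL query (taken from the page).
MANAGEMENT_BINARIES = {
    "dockerd", "docker", "kubelet", "kube-proxy", "kubectl",
    "containerd", "runc", "systemd", "crictl",
}

def _as_list(value):
    # ECS event.category / event.type may be a string or an array; EQL
    # treats "field == x" as true when any element equals x.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def matches_rule(event):
    """True when an ECS event satisfies the rule's query condition."""
    ev = event.get("event", {})
    if "process" not in _as_list(ev.get("category")):   # "process where ..."
        return False
    if not event.get("container", {}).get("id"):         # container.id: "*" (field present, non-empty)
        return False
    if "start" not in _as_list(ev.get("type")):           # event.type == "start"
        return False
    return event.get("process", {}).get("name") in MANAGEMENT_BINARIES

def run_rule(ndjson_lines):
    """Evaluate the rule over NDJSON lines; return one alert dict per hit."""
    alerts = []
    for line in ndjson_lines:
        event = json.loads(line)
        if matches_rule(event):
            alerts.append({
                "rule": "Container Management Utility Run Inside A Container",
                "risk_score": 21,               # as set in the rule
                "technique": "T1609",           # MITRE ATT&CK mapping from the rule
                "container_id": event["container"]["id"],
                "process_name": event["process"]["name"],
            })
    return alerts

# Constructed sample events (not real telemetry): only #1 and #5 should alert.
SAMPLE_EVENTS = [
    '{"event":{"category":"process","type":"start"},"container":{"id":"c0ffee01"},"process":{"name":"kubectl"}}',
    '{"event":{"category":"process","type":"start"},"container":{"id":"c0ffee01"},"process":{"name":"bash"}}',
    '{"event":{"category":"process","type":"start"},"process":{"name":"dockerd"}}',
    '{"event":{"category":"process","type":"end"},"container":{"id":"c0ffee02"},"process":{"name":"runc"}}',
    '{"event":{"category":["process"],"type":["start"]},"container":{"id":"c0ffee03"},"process":{"name":"crictl"}}',
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Event #3 shows why `container.id: "*"` matters: the same binary started on the host (no `container.id`) is expected and does not alert, which is what keeps this rule scoped to in-container execution.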
Related rules
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container
- Suspicious Interactive Shell Spawned From Inside A Container
- AWS Credentials Searched For Inside A Container