File Made Executable via Chmod Inside A Container
This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.
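[metadata]
creation_date = "2023/04/26"
# Events come from the Cloud Defend integration (see min_stack_comments);
# the rule only applies to stacks that ship it.
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container."
# Lookback (6m) is one minute longer than the schedule (5m); the overlap,
# together with timestamp_override = "event.ingested", presumably absorbs
# ingestion lag so late-indexed events are not skipped — verify against
# the rest of the rule set.
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "File Made Executable via Chmod Inside A Container"
risk_score = 47
rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
severity = "medium"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"

# How the query matches:
#   - `container.id: "*"` requires a container id on the event, scoping the
#     rule to activity inside a container.
#   - `event.type in ("change", "creation")` covers both modified and newly
#     created files.
#   - chmod is matched either as the process name or as a process argument
#     (the in-query comment explains the wrapper-tool case).
#   - `process.args : "*x*"` is a wildcard over each argument, so any
#     argument containing an "x" matches — including a file path passed to
#     chmod — not only symbolic modes such as "+x". Only the five literal
#     octal modes listed are matched explicitly; other modes rely on the
#     "*x*" match.
#   - `not process.args: "-x"` excludes only an argument that is exactly
#     "-x"; forms like "u-x" or "a-x" still satisfy "*x*" and will alert.
#     Expect tuning for these false positives.
query = """
file where container.id: "*" and event.type in ("change", "creation") and

/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name : "chmod" or process.args : "chmod") and
process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
"""

# ATT&CK mapping 1 of 2: Execution via a script/interpreter.
[[rule.threat]]
framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0002"
 reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"

 [[rule.threat.technique]]
 id = "T1059"
 reference = "https://attack.mitre.org/techniques/T1059/"
 name = "Command and Scripting Interpreter"

# ATT&CK mapping 2 of 2: Defense Evasion via permission modification.
[[rule.threat]]
framework = "MITRE ATT&CK"

 [rule.threat.tactic]
 id = "TA0005"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 name = "Defense Evasion"

 [[rule.threat.technique]]
 id = "T1222"
 reference = "https://attack.mitre.org/techniques/T1222/"
 name = "File and Directory Permissions Modification"

 [[rule.threat.technique.subtechnique]]
 id = "T1222.002"
 reference = "https://attack.mitre.org/techniques/T1222/002/"
 name = "Linux and Mac File and Directory Permissions Modification"
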
Related rules
- Container Management Utility Run Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container
- Suspicious Interactive Shell Spawned From Inside A Container
- SSH Authorized Keys File Modified Inside a Container