Interactive Exec Command Launched Against A Running Container
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
Elastic rule
[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container.
This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell.
A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
"""
false_positives = [
    """
    An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
    Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
    inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
    ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
    cassandra -- cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
    connected to the terminal: kubectl exec -i -t cassandra -- sh
    """,
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Interactive Exec Command Launched Against A Running Container"
references = [
    "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 73
rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id : "*" and event.type == "start" and

/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and

/* process is the initial process run in a container */
process.entry_leader.same_as_process == true and

/* interactive process */
process.interactive == true
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"
  name = "Execution"

    [[rule.threat.technique]]
    id = "T1059"
    reference = "https://attack.mitre.org/techniques/T1059/"
    name = "Command and Scripting Interpreter"

      [[rule.threat.technique.subtechnique]]
      id = "T1059.004"
      reference = "https://attack.mitre.org/techniques/T1059/004/"
      name = "Unix Shell"

    [[rule.threat.technique]]
    id = "T1609"
    name = "Container Administration Command"
    reference = "https://attack.mitre.org/techniques/T1609/"
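To make the query's five clauses concrete, the following Python re-implements the rule's EQL predicate and runs it over a handful of constructed process events: the `kubectl exec -i -t ... -- sh` case the rule is written for, the non-interactive `kubectl exec ... -- cat` case from the false-positives note, a shell spawned by a process already running inside the container, a host-side session, and a process-end event. This is an added example, not code from Elastic or the rule; the EQL operator semantics (`:` case-insensitive wildcard match, `==` exact match, any-element matching on array fields) follow Elastic's documented behaviour, while the event ids, container id, user names and the `exclude_users` tuning parameter are assumptions made for the illustration.

```python
"""Added example: the rule's EQL predicate re-implemented in Python and run over
constructed process events so the match/no-match cases can be inspected offline.
Field names follow ECS / Elastic Defend for Containers; every value below
(container ids, user names, event ids) is made up for this example."""
from fnmatch import fnmatchcase
from typing import Any, Optional


def _container_event(event_id, proc_name, interactive, same_as_process=True,
                     entry_type="container", event_type="start", user="dev-user",
                     container_id="c0ffee0001"):
    """Build one constructed event in the shape the rule's query expects."""
    ev = {
        "event": {"id": event_id, "type": [event_type]},
        "user": {"name": user},
        "process": {
            "name": proc_name,
            "interactive": interactive,
            "entry_leader": {
                "entry_meta": {"type": entry_type},
                "same_as_process": same_as_process,
            },
        },
    }
    if container_id is not None:
        ev["container"] = {"id": container_id}
    return ev


SAMPLE_EVENTS = [
    # kubectl exec -i -t cassandra -- sh : interactive shell, entry process -> fires
    _container_event("ev-1", "sh", interactive=True),
    # kubectl exec cassandra -- cat /var/log/cassandra/system.log : no TTY -> silent
    _container_event("ev-2", "cat", interactive=False),
    # interactive bash started by a process already running in the container: the
    # entry leader is the container's original process, not this one -> silent
    # (that case belongs to "Suspicious Interactive Shell Spawned From Inside A Container")
    _container_event("ev-3", "bash", interactive=True, same_as_process=False),
    # interactive bash on the node itself: no container.id, entry via sshd -> silent
    _container_event("ev-4", "bash", interactive=True, entry_type="sshd", container_id=None),
    # the same kubectl exec session ending: event.type is "end", not "start" -> silent
    _container_event("ev-5", "sh", interactive=True, event_type="end"),
    # an on-call admin's debugging session: fires unless explicitly tuned out
    _container_event("ev-6", "sh", interactive=True, user="sre-oncall"),
]


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted ECS path against nested dicts; None if any part is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _values(event: dict, path: str) -> list:
    # ECS fields such as event.type may be arrays; EQL matches if any element does.
    v = get_field(event, path)
    return [] if v is None else (v if isinstance(v, list) else [v])


def eql_like(event: dict, path: str, pattern: str) -> bool:
    """EQL ':' operator: case-insensitive string comparison with * and ? wildcards."""
    return any(isinstance(v, str) and fnmatchcase(v.lower(), pattern.lower())
               for v in _values(event, path))


def eql_eq(event: dict, path: str, expected: Any) -> bool:
    """EQL '==' operator: exact, case-sensitive comparison."""
    return any(type(v) is type(expected) and v == expected for v in _values(event, path))


def rule_matches(event: dict) -> bool:
    """The rule's query, clause by clause, in the same order as the EQL above."""
    return (
        eql_like(event, "container.id", "*")                      # any container
        and eql_eq(event, "event.type", "start")                  # process start
        and eql_like(event, "process.entry_leader.entry_meta.type", "container")
        and eql_eq(event, "process.entry_leader.same_as_process", True)
        and eql_eq(event, "process.interactive", True)
    )


def run_rule(events: list, exclude_users: Optional[set] = None) -> list:
    """Return the event ids that would alert. exclude_users is an added tuning
    knob, not part of the rule: it drops sessions by known administrators (the
    false-positive case the rule describes)."""
    hits = []
    for ev in events:
        if exclude_users and get_field(ev, "user.name") in exclude_users:
            continue
        if rule_matches(ev):
            hits.append(get_field(ev, "event.id"))
    return hits


if __name__ == "__main__":
    print("alerts:", run_rule(SAMPLE_EVENTS))                               # ['ev-1', 'ev-6']
    print("with admin tuned out:", run_rule(SAMPLE_EVENTS, {"sre-oncall"}))  # ['ev-1']
```

The point worth noticing is the `same_as_process == true` clause: it restricts the rule to sessions whose entry point is the container boundary itself (what `kubectl exec` produces), so an interactive shell started by a process that was already running in the container (ev-3) is deliberately left to the separate "Suspicious Interactive Shell Spawned From Inside A Container" rule listed below. The `exclude_users` parameter is shown only to illustrate where a deployment would tune out the administrator debugging sessions the false-positives note anticipates; whether to do that by user, namespace or pod label is an environment-specific decision.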
Related rules
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Netcat Listener Established Inside A Container
- Suspicious Interactive Shell Spawned From Inside A Container
- SSH Authorized Keys File Modified Inside a Container