Suspicious Interactive Shell Spawned From Inside A Container
This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.
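# Elastic prebuilt detection rule for the Elastic Defend for Containers (cloud_defend)
# data source: alerts when an interactive shell is started inside a running container.
[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential
container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.
"""
false_positives = [
    """
    Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container
    resulting in false positives.
    """,
]
# 6-minute look-back on a 5-minute schedule: the 1-minute overlap, together with the
# timestamp_override below, presumably absorbs ingestion lag -- confirm against the
# rule-scheduling docs before changing either value independently.
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Suspicious Interactive Shell Spawned From Inside A Container"
risk_score = 73
rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470"
severity = "high"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
]
# Scheduling keys off event.ingested rather than the event's own timestamp field.
timestamp_override = "event.ingested"
type = "eql"

# Scope: fork/exec "start" events that carry a container.id, excluding processes that
# are their own entry leader. Matches when either the executable path ends in "sh" and
# the arguments include "-i" or "-it", or when any argument is a path ending in "sh".
# NOTE(review): the second branch requires no interactive flag, so any process whose
# argument list contains a path ending in "sh" matches regardless of interactivity;
# tune such hits against the false_positives above rather than widening exclusions.
# The EQL comment inside the query is part of the query text and is kept verbatim.
query = '''
process where container.id: "*" and
event.type== "start" and

/*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/
event.action in ("fork", "exec") and event.action != "end"
 and process.entry_leader.same_as_process== false and
(
(process.executable: "*/*sh" and process.args: ("-i", "-it")) or
process.args: "*/*sh"
)
'''

# MITRE ATT&CK mapping: Execution via a Unix shell.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"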
Related rules
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container
- AWS Credentials Searched For Inside A Container