SSH Connection Established Inside A Running Container
This rule detects an incoming SSH connection established inside a running container. Running an SSH daemon inside a container should be avoided, and monitored closely where it is necessary. If an attacker gains valid credentials, they can use the daemon to gain initial access or to establish persistence within a compromised environment.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside
a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use
it to gain initial access or establish persistence within a compromised environment.
"""
false_positives = ["""
SSH usage may be legitimate depending on the environment.
Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
"""
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "SSH Connection Established Inside A Running Container"
references = [
    "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
]
risk_score = 73
rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id: "*" and event.type == "start" and

/* use of sshd to enter a container */
process.entry_leader.entry_meta.type: "sshd" and

/* process is the initial process run in a container or the start of a new session */
(process.entry_leader.same_as_process == true or process.session_leader.same_as_process == true) and

/* interactive process */
process.interactive == true
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
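As an added illustration that is not part of the Elastic rule, the following Python applies each clause of the EQL query above to a handful of constructed Elastic Defend for Containers style process events, so the reader can see which shapes of session the rule fires on and which it deliberately ignores. The event documents and helper names are assumptions built only from the ECS field names the query references.

```python
# Added example (not Elastic's code): applies each clause of the rule's EQL
# query to constructed Elastic Defend for Containers style process events,
# using the ECS field names the query references.

def matches_ssh_in_container(event: dict) -> bool:
    """True when a process event satisfies every clause of the EQL query."""
    process = event.get("process", {})
    entry_leader = process.get("entry_leader", {})
    session_leader = process.get("session_leader", {})
    # container.id: "*" -> the event must carry a non-empty container id
    if not event.get("container", {}).get("id"):
        return False
    # event.type == "start" -> process start events only (ECS allows an array)
    etype = event.get("event", {}).get("type")
    if "start" not in (etype if isinstance(etype, list) else [etype]):
        return False
    # entry_leader.entry_meta.type: "sshd" -> the session was entered via sshd
    if entry_leader.get("entry_meta", {}).get("type") != "sshd":
        return False
    # process is the entry leader or a session leader, i.e. a new session,
    # which excludes ordinary child processes of an already-open ssh session
    if not (entry_leader.get("same_as_process") is True
            or session_leader.get("same_as_process") is True):
        return False
    # interactive process (attached to a terminal)
    return process.get("interactive") is True

def _event(name, container_id, entry_type, leader, interactive):
    """Build a constructed sample event carrying only the fields the rule reads."""
    return {
        "container": {"id": container_id} if container_id else {},
        "event": {"type": ["start"]},
        "process": {"name": name, "interactive": interactive,
                    "entry_leader": {"entry_meta": {"type": entry_type},
                                     "same_as_process": leader},
                    "session_leader": {"same_as_process": leader}},
    }

# Constructed samples: only the first should trigger the rule.
SAMPLE_EVENTS = [
    _event("bash", "c1a2b3d4", "sshd", True, True),     # ssh login shell in a container
    _event("bash", None, "sshd", True, True),           # same login, but on the host
    _event("cat", "c1a2b3d4", "sshd", False, True),     # child of an existing ssh session
    _event("sh", "c1a2b3d4", "container", True, True),  # entered via docker/kubectl exec
    _event("scp", "c1a2b3d4", "sshd", True, False),     # non-interactive ssh command
]

def alerting_processes(events=SAMPLE_EVENTS):
    """Names of the processes in `events` that satisfy the rule."""
    return [e["process"]["name"] for e in events if matches_ssh_in_container(e)]
```

Only the interactive login shell that sshd started inside the container is reported; the exec-style entry and the non-leader child are left to the related rules listed below.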
Related rules
- SSH Authorized Keys File Modified Inside a Container
- SSH Process Launched From Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container