SSH Connection Established Inside A Running Container
This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/05/12"
3integration = ["cloud_defend"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a
11container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it
12to gain initial access or establish persistence within a compromised environment.
13"""
14false_positives = [
15 """
16 SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed
17 to distinguish between authorized and potentially malicious behavior.
18 """,
19]
20from = "now-6m"
21index = ["logs-cloud_defend*"]
22interval = "5m"
23language = "eql"
24license = "Elastic License v2"
25name = "SSH Connection Established Inside A Running Container"
26references = [
27 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
28]
29risk_score = 73
30rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828"
31severity = "high"
32tags = [
33 "Data Source: Elastic Defend for Containers",
34 "Domain: Container",
35 "OS: Linux",
36 "Use Case: Threat Detection",
37 "Tactic: Initial Access",
38 "Tactic: Lateral Movement",
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44process where container.id: "*" and event.type == "start" and
45
46/* use of sshd to enter a container*/
47process.entry_leader.entry_meta.type: "sshd" and
48
49/* process is the initial process run in a container or start of a new session*/
50(process.entry_leader.same_as_process== true or process.session_leader.same_as_process== true) and
51
52/* interactive process*/
53process.interactive== true
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1133"
61name = "External Remote Services"
62reference = "https://attack.mitre.org/techniques/T1133/"
63
64
65[rule.threat.tactic]
66id = "TA0001"
67name = "Initial Access"
68reference = "https://attack.mitre.org/tactics/TA0001/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1021"
73name = "Remote Services"
74reference = "https://attack.mitre.org/techniques/T1021/"
75[[rule.threat.technique.subtechnique]]
76id = "T1021.004"
77name = "SSH"
78reference = "https://attack.mitre.org/techniques/T1021/004/"
79
80
81
82[rule.threat.tactic]
83id = "TA0008"
84name = "Lateral Movement"
85reference = "https://attack.mitre.org/tactics/TA0008/"
References
-
SSH server running inside container Info ID: MS-TA9010 Tactic: Execution MITRE technique: SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials...
Read More
Related rules
- SSH Authorized Keys File Modified Inside a Container
- SSH Process Launched From Inside A Container
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container