SSH Process Launched From Inside A Container
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/05/12"
3integration = ["cloud_defend"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and
11server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With
12valid credentials an attacker may move laterally to other containers or to the underlying host through container
13breakout. They may also use valid SSH credentials as a persistence mechanism.
14"""
15false_positives = [
16 """
17 SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed
18 to distinguish between authorized and potentially malicious behavior.
19 """,
20]
21from = "now-6m"
22index = ["logs-cloud_defend*"]
23interval = "5m"
24language = "eql"
25license = "Elastic License v2"
26name = "SSH Process Launched From Inside A Container"
27references = [
28 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
29 "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/",
30]
31risk_score = 73
32rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c"
33severity = "high"
34tags = [
35 "Data Source: Elastic Defend for Containers",
36 "Domain: Container",
37 "OS: Linux",
38 "Use Case: Threat Detection",
39 "Tactic: Lateral Movement",
40 "Tactic: Persistence",
41]
42timestamp_override = "event.ingested"
43type = "eql"
44
45query = '''
46process where container.id: "*" and event.type== "start" and
47event.action in ("fork", "exec") and event.action != "end" and
48process.name: ("sshd", "ssh", "autossh")
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1021"
56name = "Remote Services"
57reference = "https://attack.mitre.org/techniques/T1021/"
58[[rule.threat.technique.subtechnique]]
59id = "T1021.004"
60name = "SSH"
61reference = "https://attack.mitre.org/techniques/T1021/004/"
62
63
64
65[rule.threat.tactic]
66id = "TA0008"
67name = "Lateral Movement"
68reference = "https://attack.mitre.org/tactics/TA0008/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1133"
73name = "External Remote Services"
74reference = "https://attack.mitre.org/techniques/T1133/"
75
76
77[rule.threat.tactic]
78id = "TA0003"
79name = "Persistence"
80reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- SSH Authorized Keys File Modified Inside a Container
- SSH Connection Established Inside A Running Container
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container