SSH Process Launched From Inside A Container
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
Elastic rule, as published on GitHub:

```toml
[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process.
SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to
other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
"""
false_positives = ["""
 SSH usage may be legitimate depending on the environment.
 Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior.
 """
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "SSH Process Launched From Inside A Container"
references = [
 "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/",
 "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/",
]
risk_score = 73
rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where container.id: "*" and event.type== "start" and
event.action in ("fork", "exec") and event.action != "end" and
process.name: ("sshd", "ssh", "autossh")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
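To make the query's predicate concrete, the following is an added example (not Elastic's code or its EQL engine) that re-implements the rule's `where` clause in plain Python and runs it over a handful of constructed ECS-style events. It assumes events are nested dicts keyed by ECS field names, approximates the EQL `:` operator as case-insensitive glob matching, and treats `container.id: "*"` as "field present with a non-empty string value"; it does not reproduce EQL sequences, pipes or the `now-6m` lookback window.

```python
"""Plain-Python re-implementation of the rule's where-clause (added example, not Elastic code)."""
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List, Optional

# Constants copied from the rule's query.
WATCHED_PROCESS_NAMES = ("sshd", "ssh", "autossh")
START_ACTIONS = ("fork", "exec")


def _get(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve an ECS dotted field such as 'container.id' against a nested dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _has(value: Any, wanted: str) -> bool:
    """ECS keyword fields may be scalar or array (event.category, event.type); accept both."""
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def _eql_like(value: Any, patterns: Iterable[str]) -> bool:
    """Approximation (assumption) of EQL's ':' operator: case-insensitive glob on strings.
    Empty or missing values never match, so the pattern "*" acts as an existence check."""
    if not isinstance(value, str) or value == "":
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when one event satisfies every clause of the rule's query."""
    action = _get(event, "event.action")
    return (
        _has(_get(event, "event.category"), "process")          # 'process where'
        and _eql_like(_get(event, "container.id"), ("*",))      # container.id: "*"
        and _has(_get(event, "event.type"), "start")             # event.type == "start"
        and any(_has(action, a) for a in START_ACTIONS)         # event.action in ("fork", "exec")
        and not _has(action, "end")                              # event.action != "end" (already implied above)
        and _eql_like(_get(event, "process.name"), WATCHED_PROCESS_NAMES)
    )


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the subset of events that would produce an alert under this rule."""
    return [e for e in events if matches_rule(e)]


def alert_summary(hit: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Fields a responder would want first when triaging a hit."""
    return {
        "container.id": _get(hit, "container.id"),
        "process.name": _get(hit, "process.name"),
        "process.args": " ".join(_get(hit, "process.args") or []),
        "event.action": _get(hit, "event.action"),
    }


# Constructed sample events (not real telemetry); container ids and pids are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 1: sshd started inside a container -> should match
    {"event": {"category": ["process"], "type": ["start"], "action": "exec"},
     "container": {"id": "c0ffee00placeholder"},
     "process": {"name": "sshd", "pid": 4242, "args": ["/usr/sbin/sshd", "-D"]}},
    # 2: ssh client on the host (no container.id) -> must not match
    {"event": {"category": "process", "type": "start", "action": "exec"},
     "process": {"name": "ssh", "pid": 100, "args": ["ssh", "bastion"]}},
    # 3: process exit inside a container -> wrong event.type / action
    {"event": {"category": ["process"], "type": ["end"], "action": "end"},
     "container": {"id": "c0ffee00placeholder"},
     "process": {"name": "sshd", "pid": 4242}},
    # 4: autossh forked inside a container, scalar fields -> should match
    {"event": {"category": "process", "type": "start", "action": "fork"},
     "container": {"id": "deadbeefplaceholder"},
     "process": {"name": "autossh", "pid": 77, "args": ["autossh", "-M", "0", "relay"]}},
    # 5: name only shares a prefix; the rule uses exact names, so no match
    {"event": {"category": ["process"], "type": ["start"], "action": "exec"},
     "container": {"id": "deadbeefplaceholder"},
     "process": {"name": "sshd-keygen", "pid": 78}},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(alert_summary(hit))
```

Two points worth noticing when reading the clause this way: `event.action != "end"` can never change the outcome once `event.action in ("fork", "exec")` has been evaluated, so it is redundant rather than an extra filter; and because the process names are listed without wildcards, a renamed or differently named SSH binary is outside this rule's scope, which is why the related rules on authorized_keys modification and established SSH connections complement it.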
Related rules
- SSH Authorized Keys File Modified Inside a Container
- SSH Connection Established Inside A Running Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container