Suspicious Network Tool Launched Inside A Container
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/03/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/12"

[rule]
author = ["Elastic"]
description = """
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig,
tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring,
or exploitation, and should be monitored closely within a container.
"""
false_positives = [
    """
    There is a potential for false positives if the container is used for legitimate tasks that require the use of
    network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any
    alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate
    container activity.
    """,
]
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Network Tool Launched Inside A Container"
references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"]
risk_score = 21
rule_id = "7290be75-2e10-49ec-b387-d4ed55b920ff"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.

For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Command and Control",
    "Tactic: Reconnaissance",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name in (
  "nc.traditional", "nc", "ncat", "netcat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet",
  "mitmproxy", "socat", "zmap", "masscan", "zgrab"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Network Tool Launched Inside A Container

Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries exploit network tools within containers for reconnaissance or lateral movement, leveraging utilities like `nc` or `nmap` to map networks or intercept traffic. The detection rule identifies these tools' execution by monitoring process starts and arguments, flagging potential misuse for further investigation.

### Possible investigation steps

- Examine the process arguments to understand the specific command or options used, which may provide insight into the intent of the tool's execution.
- Check the container's creation and modification timestamps to determine if the container was recently deployed or altered, which could indicate suspicious activity.
- Investigate the user or service account associated with the process start event to assess if it aligns with expected behavior or if it might be compromised.
- Analyze network logs and traffic patterns from the container to identify any unusual outbound connections or data exfiltration attempts.
- Correlate the alert with other security events or logs from the same container or host to identify potential lateral movement or further malicious activity.

### False positive analysis

- Development and testing environments often use network tools for legitimate purposes such as debugging or network configuration. To manage this, create exceptions for containers identified as part of these environments by tagging them appropriately and excluding them from the rule.
- Automated scripts or orchestration tools may trigger network utilities for routine checks or maintenance tasks. Identify these scripts and whitelist their associated container IDs or process names to prevent false alerts.
- Some monitoring solutions deploy containers with built-in network tools for performance analysis. Verify the legitimacy of these containers and exclude them from the rule by using specific labels or container IDs.
- Containers used for educational or training purposes might intentionally run network tools. Ensure these containers are marked and excluded from detection by setting up rules based on their unique identifiers or labels.

### Response and remediation

- Immediately isolate the affected container to prevent further network reconnaissance or lateral movement. This can be done by restricting its network access or stopping the container entirely.
- Conduct a thorough review of the container's logs and process history to identify any unauthorized access or data exfiltration attempts. Focus on the execution of the flagged network utilities.
- Remove any unauthorized or suspicious network tools from the container to prevent further misuse. Ensure that only necessary and approved utilities are present.
- Patch and update the container image to address any vulnerabilities that may have been exploited. Rebuild and redeploy the container using the updated image.
- Implement network segmentation to limit the container's access to sensitive resources and reduce the potential impact of similar threats in the future.
- Enhance monitoring and alerting for the execution of network utilities within containers, ensuring that any future occurrences are detected promptly.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or containers have been compromised."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
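The query above matches on four conditions (Linux host, a process start with `event.action == "exec"`, an entry leader of type `container`, and a process name from the list), and the false positive analysis recommends carving out exceptions by container ID, label or image. The following is an added example, not code from the Elastic rule or its repository: a small Python evaluator that applies the same conditions to ECS-style process events, applies a constructed image-pattern exception of the kind Kibana rule exceptions would express, and returns the fields the investigation steps ask for first (arguments, user, container). The sample events, the image pattern and the `make_event` helper are constructed for the example; the field names follow the query and ECS.

```python
"""Added example (not from the Elastic rule repository): evaluate the rule's
EQL conditions against ECS-style process events, then apply a container-image
exception like those the false positive analysis recommends. All events and
the exception pattern below are constructed for illustration."""
import fnmatch

# Process names taken verbatim from the rule's query.
SUSPICIOUS_NETWORK_TOOLS = frozenset({
    "nc.traditional", "nc", "ncat", "netcat", "nmap", "dig", "nslookup",
    "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap",
    "masscan", "zgrab",
})

# Hypothetical exception list (constructed): image patterns whose containers
# legitimately carry network tools, e.g. a sanctioned debug image. In a real
# deployment this lives in Kibana rule exceptions, not in code.
EXCEPTIONS = (
    {"field": "container.image.name", "pattern": "registry.example.internal/net-debug:*"},
)


def get_field(event, dotted):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    current = event
    for key in dotted.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def rule_matches(event):
    """Mirror the EQL query: a Linux exec event whose entry leader is a
    container and whose process name is one of the listed tools."""
    return (
        get_field(event, "host.os.type") == "linux"
        and get_field(event, "event.type") == "start"
        and get_field(event, "event.action") == "exec"
        and get_field(event, "process.entry_leader.entry_meta.type") == "container"
        and get_field(event, "process.name") in SUSPICIOUS_NETWORK_TOOLS
    )


def is_excepted(event):
    """True if any exception pattern matches the event's field value."""
    for exc in EXCEPTIONS:
        value = get_field(event, exc["field"])
        if isinstance(value, str) and fnmatch.fnmatchcase(value, exc["pattern"]):
            return True
    return False


def triage(events):
    """Return one alert per matching, non-excepted event, carrying the fields
    the investigation steps look at first: arguments, user, container id."""
    alerts = []
    for event in events:
        if rule_matches(event) and not is_excepted(event):
            alerts.append({
                "process": get_field(event, "process.name"),
                "args": " ".join(get_field(event, "process.args") or []),
                "user": get_field(event, "user.name"),
                "container_id": get_field(event, "container.id"),
            })
    return alerts


def make_event(name, args, action="exec", leader="container", image="app:1.0"):
    """Build a constructed ECS-style process event for the samples below."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"type": "start", "action": action},
        "user": {"name": "app"},
        "container": {"id": f"{name}-ctr-0001", "image": {"name": image}},
        "process": {
            "name": name,
            "args": args,
            "entry_leader": {"entry_meta": {"type": leader}},
        },
    }


# Constructed samples: one true match, a non-container entry leader, a fork
# rather than exec, a tool outside the list, and an excepted debug image.
SAMPLE_EVENTS = [
    make_event("nmap", ["nmap", "-sn", "10.0.0.0/24"]),
    make_event("dig", ["dig", "db.example.internal"], leader="sshd"),
    make_event("nc", ["nc", "-zv", "db.example.internal", "5432"], action="fork"),
    make_event("curl", ["curl", "http://app.example.internal/health"]),
    make_event("tcpdump", ["tcpdump", "-i", "eth0"],
               image="registry.example.internal/net-debug:2.1"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the `nmap` event produces an alert: the `dig` event has an `sshd` entry leader, the `nc` event is a fork rather than an exec (the real rule sees the later exec event, so this is the same process not being double-counted), `curl` is not in the list, and the `tcpdump` event is suppressed by the image exception. Note that exceptions keyed on the image name are only as trustworthy as the registry controls behind that name; an exception on `container.id` is narrower but has to be renewed whenever the container is recreated.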
References
- https://sysdig.com/blog/cve-2021-25741-kubelet-falco/
Related rules
- Deprecated - Suspicious Network Tool Launched Inside A Container
- Docker Socket Enumeration
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container