Container Management Utility Run Inside A Container

  1[metadata]
  2creation_date = "2025/03/12"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/12"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects when a container management binary is run from inside a container. These binaries are critical
 11components of many containerized environments, and their presence and execution in unauthorized containers could
 12indicate compromise or a misconfiguration.
 13"""
 14false_positives = [
 15    """
 16    There is a potential for false positives if the container is used for legitimate administrative tasks that require
 17    the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
 18    important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
 19    or part of legitimate container activity.
 20    """,
 21]
 22from = "now-9m"
 23index = ["logs-endpoint.events.process*"]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Container Management Utility Run Inside A Container"
 27risk_score = 21
 28rule_id = "4b74d3b0-416e-4099-b432-677e1cd098cc"
 29setup = """## Setup
 30
 31This rule requires data coming in from Elastic Defend.
 32
 33### Elastic Defend Integration Setup
 34Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 35
 36#### Prerequisite Requirements:
 37- Fleet is required for Elastic Defend.
 38- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 39
 40#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 41- Go to the Kibana home page and click "Add integrations".
 42- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 43- Click "Add Elastic Defend".
 44- Configure the integration name and optionally add a description.
 45- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 46- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 47- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 48- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 49
 50For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 51- Click "Save and Continue".
 52- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 53For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 54"""
 55severity = "low"
 56tags = [
 57    "Domain: Container",
 58    "OS: Linux",
 59    "Use Case: Threat Detection",
 60    "Tactic: Execution",
 61    "Data Source: Elastic Defend",
 62    "Resources: Investigation Guide",
 63]
 64timestamp_override = "event.ingested"
 65type = "eql"
 66query = '''
 67process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 68process.entry_leader.entry_meta.type == "container" and
 69process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
 70'''
 71note = """## Triage and analysis
 72
 73> **Disclaimer**:
 74> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 75
 76### Investigating Container Management Utility Run Inside A Container
 77
 78Container management utilities like Docker and Kubectl are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
 79
 80### Possible investigation steps
 81
 82- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands.
 83- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks.
 84- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility.
 85- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity.
 86- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise.
 87
 88### False positive analysis
 89
 90- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
 91- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only.
 92- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
 93- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
 94- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.
 95
 96### Response and remediation
 97
 98- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network.
 99- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
100- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
101- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation.
102- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
103- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
104- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment."""
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108
109[[rule.threat.technique]]
110id = "T1609"
111name = "Container Administration Command"
112reference = "https://attack.mitre.org/techniques/T1609/"
113
114[rule.threat.tactic]
115id = "TA0002"
116name = "Execution"
117reference = "https://attack.mitre.org/tactics/TA0002/"