Egress Connection from Entrypoint in Container

This rule identifies a sequence of events where a process named entrypoint.sh is started in a container, followed by a network connection attempt. This sequence indicates a potential egress connection from an entrypoint in a container. An entrypoint is a command or script specified in the Dockerfile and executed when the container starts. Attackers can use this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.

Elastic rule

[metadata]
creation_date = "2024/07/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule identifies a sequence of events where a process named `entrypoint.sh` is started in a container, followed by a
network connection attempt. This sequence indicates a potential egress connection from an entrypoint in a container. An
entrypoint is a command or script specified in the Dockerfile and executed when the container starts. Attackers can use
this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Egress Connection from Entrypoint in Container"
risk_score = 47
rule_id = "c75d0c86-38d6-4821-98a1-465cff8ff4c8"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by host.id with maxspan=3s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.entry_leader.entry_meta.type == "container" and process.name == "entrypoint.sh"] by process.entity_id
  [network where event.type == "start" and event.action == "connection_attempted" and not (
     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
       "FF00::/8", "172.31.0.0/16"
       )
    )] by process.parent.entity_id
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Egress Connection from Entrypoint in Container

Containers, often used for deploying applications, start with an entrypoint script that initializes the environment. Adversaries may exploit this by embedding malicious commands to initiate unauthorized network connections, potentially breaching security boundaries. The detection rule monitors for processes named `entrypoint.sh` followed by suspicious network activity, flagging attempts to connect to external IPs, thus identifying potential threats.

### Possible investigation steps

- Review the process details for the `entrypoint.sh` script execution, focusing on the `process.entity_id` and `host.id` to understand the context of the container where the script was executed.
- Examine the network connection attempt details, particularly the `destination.ip`, to determine if the IP address is known to be malicious or associated with suspicious activity.
- Check the container's Dockerfile or image configuration to verify if the `entrypoint.sh` script is expected and whether it contains any unauthorized modifications or additions.
- Investigate the parent process of the network connection attempt using `process.parent.entity_id` to identify if there are any other suspicious processes or activities linked to the same parent.
- Correlate the event with other logs or alerts from the same `host.id` to identify any additional indicators of compromise or related suspicious activities within the same timeframe.

### False positive analysis

- Legitimate application updates or installations may trigger the rule if they involve network connections from the entrypoint script. To handle this, identify and whitelist specific applications or update processes that are known to perform such actions.
- Automated configuration management tools might execute scripts that initiate network connections as part of their normal operations. Exclude these tools by specifying their process names or parent entity IDs in the rule exceptions.
- Containers designed to perform network diagnostics or monitoring could naturally attempt connections to external IPs. Review and exclude these containers by their image names or specific entrypoint scripts.
- Development or testing environments often run scripts that connect to external services for integration testing. Consider excluding these environments by tagging them appropriately and adjusting the rule to ignore these tags.
- Scheduled maintenance scripts that run periodically and require network access might be flagged. Document these scripts and create exceptions based on their execution schedule or specific network destinations.

### Response and remediation

- Immediately isolate the affected container to prevent further unauthorized network connections. This can be done by stopping the container or disconnecting it from the network.
- Conduct a thorough review of the `entrypoint.sh` script within the container to identify and remove any malicious commands or scripts that may have been injected.
- Analyze the network traffic logs to identify any external IP addresses that the container attempted to connect to. Block these IPs at the firewall level to prevent future connections.
- Check for any signs of lateral movement or attempts to escape the container to the host system. If detected, escalate to the security team for a comprehensive investigation.
- Restore the container from a known good backup if available, ensuring that the restored version is free from any malicious modifications.
- Implement additional monitoring on the affected host and container environment to detect any similar suspicious activities in the future.
- Report the incident to the appropriate internal security team or incident response team for further analysis and to update threat intelligence databases."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
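To make the EQL sequence concrete, here is an added Python replay of the query's logic (not Elastic's code): it applies the same two stage filters, the same cidrmatch exclusion list, the same join on `host.id` and `process.parent.entity_id == process.entity_id`, and the 3-second maxspan. The event dicts are a constructed, flattened stand-in for the ECS documents the rule reads (the key `entry_meta.type` abbreviates `process.entry_leader.entry_meta.type`), and the sample telemetry is invented for the demonstration.

```python
import ipaddress
from datetime import datetime, timedelta

# Ranges the rule excludes via cidrmatch(); ip_network("::1") defaults to /128.
EXCLUDED = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
    "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
    "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
    "FE80::/10", "FF00::/8", "172.31.0.0/16")]
MAXSPAN = timedelta(seconds=3)  # sequence ... with maxspan=3s

def is_external(dest_ip):
    """The rule's 'not (destination.ip == null or 0.0.0.0 or cidrmatch(...))' clause."""
    if dest_ip in (None, "0.0.0.0"):
        return False
    # An IPv4 address never matches an IPv6 network (and vice versa), so mixed lists are safe.
    return not any(ipaddress.ip_address(dest_ip) in net for net in EXCLUDED)

def is_entrypoint_exec(ev):
    """First stage: entrypoint.sh exec'd inside a container on a Linux host."""
    return (ev.get("category") == "process" and ev.get("host.os.type") == "linux"
            and ev.get("event.type") == "start" and ev.get("event.action") == "exec"
            and ev.get("entry_meta.type") == "container" and ev.get("process.name") == "entrypoint.sh")

def find_sequences(events):
    """Join stage 2 to stage 1 like the EQL: same host.id, network process.parent.entity_id
    == exec process.entity_id, and the connection no more than MAXSPAN after the exec."""
    pending, hits = {}, []  # pending[host.id][process.entity_id] = exec event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_entrypoint_exec(ev):
            pending.setdefault(ev["host.id"], {})[ev["process.entity_id"]] = ev
        elif (ev.get("category") == "network" and ev.get("event.type") == "start"
              and ev.get("event.action") == "connection_attempted"
              and is_external(ev.get("destination.ip"))):
            first = pending.get(ev["host.id"], {}).get(ev.get("process.parent.entity_id"))
            if first and ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                hits.append((first, ev))
    return hits

# Constructed sample telemetry (not real events): one container exec, three connection attempts.
T0 = datetime(2025, 1, 15, 12, 0, 0)
def conn(secs, ip, parent="p-entry"):
    return {"category": "network", "@timestamp": T0 + timedelta(seconds=secs), "host.id": "h1",
            "event.type": "start", "event.action": "connection_attempted",
            "destination.ip": ip, "process.parent.entity_id": parent}
SAMPLE = [{"category": "process", "@timestamp": T0, "host.id": "h1", "host.os.type": "linux",
           "event.type": "start", "event.action": "exec", "entry_meta.type": "container",
           "process.name": "entrypoint.sh", "process.entity_id": "p-entry"},
          conn(1, "10.0.5.7"),      # private range: excluded by cidrmatch
          conn(2, "2001:db8::1"),   # documentation prefix, not in the list: this one fires
          conn(5, "2001:db8::2")]   # external but past maxspan=3s: no match
```

Note that the exclusion list covers the IPv4 documentation ranges but only loopback, link-local and multicast for IPv6, which is why the constructed `2001:db8::` destinations count as external here.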
