This rule detects the download of files from inside a container. The files are downloaded using the "curl" or "wget" command-line tools. Adversaries may use these tools to download files from the internet to gain access to sensitive data or communicate with C2 servers.

Read More

This rule detects attempts from within a Linux container to create or modify files commonly used for persistence on native Linux systems, including cron jobs, systemd units, sudoers files, and shell profile configurations. While many of these mechanisms do not provide reliable persistence in typical containerized workloads, such modifications are unusual and may indicate persistence attempts, privilege abuse, or preparation for container escape, especially when performed outside normal image build or package management processes.

Read More

This rule detects when a payload is downloaded and piped to a shell inside a running container. This could indicate a threat actor downloaded a payload and executed it using a shell without the payload being stored on the filesystem.

Read More

This rule detects the execution of the echo/printf command to write data to potential persistence files, decode base64/32/16 and hex content or establish connections to a potential C2. The echo/printf commands are used to display a line of text or write data to a file. Threat actors may abuse the echo/printf commands to write data to files or file descriptors that are executed (by other processes or services) to establish persistence or escalate privileges.

Read More

This rule detects the execution of an interactive process from a suspicious directory inside a container. The suspicious directories are /tmp, /dev/shm, /var/tmp, /run, /var/run, /mnt, /media, and /boot. Adversaries may use these directories to execute malicious code or exfiltrate data.

Read More

This rule detects the use of tunneling and/or port forwarding tools inside a container. This could indicate a threat actor is using these tools to communicate with a C2 server, is attempting to exfiltrate data from the container, or is attempting to pivot within the container network.

Read More

This rule detects the access of the Kubelet certificate file inside a container. The Kubelet certificate file is used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries to gain access to the cluster. There is a current limitation in the defend for containers file sensor that prevents file open events from being logged for file open events without write intent.

Read More

This rule detects potential direct Kubelet access via process arguments. An adversary may need to access the Kubelet API to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate or execute commands on the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.

Read More

This rule detects the execution of kubeletctl inside a container. Kubeletctl is a command-line tool that can be used to interact with the Kubelet API directly. It allows easy access to this API, making the often undocumented Kubelet API more accessible. It is often used to enumerate the Kubelet API or other resources inside the container, and may indicate an attempt to move laterally within the pod.

Read More

This rule detects the interactive execution of potential defense evasion techniques via encoded payloads inside a container. Attackers may use base64 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or network-based security controls.

Read More

This rule detects when an interactive process creates a file inside of a running container, followed by its execution. This could indicate a potential container breakout attempt, an attacker's attempt to gain unauthorized access to the underlying host, or to evade detection by security controls.

Read More

This rule detects the execution of the "id", "whoami", "capsh", "getcap", and "lsns" commands inside a container. These commands are used to enumerate the privilege boundary of the container, which can be used by an adversary to gain information about the container and the services running inside it.

Read More

This rule detects the use of built-in utilities to discover running pods on a Kubernetes cluster. The utilities used are du, nice, find, locate, and ls. These utilities are commonly used to discover running pods on a Kubernetes cluster. The "/var/lib/kubelet/pods" directory is the default location for Kubelet pod information.

Read More

This rule detects the reading of the service account namespace file inside a container. The service account namespace file is used to identify the namespace of the container in which it is running, and may be used by an adversary to get a better understanding of the container and the services running inside it.

Read More

This rule detects the reading of the service account token or certificate inside a container. The service account token or certificate is used to authenticate the container to the Kubernetes API server, and may be used by an adversary to gain access to the Kubernetes API server or other resources within the cluster. These files are a common target for adversaries to gain access to the cluster.

Read More

This rule detects the deletion of shell command-line history files inside a container. The shell command-line history files are used to store the command-line history for the shell. Adversaries may delete these files to cover their tracks or evade detection.

Read More

This rule detects when an interactive process executes a suspicious interpreter command inside a container. These commands are commonly used by attackers to execute malicious code or exfiltrate data.

Read More

This rule detects when an interactive process creates a file inside of a system binary location, inside of a running container. The system binary locations are /etc, /root, /bin, /usr/bin, /usr/local/bin, and /entrypoint. Adversaries may use these locations to create files that can be used to execute commands on the underlying host, or to evade detection by security controls.

Read More

This rule detects the installation of tools inside a container. An adversary may need to install additional software to enumerate the container, its environment, and move laterally within the environment.

Read More

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts. Attackers may upload a web shell to a web server to maintain access to the system.

Read More

This rule detects potential Docker socket enumeration activity by monitoring processes that attempt to interact with the Docker socket file (/var/run/docker.sock). Docker socket enumeration is a common technique used by attackers to interact with the Docker daemon and perform various operations, such as creating, starting, stopping, and removing containers. Attackers may abuse Docker socket enumeration to gain unauthorized access to the host system, escalate privileges, or move laterally within the environment.

Read More

The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster.

Read More

The kubeconfig file is a critical component in Kubernetes environments, containing configuration details for accessing and managing Kubernetes clusters. Attackers may attempt to get access to, create, or modify kubeconfig files to gain unauthorized initial access to Kubernetes clusters or move laterally within the cluster. This rule detects process discovery executions that involve kubeconfig files, particularly those executed from common shell environments or world-writeable directories.

Read More

This rule detects the execution of the "kubectl apply" command with a URL argument. This command is often used to apply configurations or deploy resources in a Kubernetes cluster. Attackers may use this command to deploy malicious pods or modify existing ones, potentially leading to unauthorized access or data exfiltration.

Read More

This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes. This could indicate an adversary trying to manipulate network settings for malicious purposes, such as establishing unauthorized access or exfiltrating data.

Read More

This rule detects the use of the "kubectl auth --can-i" command, which is used to check permissions in Kubernetes clusters. Attackers may use this command to enumerate permissions and discover potential misconfigurations in the cluster, allowing them to gain unauthorized access or escalate privileges.

Read More

This rule monitors for the execution of curl or wget commands that directly access Kubernetes API endpoints, which may indicate an attempt to interact with Kubernetes resources in a potentially unauthorized manner. This technique is often used by adversaries to gather information about the Kubernetes environment, such as secrets, config maps, and other sensitive data, without using the official Kubernetes client tools such as "kubectl".

Read More

This rule detects the creation or modification of sensitive Kubernetes configuration files on Linux systems. These files include Kubernetes manifests, PKI files, and configuration files that are critical for the operation of Kubernetes clusters. Monitoring these files helps identify potential unauthorized changes or misconfigurations that could lead to security vulnerabilities in Kubernetes environments. Attackers may attempt to modify these files to gain persistence or to deploy malicious containers within the Kubernetes cluster.

Read More

This rule detects potential impersonation attempts via the "kubectl" command in Linux environments. It identifies process events where "kubectl" is executed with arguments that suggest an attempt to impersonate another user or group, such as using "--kubeconfig", "--token", "--as", or "--as-group". This could indicate an adversary trying to gain unauthorized access or escalate privileges within a Kubernetes cluster. If this rule is triggered, in conjunction with rules related to secret access or kubeconfig file discovery, it may indicate a potential impersonation attempt.

Read More

This rule detects potential kubectl masquerading activity by monitoring for process events where the process name is not "kubectl" but the command line arguments include kubectl-related commands. This could indicate an adversary attempting to masquerade as legitimate kubectl activity to evade detection. This rule covers evasion gaps introduced by renaming the kubectl binary, or placing it in an unusual directory.

Read More

This rule detects the enumeration of the cluster by the "jq" command inside a container. The "jq" command is used to parse JSON data, and may be used by an adversary to gain information about the cluster and the services running inside it. This behavior is uncommon for interactive shells within a container, and is commonly leveraged by attackers to help parse cluster information in a more readable format, or set the output as environment variables.

Read More

This rule detects the use of the "curl" command-line tool with SOCKS proxy options. Attackers may use "curl" to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers.

Read More

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct interactive Kubernetes API requests. An adversary may need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster. Note that this rule may not trigger if the authorization token of the request is expanded within the process argument list, as the length of the "process.args" field may lead to the field being ignored.

Read More

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of direct interactive Kubernetes API requests via unusual utilities. An adversary may need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.

Read More

This rule detects the execution of direct interactive Kubernetes API requests inside a container. An adversary may need to execute direct interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster. Note that this rule may not trigger if the token is expanded within the process argument list, as the length of the "process.args" field may lead to the field being ignored.

Read More

This rule detects the execution of DNS enumeration tools inside a container. DNS enumeration tools are used to enumerate the DNS servers and domains of the container, which can be used by an adversary to gain information about the network configuration of the container and the services running inside it.

Read More

This rule detects the execution of the "env" or "printenv" commands inside a container. The "env" command is used to display all the environment variables for the current shell, and the "printenv" command is used to print the values of environment variables. These commands are used to enumerate the environment variables of the container, which can be used by an adversary to gain information about the container and the services running inside it.

Read More

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the execution of forbidden interactive Kubernetes API requests. An adversary may need to execute interactive Kubernetes API requests to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster. Attackers may attempt to access resources that are forbidden by the authorization policy. Note that this rule may not trigger if the authorization token of the request is expanded within the process argument list, as the length of the "process.args" field may lead to the field being ignored.

Read More

This rule leverages a combination of Defend for Containers and Kubernetes audit logs to detect the access to the service account token or certificate followed by the execution of a direct interactive Kubernetes API request. An adversary may need to access the service account token or certificate to gain access to the Kubernetes API server or other resources within the cluster. These requests are often used to enumerate the Kubernetes API server or other resources within the cluster, and may indicate an attempt to move laterally within the cluster.

Read More

This rule detects the enumeration of tools by the "which" command inside a container. The "which" command is used to list what tools are installed on a system, and may be used by an adversary to gain information about the container and the services running inside it.

Read More

This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.

Read More

This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.

Read More

Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.

Read More

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine.

Read More

This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.

Read More

This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.

Read More

This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.

Read More

This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.

Read More

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container--a container deployed with all the capabilities of the host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated.

Read More

This rule detects an established netcat file transfer or listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence, exfiltrating data or file transfer.

Read More

This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take advantage of this feature, which could be used for further privilege escalation and container escapes to the host machine.

Read More

This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.

Read More

Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.

Read More

This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.

Read More

This rule detects the creation or modification of an authorized_keys file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.

Read More

This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.

Read More

This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment.

Read More

This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.

Read More