From 39cdb3887f2d0016ed58218ac4342fbc1b160e80 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 9 Mar 2026 17:03:39 +0100 Subject: [PATCH] [New/Tuning] TeamPCP Simulation - New & Tuned Rules (#5812) * [New/Tuning] TeamPCP Simulation - New & Tuned Rules * ++ * ++ * Added IGs * Update event action conditions in TOML rule Refactor process event conditions for clarity. * Add cloud-related file access patterns to rules * Update persistence_suspicious_webserver_child_process_execution.toml * Update rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update defense_evasion_file_creation_execution_deletion_cradle.toml * Update defense_evasion_file_creation_execution_deletion_cradle.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...tes_api_activity_by_unusual_utilities.toml | 7 +- ..._decoded_payload_piped_to_interpreter.toml | 174 +++++++++++++++ ...le_creation_execution_deletion_cradle.toml | 152 +++++++++++++ ...potential_evasion_via_encoded_payload.toml | 5 +- ...payload_downloaded_and_piped_to_shell.toml | 35 ++- ...ecutable_via_chmod_inside_a_container.toml | 12 +- ...ractive_interpreter_command_execution.toml | 5 +- .../execution_tool_installation.toml | 5 +- .../cloud_defend/impact_process_killing.toml | 109 ++++++++++ ...e_suspicious_echo_or_printf_execution.toml | 5 +- ...ous_webserver_child_process_execution.toml | 202 +++++++++++++++--- ...e_workload_modification_by_user_agent.toml | 116 ++++++++++ 12 files changed, 778 insertions(+), 49 deletions(-) create mode 100644 rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml create mode 100644 rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml create mode 100644 rules/integrations/cloud_defend/impact_process_killing.toml create mode 100644 rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml index 97226df1b..652be9cb0 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -107,7 +107,10 @@ sequence with maxspan=1s ) ) or /* General exclusions for utilities that are not typically used for Kubernetes API requests */ - process.name in ("sleep", "head", "tail") + process.name in ( + "sleep", "head", "tail", "apk", "apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf", + "pacman", "rpm", "dpkg" + ) )] by orchestrator.resource.name [any where event.dataset == "kubernetes.audit_logs" and diff --git a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml new file mode 100644 index 000000000..a3e3f9776 --- /dev/null +++ b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml @@ -0,0 +1,174 @@ +[metadata] +creation_date = "2026/03/05" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the execution of a base64 decoded payload to an interpreter inside a container. Attackers +may use this technique to execute malicious code, while attempting to evade detection. +""" +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Decoded Payload Piped to Interpreter Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Decoded Payload Piped to Interpreter Detected via Defend for Containers + +This detection flags a container process that decodes an obfuscated payload (commonly base64 or similar) and immediately feeds the output into an interpreter, a high-signal pattern for fileless execution and defense evasion. Attackers use it to deliver short-lived scripts without writing them to disk, reducing forensic artifacts and bypassing simple content controls. A common pattern is echoing an encoded blob, decoding it, and piping it into `sh`/`bash` or `python` to run a downloader or backdoor inline. + +### Possible investigation steps + +- Correlate the paired exec events to reconstruct the full pipeline and determine whether it originated from an interactive exec session, the container entrypoint, or an orchestrated task. +- Extract the encoded blob from the command invocation or captured stdin, decode it in an isolated environment, and assess the decoded script for downloader/backdoor logic, persistence attempts, or secret access. +- Pivot from the interpreter execution to spawned children and concurrent outbound connections to identify second-stage payload retrieval, command-and-control, or lateral movement activity. +- Validate workload legitimacy by reviewing the container’s image tag/digest and the owning pod/deployment, namespace, and service account, and compare against recent changes or redeploys for compromise indicators. +- Look for post-execution artifacts in writable layers and mounted volumes (new scripts/binaries, modified init files, scheduled tasks), and if suspicious preserve evidence and rotate potentially exposed credentials. + +### False positive analysis + +- Containerized init/entrypoint or CI job logic decodes embedded base64 configuration or a small helper script at runtime (e.g., `base64 -d | sh` or `python -c ...b64decode...`) to avoid shipping plaintext in the image and to support templating across environments. +- An operator troubleshooting a container uses an interactive exec session to paste an encoded one-liner that decodes and pipes into a shell or interpreter to quickly run diagnostics or apply a transient fix without creating files in the container filesystem. + +### Response and remediation + +- Immediately isolate or stop the affected container/pod and block further `kubectl exec`/interactive sessions into the workload while preserving the full command line, container image digest, and recent stdout/stderr logs for evidence. +- Decode the observed base64/openssl/python/perl/ruby payload in a sandbox to identify its actions, then terminate any spawned interpreter children and remove any dropped binaries/scripts from writable layers and mounted volumes. +- If the decoded script performs outbound retrieval or C2, quarantine the node or restrict egress for the namespace and rotate any secrets, tokens, or cloud credentials accessible to the container’s service account. +- Rebuild and redeploy the workload from a known-good image (pin by digest), revoke the compromised image/tag from the registry, and validate the deployment manifests for unauthorized entrypoint/command changes. +- Escalate to incident response if the payload includes credential access, lateral movement tooling, or creates persistence on the node (e.g., cron/systemd changes, modified kubelet paths), or if multiple containers show similar decode-to-interpreter pipelines. +- Harden by enforcing admission controls to deny privileged containers and runtime `exec`, require read-only root filesystems and least-privilege service accounts, and add detections/blocks for decode-to-interpreter patterns and unexpected interpreters in production images. +""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 73 +rule_id = "0fb83aa0-3d17-41e9-b09c-56397bf7a7d9" +severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence by process.parent.entity_id, container.id with maxspan=3s + [process where event.type == "start" and event.action == "exec" and container.id like "?*" and ( + ( + ( + process.name in ("base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16") or + ( + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ("base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16") + ) + ) and + process.args like~ "*-*d*" + ) or + ( + process.name == "openssl" and + process.args == "enc" and process.args in ("-d", "-base64", "-a", "-A") + ) or + ( + process.name like "python*" and ( + (process.args == "base64" and process.args in ("-d", "-u", "-t")) or + (process.args == "-c" and process.args like "*base64*" and process.args like~ "*b64decode*") + ) + ) or + ( + process.name like "perl*" and + process.args like~ "*decode_base64*" + ) or + ( + process.name like "ruby*" and + process.args == "-e" and + process.args like~ "*Base64.decode64*" + ) + )] + [process where event.type == "start" and event.action == "exec" and process.name like ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox", + "python*", "perl*", "ruby*", "lua*", "php*" + ) and + process.args like ( + "-bash", "-dash", "-sh", "-tcsh", "-csh", "-zsh", "-ksh", "-fish", "-busybox", + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox", + "/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh", + "/bin/zsh", "/bin/ksh", "/bin/fish", "/bin/busybox", + "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh", + "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish", + "/usr/bin/busybox", + "*python*", "*perl*", "*ruby*", "*lua*", "*php*", "/dev/fd/*" + ) and + not ( + process.working_directory like ( + "/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install", + "/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek" + ) or + process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + )] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat.technique]] + name = "Obfuscated Files or Information" + id = "T1027" + reference = "https://attack.mitre.org/techniques/T1027/" + + [[rule.threat.technique]] + name = "Deobfuscate/Decode Files or Information" + id = "T1140" + reference = "https://attack.mitre.org/techniques/T1140/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat.technique]] + id = "T1059" + name = "Command and Scripting Interpreter" + reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + name = "Unix Shell" + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + + [[rule.threat.technique]] + name = "User Execution" + id = "T1204" + reference = "https://attack.mitre.org/techniques/T1204/" + + [[rule.threat.technique.subtechnique]] + name = "Malicious File" + id = "T1204.002" + reference = "https://attack.mitre.org/techniques/T1204/002/" diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml new file mode 100644 index 000000000..5da9a158d --- /dev/null +++ b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml @@ -0,0 +1,152 @@ +[metadata] +creation_date = "2026/03/05" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the creation, execution, and deletion of files inside a container, a common +technique used by attackers to evade detection. +""" +from = "now-6m" +index = ["logs-cloud_defend.process*", "logs-cloud_defend.file*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers + +This detection flags a rapid sequence inside a container where a file is written to a common transient or user-writable location, executed, then deleted shortly after—an evasion pattern meant to minimize on-disk artifacts and frustrate forensic review. Attackers often use a shell to pull a payload with common transfer utilities into `/tmp` or shared memory, run it immediately for credential theft or lateral movement, and then remove it to blend back into normal container churn. + +### Possible investigation steps + +- Pivot on the container to review the full process tree and preceding commands around the sequence to determine how the payload was introduced (interactive shell, entrypoint, cron, CI job, or exploited service) and what else executed nearby in time. +- Retrieve the file content if still present or recover it from container runtime logs/snapshots/registry layers, then compute hashes and run static/dynamic analysis to identify malware family, network indicators, and persistence or credential-access behavior. +- Review outbound network connections from the container during the same window to identify download sources, callback infrastructure, and any subsequent lateral movement attempts to internal services. +- Check whether the container or pod is running with elevated privileges (host mounts, privileged mode, sensitive service account tokens, or access to Docker/CRI sockets) to assess host-escape risk and scope potential impact beyond the container. +- Validate legitimacy by correlating with recent deploys/build steps and expected package/install activity, and if suspicious, isolate the workload and rotate any exposed secrets or tokens used by the container. + +### False positive analysis + +- A container entrypoint or bootstrap script downloads a small helper or configuration artifact into `/tmp` (or similar), executes it via a shell to perform initialization checks or configuration, and then deletes it immediately to keep the runtime filesystem clean. +- A build/test step running inside a container fetches transient binaries or linkable objects (e.g., via `curl`/`wget`/`scp` or `ld`) into writable paths like `/tmp` or `/opt`, executes them as part of compilation or validation, and removes them as part of routine cleanup. + +### Response and remediation + +- Quarantine the affected pod or container by isolating it from the network and scaling it to zero or killing the container while preserving a copy of the writable layer and runtime logs for forensic analysis. +- Identify and block the download and command-and-control endpoints used by the transfer utility (for example the `curl`/`wget` URL or `scp` destination) at egress controls, then search for the same indicator across other workloads and nodes to find additional compromised containers. +- Eradicate by rebuilding and redeploying the workload from a known-good image and clean source, removing any unauthorized startup scripts or injected binaries in paths like `/tmp`, `/dev/shm`, `/var/tmp`, `/root`, or `/opt`. +- Rotate and revoke any credentials the container could access such as Kubernetes service account tokens, API keys, registry credentials, and mounted secrets, and invalidate sessions if the executed payload could have harvested them. +- Escalate to incident response immediately if the workload was privileged, had hostPath mounts or container runtime socket access, touched `/proc/*/fd/*`, or showed signs of data access or lateral movement to internal services. +- Harden by enforcing least privilege and runtime controls such as read-only root filesystems, no shell or download tools in production images, restricted egress allowlists, and admission policies that block privileged pods and sensitive host mounts. +""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 73 +rule_id = "1dc56174-5d02-4ca4-af92-e391f096fb21" +severity = "high" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +sequence by container.id, user.id with maxspan=10s + [file where event.action == "creation" and ( + process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") or + ( + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl", + "wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget", + "fetch", "/bin/fetch", "/usr/bin/fetch", "/usr/local/bin/fetch", + "ftp", "/bin/ftp", "/usr/bin/ftp", "/usr/local/bin/ftp", + "sftp", "/bin/sftp", "/usr/bin/sftp", "/usr/local/bin/sftp", + "scp", "/bin/scp", "/usr/bin/scp", "/usr/local/bin/scp", + "rsync", "/bin/rsync", "/usr/bin/rsync", "/usr/local/bin/rsync", + "ld", "/bin/ld", "/usr/bin/ld", "/usr/local/bin/ld" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) + ) and file.path like ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", + "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*" + ) + ] by file.name + [process where event.type == "start" and event.action == "exec" and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") + ] by process.name + [file where event.action == "deletion" and file.path like ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", + "/proc/*/fd/*", "/home/*/*", "/root/*", "/opt/*" + ) and not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld") + ] by file.name +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml index 70450ec93..4168f4a71 100644 --- a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml +++ b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -48,6 +48,9 @@ This rule flags interactive runs of common encoding/decoding tools and language - Eradicate by deleting and redeploying the pod from a known-good image, removing any malicious files or altered entrypoints/configmaps/secrets discovered during review, and rotating any credentials or tokens that the container could access. - Escalate immediately to IR/Cloud Security if the decoded content triggers execution (piped into sh/bash), pulls remote payloads (curl/wget), or results in outbound connections to unknown hosts, or if similar decode activity is found across multiple namespaces. - Harden by enforcing RBAC to restrict exec/attach, enabling admission controls to block privileged pods and risky host mounts, reducing image toolsets (remove base64/openssl/xxd where feasible), and adding egress controls to limit outbound traffic to approved destinations.""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] risk_score = 47 rule_id = "227cf26a-88d1-4bcb-bf4c-925e5875abcf" severity = "medium" diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml index ec1436550..929a3fbb9 100644 --- a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml +++ b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -67,12 +67,33 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -sequence by process.parent.entity_id, container.id with maxspan=5s - [process where event.type == "start" and event.action == "exec" and - process.name in ("curl", "wget") and process.interactive == true] - [process where event.type == "start" and event.action == "exec" and - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - process.interactive == true] +sequence by process.parent.entity_id, container.id with maxspan=1s + [process where event.type == "start" and event.action == "exec" and process.name in ("curl", "wget")] + [process where event.action in ("exec", "end") and + /* + If the flow is executed from a parent script, the event action will be "exec". + If the flow is executed manually, the event action will be "end". + */ + process.name like ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox", + "python*", "perl*", "ruby*", "lua*", "php*" + ) and + process.args like ( + "-bash", "-dash", "-sh", "-tcsh", "-csh", "-zsh", "-ksh", "-fish", + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", + "/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh", + "/bin/zsh", "/bin/ksh", "/bin/fish", + "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh", + "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish", + "-busybox", "busybox", "/bin/busybox", "/usr/bin/busybox", + "*python*", "*perl*", "*ruby*", "*lua*", "*php*", "/dev/fd/*" + ) and + not process.args in ( + "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which", + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + )] ''' [[rule.threat]] diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml index 19124a401..37ebcaa3c 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ permissions to make a file executable could indicate malicious activity, as an a or malicious code inside the container. """ from = "now-6m" -index = ["logs-cloud_defend.file*"] +index = ["logs-cloud_defend.file*", "logs-cloud_defend.process*"] interval = "5m" language = "eql" license = "Elastic License v2" @@ -56,6 +56,9 @@ Containers provide isolated environments for running applications, often on Linu - Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign. - Review and update container security policies to prevent unauthorized permission changes, such as implementing stricter access controls and using security tools that enforce policy compliance. - Enhance detection capabilities by configuring alerts for similar suspicious activities, ensuring that any future attempts to modify file permissions within containers are promptly identified and addressed.""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] risk_score = 21 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "low" @@ -71,7 +74,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.type in ("change", "creation") and ( +any where event.category in ("file", "process") and event.type in ("change", "creation", "start") and ( process.name == "chmod" or ( /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ @@ -86,8 +89,7 @@ file where host.os.type == "linux" and event.type in ("change", "creation") and ) ) ) and process.args in ("4755", "755", "777", "0777", "444", "+x", "a+x") and -process.args like ("/dev/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/mnt/*", "/media/*") and -process.interactive == true and container.id like "*" and not process.args == "-x" +container.id like "?*" and not process.args == "-x" ''' [[rule.threat]] diff --git a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml index 16b5c79db..674f35520 100644 --- a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml +++ b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -48,6 +48,9 @@ This detection flags an interactive session inside a Linux container launching P - Rotate credentials and secrets exposed to the container (service account tokens, API keys, database passwords) and invalidate active sessions if the one-liner performed network calls, decoded payloads, or spawned subprocesses. - Escalate to the incident response team if the inline code includes base64/zlib decoding, establishes a socket connection, downloads a second stage, or any similar activity is observed across multiple pods/namespaces. - Harden against recurrence by restricting `exec/attach` access, enforcing least-privilege pod security (no privileged, no host mounts, read-only root filesystem), and using egress allowlists plus image signing/admission controls to block unauthorized images and interactive debug containers.""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] risk_score = 47 rule_id = "cd24c340-b778-44bd-ab69-2f739bd70ce1" severity = "medium" diff --git a/rules/integrations/cloud_defend/execution_tool_installation.toml b/rules/integrations/cloud_defend/execution_tool_installation.toml index a7973697f..ad87e6341 100644 --- a/rules/integrations/cloud_defend/execution_tool_installation.toml +++ b/rules/integrations/cloud_defend/execution_tool_installation.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -56,6 +56,9 @@ This rule flags interactive package installs inside Linux containers for network - Escalate to incident response if the install included tor/torsocks, openssl used to generate new keys, reverse-shell behavior (e.g., netcat -e or socat TCP:external_ip), or if activity occurred in production without a change request. - Enforce immutability and least privilege by rebuilding images without package managers or shells (distroless), enabling read-only root filesystems, disallowing kubectl exec via RBAC, using admission controls to block privileged pods and hostPath/docker.sock mounts, and tightening egress to only approved destinations. """ +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] risk_score = 21 rule_id = "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8" severity = "low" diff --git a/rules/integrations/cloud_defend/impact_process_killing.toml b/rules/integrations/cloud_defend/impact_process_killing.toml new file mode 100644 index 000000000..752e2b8ae --- /dev/null +++ b/rules/integrations/cloud_defend/impact_process_killing.toml @@ -0,0 +1,109 @@ +[metadata] +creation_date = "2026/03/05" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" +min_stack_version = "9.3.0" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the killing of processes inside a container. An adversary may attempt to find and +kill competing processes to gain control of the container. +""" +false_positives = [ + """ + There is a potential for false positives if the processes are killed for legitimate purposes, + such as debugging or troubleshooting. It is important to investigate any alerts generated by + this rule to determine if they are indicative of malicious activity or part of legitimate + container activity. + """, +] +from = "now-6m" +index = ["logs-cloud_defend.process*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Process Killing Detected via Defend for Containers" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Process Killing Detected via Defend for Containers + +This rule detects execution of Linux process-termination utilities inside a container, indicating attempts to stop services or disable security tooling to seize control of the workload. Attackers commonly enumerate running processes and then use `kill`, `pkill`, or `killall` (often launched via a shell or busybox) to terminate agents, web servers, or competing miner processes and maintain persistence or resource dominance. + +### Possible investigation steps + +- Identify the target processes and signals by pivoting to container process telemetry immediately before and after the kill event to confirm which service or agent stopped and whether it restarted. +- Determine whether the kill was user-initiated administration or malicious impact by correlating the container execution event to the invoking session/command chain and any recent interactive access (exec/attach), CI job, or startup script activity. +- Assess impact and intent by checking for concurrent disruption indicators such as sudden healthcheck failures, pod restarts, service errors, or termination of security/monitoring agents within the same container or namespace. +- Investigate precursor behavior by reviewing recent process and file activity in the container for enumeration, credential access, or tooling drops (e.g., curl/wget downloads, new binaries in writable paths, modified entrypoints). +- Scope and contain by searching for similar kill activity across the cluster and, if suspicious, isolate the workload, capture runtime artifacts (process list, network connections, filesystem diff), and preserve relevant logs for incident response. + +### False positive analysis + +- Legitimate operational workflows can exec into a container and use `kill`/`pkill`/`killall` to restart a hung application process or free resources after troubleshooting, especially during deployments or incident mitigation. +- Container entrypoint scripts or maintenance jobs may invoke shell or busybox wrappers that call `kill` to gracefully stop child processes during shutdown/rotation, leading to detections during normal lifecycle events like restarts and log/process supervision. + +### Response and remediation + +- Quarantine the affected pod/container by removing it from service (scale to zero or cordon/drain the node) and temporarily block further `exec/attach` access while preserving evidence. +- Capture volatile artifacts before termination, including the current process tree, the killed process PID/name and signal used, open network connections, and a filesystem diff for newly dropped binaries or modified entrypoint scripts. +- Eradicate by redeploying the workload from a trusted image, rotating any credentials or tokens accessible to the container (service account, registry, application secrets), and removing any unauthorized binaries or cron/sidecar persistence found. +- Recover service by restoring expected processes and health checks, validating logs/metrics resume normally, and monitoring for repeated `kill`/`pkill`/`killall` executions or unexpected restarts in the same namespace. +- Escalate to incident response if the terminated process was a security/monitoring agent, if multiple containers show coordinated kill activity, or if follow-on behaviors appear such as tool downloads, privilege escalation attempts, or outbound connections to unknown endpoints. +- Harden by enforcing least-privilege (drop `SYS_PTRACE`/debug capabilities, read-only root filesystem), restricting interactive access with RBAC and just-in-time approvals, and adding runtime policies to deny process-termination utilities in production images where not required. +""" +references = [ + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 21 +rule_id = "85d9c573-ad77-461b-8315-9a02a280b20b" +severity = "low" +tags = [ + "Data Source: Elastic Defend for Containers", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where event.type == "start" and event.action == "exec" and container.id like "*?" and +( + process.name in ("kill", "pkill", "killall") or + ( + /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */ + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and + process.args in ( + "kill", "/bin/kill", "/usr/bin/kill", "/usr/local/bin/kill", + "pkill", "/bin/pkill", "/usr/bin/pkill", "/usr/local/bin/pkill", + "killall", "/bin/killall", "/usr/bin/killall", "/usr/local/bin/killall" + ) and + /* default exclusion list to not FP on default multi-process commands */ + not process.args in ( + "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man", + "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod", + "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown" + ) + ) +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml index e30b229e2..4e79c7957 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -71,7 +71,8 @@ type = "eql" query = ''' process where event.type == "start" and event.action == "exec" and process.interactive == true and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and -process.args in ("-lc", "-c") and process.args like ("*echo *", "*printf *") and process.args like ( +process.args in ("-lc", "-c", "-cl") and process.args like ("*echo *", "*printf *") and +process.args like ( "*/etc/cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *", "*base32 *", "*base16 *", "*/etc/profile*", "*/dev/shm/*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*xxd *", diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml index c2a1b7d6c..eb31c917b 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/05" [rule] author = ["Elastic"] @@ -17,15 +17,15 @@ index = ["logs-cloud_defend.process*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Web Server Child Shell Spawn Detected via Defend for Containers" +name = "Web Server Exploitation Detected via Defend for Containers" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Web Server Child Shell Spawn Detected via Defend for Containers +### Investigating Web Server Exploitation Detected via Defend for Containers -This rule flags Linux container activity where a web server (or typical web-service account) spawns an interactive shell to run a command string, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell). +This rule flags Linux container activity where a web server (or typical web-service account) executes a suspicious process, a strong indicator of web app exploitation rather than normal request handling. It matters because this pattern commonly marks initial foothold and post-exploitation execution that can lead to persistence and lateral movement from the service container. A typical attacker flow drops a web shell or abuses RCE to launch `sh -c` and pull or run a secondary payload (e.g., reverse shell). ### Possible investigation steps @@ -48,9 +48,9 @@ This rule flags Linux container activity where a web server (or typical web-serv - Recover by validating application integrity and behavior post-redeploy (no unexpected shell spawns, no abnormal outbound connections, clean health checks) and monitor the previously contacted IPs/domains for further callbacks from other workloads. - Escalate to incident response and platform security immediately if the shell command indicates payload retrieval, reverse shell activity, credential access, or if similar `sh -c` executions are observed across multiple containers/namespaces. - Harden by removing shell binaries from runtime images where feasible, enforcing non-root and read-only filesystems, restricting egress to required destinations only, disabling risky interpreter execution paths in the web app, and adding WAF/RCE protections for the identified vulnerable endpoint.""" -risk_score = 47 +risk_score = 73 rule_id = "497a7091-0ebd-44d7-88c4-367ab4d4d852" -severity = "medium" +severity = "high" tags = [ "Data Source: Elastic Defend for Containers", "Domain: Container", @@ -64,32 +64,174 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( +process where event.type == "start" and event.action == "exec" and process.parent.interactive == false and +container.id like "?*" and ( process.parent.name in ( - "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "mongrel_rails", "gunicorn", - "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn", - "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel", "php-cgi", - "php-fcgi", "php-cgi.cagefs", "catalina.sh", "hiawatha", "lswsctrl" + "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask", + "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman" ) or - process.parent.name like "php-fpm*" or - user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9") or - user.id in ("33", "498", "48") or - (process.parent.name == "java" and process.parent.working_directory like "/u0?/*") or - process.parent.working_directory like "/var/www/*" -) and ( - (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox")) or - (process.args in ( - "bash", "/bin/bash", "/usr/bin/bash", "/usr/local/bin/bash", - "dash", "/bin/dash", "/usr/bin/dash", "/usr/local/bin/dash", - "sh", "/bin/sh", "/usr/bin/sh", "/usr/local/bin/sh", - "tcsh", "/bin/tcsh", "/usr/bin/tcsh", "/usr/local/bin/tcsh", - "csh", "/bin/csh", "/usr/bin/csh", "/usr/local/bin/csh", - "zsh", "/bin/zsh", "/usr/bin/zsh", "/usr/local/bin/zsh", - "ksh", "/bin/ksh", "/usr/bin/ksh", "/usr/local/bin/ksh", - "fish", "/bin/fish", "/usr/bin/fish", "/usr/local/bin/fish", - "busybox", "/bin/busybox", "/usr/bin/busybox", "/usr/local/bin/busybox" - )) -) and process.args == "-c" and container.id like "?*" + process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or + (process.parent.name like "ruby*" and process.parent.args like~ ("*puma*", "*rails*", "*passenger*")) or + (process.parent.name like "python*" and process.parent.args like~ ( + "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*" + )) or + (process.parent.name like "perl*" and process.parent.args like~ "*plackup*") or + (process.parent.name == "node" and process.parent.args like~ ( + "*next start*", "*--port*", "*PORT=*", "*HOST=*", "*0.0.0.0*", "*/dist/*.js*", "*/build/*.js*", "*/server/*.js*", + "*/app/*.js*","*/apps/*/*.js*", "*/index.js*", "*/main.js*", "*/srv/*", "*/opt/*", "*/var/www/*" + ) and + not process.parent.args like ("/opt/cursor-agent/*", "/home/*/*", "/root/*", "/opt/vscode-server/*", "/usr/lib/node_modules/openclaw/dist/index.js") + ) or + (process.parent.name == "java" and process.parent.args like~ ( + /* Tomcat */ + "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*", + + /* Jetty */ + "org.eclipse.jetty.start.Main", "-Djetty.home=*", + + /* WildFly / JBoss */ + "org.jboss.modules.Main", "-Djboss.home.dir=*", + + /* WebLogic */ + "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*", + + /* WebSphere traditional + Liberty */ + "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap", + + /* GlassFish */ + "com.sun.enterprise.glassfish.bootstrap.ASMain", + + /* Resin */ + "com.caucho.server.resin.Resin", + + /* Spring Boot */ + "org.springframework.boot.loader.*", + + /* Quarkus */ + "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain", + + /* Micronaut */ + "io.micronaut.runtime.Micronaut", + + /* Dropwizard */ + "io.dropwizard.cli.ServerCommand", + + /* Play */ + "play.core.server.ProdServerStart", + + /* Helidon */ + "io.helidon.microprofile.server.Main", "io.helidon.webserver*", + + /* Vert.x */ + "io.vertx.core.Launcher", + + /* Keycloak */ + "org.keycloak*", + + /* Apereo CAS */ + "org.apereo.cas*", + + /* Elasticsearch */ + "org.elasticsearch.bootstrap.Elasticsearch", + + /* Atlassian / Gerrit */ + "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon", + + /* Solr */ + "*-Dsolr.solr.home=*" + ) + ) +) and +process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and +process.args in ("-c", "-cl", "-lc") and ( + process.args like ( + /* Suspicious Paths */ + "* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /var/www/*", "* /run/*", "* /var/run/*", + + /* Interpreter Execution */ + "*python* -c*", "*php* -r*", "*perl* -e*", "*ruby* -e*", "*lua* -e*", "*node * -e *", + + /* Encoding / Decoding */ + "*base64 -*d*", "*|*base64 *", "*xxd *", "*openssl*enc * -d *", + + /* Reverse Shells */ + "*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", " *socat *", "*openssl*s_client *", "*stty*raw*-echo*", + + /* File Access */ + "*>*/etc/cron*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*", "*/etc/passwd*", "*chpasswd*", + + /* AWS Credentials */ + "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", + "*access_key*", "*.aws/credentials*", "*/.aws/config*", + + /* Azure Credentials */ + "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*", + "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*", + "*/run/secrets/azure/*", + + /* GCP Credentials */ + "*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*", + "*client_email*", "*private_key_id*", "*private_key*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*", + + /* Misc. Cloud */ + "*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*", + + /* Helpers */ + "*nohup*", "*setsid *", "*timeout *sh -c *", "*disown*", "*env *sh *-c*", + + /* Miscellaneous */ + "*echo *", "*chattr *", "*busybox *", "*#!*", "*chmod +x *", "*chmod 777*", + + /* Decompression */ + "*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*", + + /* Path Traversal */ + "*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*", + + "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*ruby*", "*|*node*", "*|*lua*", "*|*busybox*" + ) or + ( + process.args like ("*wget *", "*curl *") and ( + ( + process.args like~ ("* -o *", "* --output*", "* -o- *") and + process.args regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*" + ) or + ( + process.args like ("*http://*", "*https://*") and + process.args like ( + "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* /var/www/*", "* ~/*", + "* /home/*", "* /run/*", "* /var/run/*" + ) + ) + ) + ) +) and +not ( + (process.parent.name == "nginx" and process.args like ("chmod 777 /etc/resty-*", "resty*")) or + (process.parent.name == "apache2" and ( + process.args in ( + "/usr/local/bin/php -r 'echo phpversion();'", + "/usr/local/bin/php -r 'echo phpversion();'", + "/usr/bin/php -r 'echo phpversion();'" + ) or + process.args like """bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*""" + ) + ) or + (process.parent.name like "php-fpm*" and process.args in ( + "/usr/bin/php -r 'echo phpversion();'", + "/usr/bin/php -r 'echo phpversion();'", + "php -r 'print_r(phpversion());'", + "chattr -i -a /usr/local/virtualizor/license2.php" + ) + ) or + (process.parent.name == "php-cgi" and process.args like ( + "nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &", + "nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &", + "nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &", + "nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &" + ) + ) +) ''' [[rule.threat]] diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml new file mode 100644 index 000000000..cd55cbf87 --- /dev/null +++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml @@ -0,0 +1,116 @@ +[metadata] +creation_date = "2026/03/05" +integration = ["kubernetes"] +maturity = "production" +updated_date = "2026/03/05" + +[rule] +author = ["Elastic"] +description = """ +Detects the creation or modification of several sensitive workloads, such as DaemonSets, Deployments, +or CronJobs, by an unusual user agent, source IP and username, which may indicate privilege escalation +or unauthorized access within the cluster. +""" +index = ["logs-kubernetes.audit_logs-*"] +language = "kuery" +license = "Elastic License v2" +name = "Unusual Kubernetes Sensitive Workload Modification" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Unusual Kubernetes Sensitive Workload Modification + +This rule detects allowed create or patch activity against sensitive Kubernetes workloads (DaemonSets, Deployments, CronJobs) coming from an unusual combination of client, network origin, and user identity, which can signal stolen credentials, privilege escalation, or unauthorized control of cluster execution. Attackers commonly patch an existing Deployment to inject a new container or init container that runs with elevated privileges and pulls a remote payload, then rely on the workload controller to redeploy it across the environment. + +### Possible investigation steps + +- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings). +- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator. +- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers. +- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity). +- Validate the change against an approved deployment workflow by correlating with GitOps/CI commit history and change tickets, and if unapproved, contain by scaling down/rolling back the workload and revoking the credential or token used. + +### False positive analysis + +- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized. +- A routine automation path changes (e.g., CI runner or service account rotated/migrated to a new node pool or network segment) and continues applying standard workload updates, causing the same create/patch activity to appear anomalous due to the new origin and client identity. + +### Response and remediation + +- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence. +- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline. +- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor. +- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence. +- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes. +- Harden by enforcing admission controls to restrict privileged settings and sensitive namespaces, requiring changes via approved automation identities, and tightening RBAC so only designated deployment controllers can create/patch DaemonSets, Deployments, and CronJobs. +""" +references = [ + "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#overly-permissive-role-based-access-control", + "https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware", +] +risk_score = 21 +rule_id = "78c6559d-47a7-4f30-91fe-7e2e983206c2" +severity = "low" +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" +query = ''' +event.dataset:"kubernetes.audit_logs" and user_agent.original:* and +kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and +kubernetes.audit.objectRef.resource:("daemonsets" or "deployments" or "cronjobs") and +kubernetes.audit.verb:("create" or "patch") and +not kubernetes.audit.user.groups:"system:masters" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["user_agent.original", "source.ip", "kubernetes.audit.user.username"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d"