[New Rule] Curl SOCKS Proxy Detected via Defend for Containers (#5596)

* [New Rule] Curl SOCKS Proxy Detected via Defend for Containers

* Added reference

* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update time range for cloud defend rule

* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml

@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2026/01/22"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/01/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of the "curl" command-line tool with SOCKS proxy options. Attackers may use "curl" to establish a
+SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers.
+"""
+false_positives = [
+    """
+    There is a potential for false positives if SOCKS proxies are used for legitimate purposes, such as debugging or
+    troubleshooting, or if the "curl" command-line tool is used to download files from a known benign source. It is
+    important to investigate any alerts generated by this rule to determine if they are indicative of malicious
+    activity or part of legitimate container activity.
+    """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Curl SOCKS Proxy Detected via Defend for Containers"
+references = ["https://www.trendmicro.com/en_us/research/25/f/tor-enabled-docker-exploit.html"]
+risk_score = 47
+rule_id = "eb958cb3-dead-42b6-94ff-b9de6721fab2"
+severity = "medium"
+tags = [
+    "Data Source: Elastic Defend for Containers",
+    "Domain: Container",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name == "curl" and process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*", "-x") and
+process.interactive == true and container.id like "?*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"