diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
new file mode 100644
index 000000000..c2750e840
--- /dev/null
+++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2026/01/22"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/01/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of the "curl" command-line tool with SOCKS proxy options. Attackers may use "curl" to establish a
+SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers.
+"""
+false_positives = [
+ """
+ There is a potential for false positives if SOCKS proxies are used for legitimate purposes, such as debugging or
+ troubleshooting, or if the "curl" command-line tool is used to download files from a known benign source. It is
+ important to investigate any alerts generated by this rule to determine if they are indicative of malicious
+ activity or part of legitimate container activity.
+ """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Curl SOCKS Proxy Detected via Defend for Containers"
+references = ["https://www.trendmicro.com/en_us/research/25/f/tor-enabled-docker-exploit.html"]
+risk_score = 47
+rule_id = "eb958cb3-dead-42b6-94ff-b9de6721fab2"
+severity = "medium"
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name == "curl" and process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*", "-x") and
+process.interactive == true and container.id like "?*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
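Review bot: The argument list in the query mixes the generic proxy flags `--proxy` and `-x` with SOCKS-specific ones, so curl pointed at an ordinary HTTP egress proxy (common in container builds and CI images) will fire a rule named "Curl SOCKS Proxy Detected", while the SOCKS spellings `--socks4`, `--socks4a`, `--socks5`, `socks4://`/`socks4a://` URLs and joined forms such as `--proxy=socks5h://...` are not covered at all. Consider keying the match on the SOCKS token itself, e.g. `process.name == "curl" and process.args like ("*socks4*", "*socks5*") and`, which covers both the flag and the URL-scheme spellings of each version, or else extend the false_positives text to state that any proxy use by curl is in scope. The `process.interactive == true` condition also limits the rule to interactive sessions, which the description does not mention; a sentence there noting that scripted or automated curl invocations are intentionally excluded would help analysts understand why a non-interactive SOCKS tunnel produced no alert.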