From 57599e37960233268a2eb908ef5ced64a46d9735 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 26 Jan 2026 16:46:59 +0100
Subject: [PATCH] [New Rule] Curl SOCKS Proxy Detected via Defend for Containers (#5596)
* [New Rule] Curl SOCKS Proxy Detected via Defend for Containers
* Added reference
* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update time range for cloud defend rule
* Update rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...socks_proxy_detected_inside_container.toml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
new file mode 100644
index 000000000..c2750e840
--- /dev/null
+++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2026/01/22"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
+min_stack_version = "9.3.0"
+updated_date = "2026/01/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of the "curl" command-line tool with SOCKS proxy options. Attackers may use "curl" to establish a
+SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers.
+"""
+false_positives = [
+ """
+ There is a potential for false positives if SOCKS proxies are used for legitimate purposes, such as debugging or
+ troubleshooting, or if the "curl" command-line tool is used to download files from a known benign source. It is
+ important to investigate any alerts generated by this rule to determine if they are indicative of malicious
+ activity or part of legitimate container activity.
+ """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend.process*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Curl SOCKS Proxy Detected via Defend for Containers"
+references = ["https://www.trendmicro.com/en_us/research/25/f/tor-enabled-docker-exploit.html"]
+risk_score = 47
+rule_id = "eb958cb3-dead-42b6-94ff-b9de6721fab2"
+severity = "medium"
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name == "curl" and process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*", "-x") and
+process.interactive == true and container.id like "?*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"