diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml new file mode 100644 index 000000000..612f168ac --- /dev/null +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml @@ -0,0 +1,79 @@ +[metadata] +creation_date = "2023/05/12" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/05/16" + +[rule] +author = ["Elastic"] +description = """ +This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' +command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. +This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. +A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout. +""" +false_positives = [ + """ + An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from + Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands + inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... + ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec + cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell + connected to the terminal: kubectl exec -i -t cassandra -- sh + """, +] +from = "now-6m" +index = ["logs-cloud_defend*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Interactive Exec Command Launched Against A Running Container" +references = [ + "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/", +] +risk_score = 73 +rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1" +severity = "high" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where container.id : "*" and event.type== "start" and + +/* use of kubectl exec to enter a container */ +process.entry_leader.entry_meta.type : "container" and + +/* process is the inital process run in a container */ +process.entry_leader.same_as_process== true and + +/* interactive process */ +process.interactive == true +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + name = "Execution" + + [[rule.threat.technique]] + id = "T1059" + reference = "https://attack.mitre.org/techniques/T1059/" + name = "Command and Scripting Interpreter" + + [[rule.threat.technique.subtechnique]] + id = "T1059.004" + reference = "https://attack.mitre.org/techniques/T1059/004/" + name = "Unix Shell" + + [[rule.threat.technique]] + id = "T1609" + name = "Container Administration Command" + reference = "https://attack.mitre.org/techniques/T1609/"