From b0838cc2cb3eb90f4f952fe151a3e50231a4ed44 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 16 May 2023 16:56:52 -0400 Subject: [PATCH] [New Rule] SSH Connection Established Inside A Running Container (#2793) * [New Rule] SSH Connection Established Inside A Running Container new rule toml * Update initial_access_ssh_connection_established_inside_a_container.toml moved order of tactics * Apply suggestions from code review updated spacing based on code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- ...ection_established_inside_a_container.toml | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml new file mode 100644 index 000000000..ead2f3420 --- /dev/null +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml @@ -0,0 +1,78 @@ +[metadata] +creation_date = "2023/05/12" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/05/16" + +[rule] +author = ["Elastic"] +description = """ +This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside +a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use +it to gain initial access or establish persistence within a compromised environment. +""" +false_positives = [""" + SSH usage may be legitimate depending on the environment. + Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior. + """ +] +from = "now-6m" +index = ["logs-cloud_defend*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "SSH Connection Established Inside A Running Container" +references = [ + "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", +] +risk_score = 73 +rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828" +severity = "high" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access", "Lateral Movement", "Container"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where container.id: "*" and event.type == "start" and + +/* use of sshd to enter a container*/ +process.entry_leader.entry_meta.type: "sshd" and + +/* process is the initial process run in a container or start of a new session*/ +(process.entry_leader.same_as_process== true or process.session_leader.same_as_process== true) and + +/* interactive process*/ +process.interactive== true +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/"