security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789)

Browse Source 
* [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container

new rule toml

* description update

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* added locate and mlocate based on review suggestion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Isai
2023-05-16 15:29:54 -04:00
committed by GitHub
parent 73f87ad7e6
commit d8e9874d54
1 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+60
View File
@@ -0,0 +1,60 @@
[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/05/16"
[rule]
author = ["Elastic"]
description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine."
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Sensitive Keys Or Passwords Searched For Inside A Container"
tags = ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Credential Access"]
references = [
"https://sysdig.com/blog/cve-2021-25741-kubelet-falco/",
]
risk_score = 47
rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a"
severity = "medium"
timestamp_override = "event.ingested"
type = "eql"
query = """
process where container.id: "*" and event.type== "start" and
((
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name in ("grep", "egrep", "fgrep") or process.args in ("grep", "egrep", "fgrep"))
and process.args : ("*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*",
"*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", "*pass*", "*ssh*", "*user*")
)
or
(
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate"))
and process.args : ("*id_rsa*", "*id_dsa*")
))
"""
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"
[[rule.threat.technique]]
id = "T1552"
reference = "https://attack.mitre.org/techniques/T1552/"
name = "Unsecured Credentials"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
reference = "https://attack.mitre.org/techniques/T1552/001/"
name = "Credentials In Files"