From d8e9874d548f3e42b2ade4827b5039645f347ef8 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 16 May 2023 15:29:54 -0400 Subject: [PATCH] [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789) * [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container new rule toml * description update Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * added locate and mlocate based on review suggestion --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- ...r_passwords_search_inside_a_container.toml | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml new file mode 100644 index 000000000..6b703f0f6 --- /dev/null +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2023/05/12" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/05/16" + +[rule] +author = ["Elastic"] +description = "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine." +from = "now-6m" +index = ["logs-cloud_defend*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Sensitive Keys Or Passwords Searched For Inside A Container" +tags = ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Credential Access"] +references = [ + "https://sysdig.com/blog/cve-2021-25741-kubelet-falco/", +] +risk_score = 47 +rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a" +severity = "medium" +timestamp_override = "event.ingested" +type = "eql" + +query = """ +process where container.id: "*" and event.type== "start" and +(( +/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ + (process.name in ("grep", "egrep", "fgrep") or process.args in ("grep", "egrep", "fgrep")) + and process.args : ("*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*", +"*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", "*pass*", "*ssh*", "*user*") +) +or +( +/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ + (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate")) + and process.args : ("*id_rsa*", "*id_dsa*") +)) +""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0006" + reference = "https://attack.mitre.org/tactics/TA0006/" + name = "Credential Access" + + [[rule.threat.technique]] + id = "T1552" + reference = "https://attack.mitre.org/techniques/T1552/" + name = "Unsecured Credentials" + + [[rule.threat.technique.subtechnique]] + id = "T1552.001" + reference = "https://attack.mitre.org/techniques/T1552/001/" + name = "Credentials In Files"