From f098336ff951dd7c2b78ae67054ad517c846e671 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 3 Dec 2025 16:14:33 +0100 Subject: [PATCH] [New Rule] Pod or Container Creation with Suspicious Command-Line (#5379) * [New Rule] Pod or Container Creation with Suspicious Command-Line * Added container domain tag * Update execution_suspicious_pod_or_container_creation_command_execution.toml * Refine EQL query for suspicious pod/container creation * Update rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml * Update execution_suspicious_pod_or_container_creation_command_execution.toml * Update process name conditions for suspicious execution --- ..._container_creation_command_execution.toml | 118 ++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml new file mode 100644 index 000000000..6373ccf5f --- /dev/null +++ b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml @@ -0,0 +1,118 @@ +[metadata] +creation_date = "2025/12/01" +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] +maturity = "production" +updated_date = "2025/12/01" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the creation of pods or containers that execute suspicious commands often associated with persistence or +privilege escalation techniques. Attackers may use container orchestration tools like kubectl or container runtimes like +docker to create pods or containers that run shell commands with arguments that indicate attempts to establish persistence +(e.g., modifying startup scripts, creating backdoors). +""" +from = "now-9m" +index = [ + "auditbeat-*", + "endgame-*", + "logs-auditd_manager.auditd-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*", +] +language = "eql" +license = "Elastic License v2" +name = "Pod or Container Creation with Suspicious Command-Line" +risk_score = 47 +rule_id = "c595363f-52a6-49e1-9257-0e08ae043dbd" +severity = "medium" +tags = [ + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and ( + (process.name == "kubectl" and process.args == "run" and process.args == "--restart=Never" and process.args == "--") or + (process.name in ("docker", "nerdctl", "ctl") and process.args == "run") +) and +process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and +process.command_line like~ ( + "*atd*", "*cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *", + "*/etc/profile*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*autostart*", "*xxd *", "*/etc/shadow*", "*./.*", + "*import*pty*spawn*", "*import*subprocess*call*", "*TCPSocket.new*", "*TCPSocket.open*", "*io.popen*", "*os.execute*", "*fsockopen*", + "*disown*", "* ncat *", "* nc *", "* netcat *", "* nc.traditional *", "*socat*", "*telnet*", "*/tmp/*", "*/dev/shm/*", "*/var/tmp/*", + "*/boot/*", "*/sys/*", "*/lost+found/*", "*/media/*", "*/proc/*", "*/var/backups/*", "*/var/log/*", "*/var/mail/*", "*/var/spool/*" +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"