[metadata] creation_date = "2026/01/21" integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" updated_date = "2026/01/21" [rule] author = ["Elastic"] description = """ This rule detects the installation of tools inside a container. An adversary may need to install additional software to enumerate the container, its environment, and move laterally within the environment. """ false_positives = [ """ There is a potential for false positives if the tools are installed for legitimate purposes, such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity. """, ] from = "now-6m" index = ["logs-cloud_defend.process*"] interval = "5m" language = "eql" license = "Elastic License v2" name = "Tool Installation Detected via Defend for Containers" risk_score = 21 rule_id = "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8" severity = "low" tags = [ "Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf") and process.args == "install") or (process.name == "apk" and process.args == "add") or (process.name == "pacman" and process.args like "-*S*") or (process.name in ("rpm", "dpkg") and process.args in ("-i", "--install")) ) and process.args like ( "curl", "wget", "socat", "busybox", "openssl", "torsocks", "netcat", "netcat-openbsd", "netcat-traditional", "ncat", "tor", "python*", "perl", "node", "nodejs", "ruby", "lua" ) and process.interactive == true and container.id like "*" ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1072" name = "Software Deployment Tools" reference = "https://attack.mitre.org/techniques/T1072/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"