* [New/Tuning] General API Abuse D4C/K8s Rules * [New Rule] DNS Enumeration Detected via Defend for Containers * [New Rule] Tool Enumeration Detected via Defend for Containers * [New Rule] Tool Installation Detected via Defend for Containers * Service Account File Reads * [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers * Rule name update * [New Rules] D4C K8S MDA API Request Rules * Add 'tor' to the list of allowed process args * ++ * ++ * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update description * Update rules/integrations/cloud_defend/execution_tool_installation.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/integrations/cloud_defend/execution_tool_installation.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update rules/integrations/cloud_defend/execution_tool_installation.toml * Update non-ecs-schema.json --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
[metadata]
creation_date = "2026/01/21"
integration = ["cloud_defend"]
maturity = "production"
# The rule reads the logs-cloud_defend.* data stream, which only exists on stacks where the
# re-introduced Defend for Containers integration is available; hence the floor below.
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/21"

[rule]
author = ["Elastic"]
description = """
This rule detects the installation of tools inside a container. An adversary may need to install additional software
to enumerate the container, its environment, and move laterally within the environment.
"""
false_positives = [
"""
There is a potential for false positives if the tools are installed for legitimate purposes,
such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine
if they are indicative of malicious activity or part of legitimate container activity.
""",
]
# A 6-minute lookback on a 5-minute schedule leaves a one-minute overlap so late-arriving
# events are not skipped between runs.
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Tool Installation Detected via Defend for Containers"
# Low severity by design: installing packages in a container is common during debugging
# (see false_positives); the alert is a lead to investigate, not a confirmed intrusion.
risk_score = 21
rule_id = "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8"
severity = "low"
tags = [
"Data Source: Elastic Defend for Containers",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
]
# Schedule against ingest time rather than @timestamp so that events delayed on the way
# in still fall inside the lookback window above.
timestamp_override = "event.ingested"
type = "eql"
# Coverage notes (review):
# - The package list is matched against whole process.args elements, and `like` without a
#   wildcard is an exact match, so only a bare package name fires (e.g. "curl"); version-pinned
#   or arch-qualified spellings such as "curl=7.88.1-10" or "curl.x86_64" do not. The "python*"
#   glob matches any argument starting with "python", including distro packages like
#   "python3-pip", which is a noise source worth knowing about.
# - The rpm/dpkg branch requires the literal "-i" or "--install" flag plus a bare name from the
#   same list. Typical invocations pass combined flags and a file path (rpm -ivh ./curl-*.rpm,
#   dpkg -i ./curl.deb), so that branch rarely fires as written. TODO(review): confirm the
#   intended coverage with the rule owners.
# - "-*S*" for pacman also matches non-install sync operations such as "-Ss" (search) and
#   "-Si" (info).
# - process.interactive == true limits the rule to processes the sensor flags as interactive
#   (presumably TTY-attached sessions such as kubectl/docker exec -it); scripted, non-interactive
#   installs do not match. This trades evasion resistance for fewer CI/build false positives.
# - container.id like "*" is an existence check: only events that carry a container id are
#   considered, which keeps host-level package installs out of scope.
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf") and process.args == "install") or
(process.name == "apk" and process.args == "add") or
(process.name == "pacman" and process.args like "-*S*") or
(process.name in ("rpm", "dpkg") and process.args in ("-i", "--install"))
) and process.args like (
"curl", "wget", "socat", "busybox", "openssl", "torsocks",
"netcat", "netcat-openbsd", "netcat-traditional", "ncat", "tor",
"python*", "perl", "node", "nodejs", "ruby", "lua"
) and process.interactive == true and container.id like "*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

# NOTE(review): T1072 covers abuse of enterprise software deployment suites (SCCM and the like).
# Pulling network/interpreter tooling into a container through a package manager may be closer
# to T1105 (Ingress Tool Transfer). Left unchanged here; confirm with the rule owners before
# remapping, since the tactic tag above would move with it.
[[rule.threat.technique]]
id = "T1072"
name = "Software Deployment Tools"
reference = "https://attack.mitre.org/techniques/T1072/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"