Terrance DeJesus
30 lines
1.5 KiB
TOML
30 lines
1.5 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
name = "Sensitive File Access via Docker"
|
|
uuid = "fb136106-207c-11f0-aa05-f661ea17fbcd"
|
|
description = """
|
|
Detects Docker or Docker Desktop processes accessing potentially sensitive host files, including SSH keys, cloud provider credentials, browser data, or crypto wallet files. This behavior may indicate container escape attempts, data harvesting from the host, or misconfigured volume mounts exposing secrets.
|
|
"""
|
|
integration = ["endpoint"]
|
|
language = ["EQL"]
|
|
license = "Elastic License v2"
|
|
mitre = ["T1083", "T1552.001"]
|
|
notes = [
|
|
"Docker processes accessing sensitive host files may suggest attempts to harvest credentials from the host system.",
|
|
"You may enrich this detection by adding file paths for `.aws/credentials`, `.ssh/id_rsa`, `keychain`, or `Cookies`.",
|
|
"Consider filtering legitimate developer use cases or adjusting for specific containers if needed."
|
|
]
|
|
query = [
|
|
'''
|
|
file where event.action == "open" and
|
|
(process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and
|
|
not file.name in ("System.keychain", "login.keychain-db")
|
|
'''
|
|
]
|
|
references = [
|
|
"https://www.elastic.co/security-labs/dprk-code-of-conduct",
|
|
"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
|
|
"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
|
|
"https://x.com/safe/status/1897663514975649938",
|
|
"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
|
|
] |