security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e125a4e4cf6f6d67daa8076a4c259ed02bc9dd3f
sigma-rules/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
T
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00

80 lines
3.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/05/12"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
description = """
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container.
This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell.
A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
"""
false_positives = [
"""
An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
connected to the terminal: kubectl exec -i -t cassandra -- sh
""",
]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Interactive Exec Command Launched Against A Running Container"
references = [
"https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
"https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
]
risk_score = 73
rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where container.id : "*" and event.type== "start" and
/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and
/* process is the inital process run in a container */
process.entry_leader.same_as_process== true and
/* interactive process */
process.interactive == true
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
name = "Execution"
[[rule.threat.technique]]
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
name = "Command and Scripting Interpreter"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"
name = "Unix Shell"
[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"
Reference in New Issue View Git Blame Copy Permalink