sigma-rules/rules/integrations/cloud_defend/discovery_tool_enumeration.toml
Ruben Groenewoud c5b64c9fbf [New/Tuning] General API Abuse D4C/K8s Rules (#5591)
* [New/Tuning] General API Abuse D4C/K8s Rules

* [New Rule] DNS Enumeration Detected via Defend for Containers

* [New Rule] Tool Enumeration Detected via Defend for Containers

* [New Rule] Tool Installation Detected via Defend for Containers

* Service Account File Reads

* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers

* Rule name update

* [New Rules] D4C K8S MDA API Request Rules

* Add 'tor' to the list of allowed process args

* ++

* ++

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update description

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 16:59:14 +01:00


[metadata]
creation_date = "2026/01/21"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
# Currently identical to creation_date; advance this whenever the query, tool list or
# exclusions below are changed so downstream consumers can tell the rule was revised.
updated_date = "2026/01/21"
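[rule]
author = ["Elastic"]
description = """
This rule detects the enumeration of tools by the "which" command inside a container. The "which" command resolves a
command name to its executable on the PATH, so an adversary who has landed in a container can use it to quickly learn
which network, scripting, compilation, scanning and container-management utilities are available before choosing a next
step. The rule only considers interactive processes running inside a container, and only the utility names in its tool list.
"""
false_positives = [
"""
There is a potential for false positives if the "which" command is used for legitimate purposes,
such as debugging or troubleshooting from an interactive shell (for example during a "kubectl exec" or "docker exec -it"
session). It is important to investigate any alerts generated by this rule to determine
if they are indicative of malicious activity or part of legitimate container activity.
""",
]
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Tool Enumeration Detected via Defend for Containers"
risk_score = 21
rule_id = "b84264aa-37a3-49f8-8bbc-60acbe9d4f86"
severity = "low"
tags = [
"Data Source: Elastic Defend for Containers",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  /* Direct invocation of which(1). Shell builtins such as `command -v`, `type` or `hash` never exec a
     new process and therefore cannot be seen by this rule; `whereis` is also not in scope. */
  process.name == "which" or
  (
    /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
    process.args in ("which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which") and
    /* default exclusion list to not FP on default multi-process commands.
       Note: this drops the whole event if any argument is man/chmod/chown, even when a listed tool is also present. */
    not process.args in (
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )
) and
/* `in` is an exact, case-sensitive string comparison and does not expand wildcards, so every entry
   below must be a literal utility name (the former "cc1*" entry could never match). */
process.args in (
  /* TCP IP */
  "curl", "wget", "socat", "nc", "netcat", "ncat", "busybox", "python3", "python", "perl", "node", "openssl", "ruby", "lua",
  /* networking */
  "getent", "dig", "nslookup", "host", "ip", "tcpdump", "tshark",
  /* container management */
  "kubectl", "docker", "kubelet", "kube-proxy", "containerd", "systemd", "crictl",
  /* compilation */
  "gcc", "g++", "clang", "clang++", "cc", "c++", "c99", "c89", "cc1", "cc1plus", "musl-gcc", "musl-clang", "tcc", "zig", "ccache", "distcc", "make",
  /* scanning */
  "nmap", "zenmap", "nuclei", "netdiscover", "legion", "masscan", "zmap", "zgrab", "ngrep", "telnet", "mitmproxy"
) and
/* Interactive (TTY-attached) processes inside a container only: non-interactive scripts and entrypoints
   that call "which" are deliberately out of scope to keep the false-positive rate low. */
process.interactive == true and container.id like "*"
'''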
[[rule.threat]]
framework = "MITRE ATT&CK"
# T1518 covers probing for installed software via "which"; T1613 covers the container-specific
# part of the tool list (kubectl, kubelet, docker, containerd, crictl, kube-proxy).
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"