IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Sensitive Keys Or Passwords Searched For Inside A Container
editSensitive Keys Or Passwords Searched For Inside A Container
editThis rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Credential Access
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where container.id: "*" and event.type== "start" and (( /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name in ("grep", "egrep", "fgrep") or process.args in ("grep", "egrep", "fgrep")) and process.args : ("*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*", "*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", "*pass*", "*ssh*", "*user*") ) or ( /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate")) and process.args : ("*id_rsa*", "*id_dsa*") ))
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
-
Sub-technique:
- Name: Credentials In Files
- ID: T1552.001
- Reference URL: https://attack.mitre.org/techniques/T1552/001/