SSH Connection Established Inside A Running Container

edit

SSH Connection Established Inside A Running Container

edit

This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Tactic: Lateral Movement

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where container.id: "*" and event.type == "start" and

/* use of sshd to enter a container*/
process.entry_leader.entry_meta.type: "sshd"  and

/* process is the initial process run in a container or start of a new session*/
(process.entry_leader.same_as_process== true or process.session_leader.same_as_process== true) and

/* interactive process*/
process.interactive== true

Framework: MITRE ATT&CKTM