Container Management Utility Run Inside A Container
editContainer Management Utility Run Inside A Container
editThis rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Execution
Version: 2
Rule authors:
- Elastic
Rule license: Elastic Licence v2
Rule query
editprocess where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Container Administration Command
- ID: T1609
- Reference URL: https://attack.mitre.org/techniques/T1609/