Suspicious Interactive Shell Spawned From Inside A Container
editSuspicious Interactive Shell Spawned From Inside A Container
editThis rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker’s attempt to gain unauthorized access to the underlying host.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Execution
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where container.id: "*" and event.type== "start" and /*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/ event.action in ("fork", "exec") and event.action != "end" and process.entry_leader.same_as_process== false and ( (process.executable: "*/*sh" and process.args: ("-i", "-it")) or process.args: "*/*sh" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: Unix Shell
- ID: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/