Techniques
Sample rules
Interactive Shell Spawn Detected via Defend for Containers
- source: elastic
- techniques:
- T1059
Description
This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker’s attempt to gain unauthorized access to the underlying host.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
  process.entry_leader.same_as_process == false and process.interactive == true and container.id like "*" and
  process.args in (
    "sh", "dash", "bash", "zsh", "fish", "busybox",
    "/bin/sh", "/bin/dash", "/bin/bash", "/bin/zsh", "/bin/fish", "/bin/busybox",
    "/usr/bin/sh", "/usr/bin/dash", "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish", "/usr/bin/busybox",
    "/usr/local/bin/sh", "/usr/local/bin/dash", "/usr/local/bin/bash", "/usr/local/bin/zsh", "/usr/local/bin/fish", "/usr/local/bin/busybox"
  ) and process.args in ("-i", "-it")
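To make the clauses of the query concrete, the following is an added example (not Elastic's code and not part of the rule repository) that re-implements the detection logic in Python and runs it over a few constructed process events. It mirrors EQL's array semantics, where `process.args in (...)` matches if any element of the args array is in the list, with set intersections, and treats `container.id like "*"` as "the field is present". The event field names are the ECS names used by the rule; the event contents and the container id are constructed sample data.

```python
"""Added example: a Python re-implementation of the rule's conditions, applied
to constructed sample events. Not Elastic's code; the events are made up."""

SHELL_NAMES = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}

# Bare names plus the three path prefixes listed in the rule.
_SHELLS = ("sh", "dash", "bash", "zsh", "fish", "busybox")
SHELL_ARGS = set(_SHELLS) | {
    f"{prefix}/{shell}"
    for prefix in ("/bin", "/usr/bin", "/usr/local/bin")
    for shell in _SHELLS
}
INTERACTIVE_FLAGS = {"-i", "-it"}


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every clause of the detection logic."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start" or event.get("event.action") != "exec":
        return False
    if event.get("process.name") not in SHELL_NAMES:
        return False
    # The shell must not itself be the session's entry leader.
    if event.get("process.entry_leader.same_as_process") is not False:
        return False
    if event.get("process.interactive") is not True:
        return False
    # `container.id like "*"` only requires the field to be present.
    if not event.get("container.id"):
        return False
    # EQL `in` on an array field matches if any element is in the list.
    args = set(event.get("process.args", []))
    return bool(args & SHELL_ARGS) and bool(args & INTERACTIVE_FLAGS)


def _base(**overrides) -> dict:
    """Build a constructed Linux exec event with the given field overrides."""
    event = {
        "host.os.type": "linux",
        "event.type": "start",
        "event.action": "exec",
        "process.entry_leader.same_as_process": False,
        "container.id": "constructed-container-0001",  # constructed, not real
    }
    event.update(overrides)
    return event


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive shell exec'd inside a container: expected to alert.
    _base(**{"process.name": "bash", "process.args": ["/bin/bash", "-i"],
             "process.interactive": True}),
    # Non-interactive one-liner inside a container: no alert.
    _base(**{"process.name": "sh", "process.args": ["/bin/sh", "-c", "echo hi"],
             "process.interactive": False}),
    # Interactive shell on the host with no container.id: outside the rule's scope.
    _base(**{"process.name": "bash", "process.args": ["bash", "-i"],
             "process.interactive": True, "container.id": None}),
    # The shell is the entry leader of its session: excluded by the rule.
    _base(**{"process.name": "zsh", "process.args": ["/usr/bin/zsh", "-i"],
             "process.interactive": True,
             "process.entry_leader.same_as_process": True}),
]


def evaluate(events: list) -> list:
    """Apply the rule to each event and return one boolean per event."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "     ", event["process.name"], event["process.args"])
```

Only the first sample event trips every clause; the others each fail exactly one of them (not interactive, no container id, or the shell is the session's entry leader), which is a quick way to confirm that each condition in the query is actually contributing.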