Legitimate users and processes, such as system administration tools, may run shell utilities inside a container, resulting in false positives.

Techniques

Sample rules

Suspicious Interactive Shell Spawned From Inside A Container

Description

This rule detects when an interactive shell is spawned inside a running container. Such a shell is a common foothold for an attacker and may precede a container breakout attempt or an attempt to gain unauthorized access to the underlying host.

Detection logic

process where container.id : "*" and
  event.type == "start" and
  /* D4C consolidates closely spawned event.actions; excluding "end" actions keeps only ongoing processes */
  event.action in ("fork", "exec") and event.action != "end" and
  process.entry_leader.same_as_process == false and
  (
    (process.executable : "*/*sh" and process.args : ("-i", "-it")) or
    process.args : "*/*sh"
  )
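To see which events the query above actually fires on, here is an added example that is not part of the LoFP page or of Elastic's rule: the EQL clauses re-implemented in Python and run over a handful of constructed ECS-style events. It assumes that EQL's `:` operator is a case-insensitive wildcard match in which `*` matches any run of characters (including `/`) and that a list-valued field such as `process.args` matches when any element matches; the event dicts, container id and file paths are made up for illustration.

```python
"""Added example (not the LoFP page's or Elastic's own code): evaluate the
'Suspicious Interactive Shell Spawned From Inside A Container' logic over
constructed ECS-style events, including two benign cases that still match."""
from fnmatch import fnmatchcase


def wildcard_match(value, pattern):
    """Approximation of EQL ':' semantics (assumption): case-insensitive,
    '*' matches anything including '/', list fields match if any element
    matches, and a missing field never matches."""
    if value is None or value == "":
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatchcase(str(v).lower(), pattern.lower()) for v in values)


def rule_matches(ev):
    """Return True when the event satisfies every clause of the rule's query."""
    if not wildcard_match(ev.get("container.id"), "*"):           # container.id : "*"
        return False
    if ev.get("event.type") != "start":                             # event.type == "start"
        return False
    action = ev.get("event.action")                                 # in ("fork","exec") and != "end"
    if action not in ("fork", "exec") or action == "end":
        return False
    if ev.get("process.entry_leader.same_as_process") is not False:  # == false (missing field fails)
        return False
    # Branch 1: a *sh executable started with -i or -it
    interactive_shell = (
        wildcard_match(ev.get("process.executable"), "*/*sh")
        and (wildcard_match(ev.get("process.args"), "-i")
             or wildcard_match(ev.get("process.args"), "-it"))
    )
    # Branch 2: any argument that looks like a path ending in "sh"
    shell_path_in_args = wildcard_match(ev.get("process.args"), "*/*sh")
    return interactive_shell or shell_path_in_args


# Constructed sample events (not real telemetry). "name" is only a label.
SAMPLE_EVENTS = [
    # kubectl exec-style interactive shell: the case the rule is written for
    {"name": "attacker_interactive_bash", "container.id": "3f9c2a1e8b7d",
     "event.type": "start", "event.action": "exec",
     "process.entry_leader.same_as_process": False,
     "process.executable": "/bin/bash", "process.args": ["bash", "-i"]},
    # the container's own entrypoint shell: excluded by the entry-leader clause
    {"name": "container_entrypoint_shell", "container.id": "3f9c2a1e8b7d",
     "event.type": "start", "event.action": "exec",
     "process.entry_leader.same_as_process": True,
     "process.executable": "/bin/sh", "process.args": ["/bin/sh", "-i"]},
    # non-interactive script run by a health check: argv contains "*/*sh" paths
    {"name": "benign_healthcheck_script", "container.id": "3f9c2a1e8b7d",
     "event.type": "start", "event.action": "exec",
     "process.entry_leader.same_as_process": False,
     "process.executable": "/bin/sh", "process.args": ["/bin/sh", "/app/healthcheck.sh"]},
    # ssh -i <identity file>: "/usr/bin/ssh" also matches "*/*sh"
    {"name": "benign_ssh_with_identity_file", "container.id": "3f9c2a1e8b7d",
     "event.type": "start", "event.action": "exec",
     "process.entry_leader.same_as_process": False,
     "process.executable": "/usr/bin/ssh",
     "process.args": ["ssh", "-i", "/root/.ssh/id_ed25519", "deploy@bastion"]},
    # same shell on the host (no container.id): out of scope for the rule
    {"name": "host_process_no_container",
     "event.type": "start", "event.action": "exec",
     "process.entry_leader.same_as_process": False,
     "process.executable": "/bin/bash", "process.args": ["bash", "-i"]},
    # process exit for the interactive shell: filtered by event.type
    {"name": "process_end_event", "container.id": "3f9c2a1e8b7d",
     "event.type": "end", "event.action": "end",
     "process.entry_leader.same_as_process": False,
     "process.executable": "/bin/bash", "process.args": ["bash", "-i"]},
    # ordinary application process
    {"name": "benign_python_worker", "container.id": "3f9c2a1e8b7d",
     "event.type": "start", "event.action": "exec",
     "process.entry_leader.same_as_process": False,
     "process.executable": "/usr/bin/python3", "process.args": ["python3", "worker.py"]},
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event's name to whether the rule fires on it."""
    return {ev["name"]: rule_matches(ev) for ev in events}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT' if fired else '  -  '} {name}")
```

Two of the three alerts in this run are the false positives the page warns about: the health-check script matches because the second branch fires on any argument ending in `sh` (argv[0] of a shell invoked by full path, or a `.sh` script), and `ssh -i` matches because the `*/*sh` wildcard on `process.executable` is wider than just shells. When tuning, exclusions keyed on `process.entry_leader` or on the specific executables used by deployment and health-check tooling are more robust than loosening the shell patterns.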