Techniques
Sample rules
SSH Connection Established Inside A Running Container
- source: elastic
- techniques:
  - T1021
  - T1133
Description
This rule detects an incoming SSH connection established inside a running container. Running an SSH daemon inside a container should be avoided, and monitored closely where it is necessary. If an attacker obtains valid credentials, they can use them to gain initial access or to establish persistence within a compromised environment.
Detection logic
process where container.id: "*" and event.type == "start" and
/* use of sshd to enter a container */
process.entry_leader.entry_meta.type: "sshd" and
/* process is the initial process run in a container or start of a new session */
(process.entry_leader.same_as_process == true or process.session_leader.same_as_process == true) and
/* interactive process */
process.interactive == true
SSH Process Launched From Inside A Container
- source: elastic
- techniques:
  - T1021
  - T1133
Description
This rule detects an ssh or sshd process executed from inside a container. This covers both the client ssh binary and the server ssh daemon. SSH usage inside a container should be avoided, and monitored closely where it is necessary. With valid credentials an attacker may move laterally to other containers, or to the underlying host via a container breakout. They may also use valid SSH credentials as a persistence mechanism.
Detection logic
process where container.id: "*" and event.type == "start" and
event.action in ("fork", "exec") and event.action != "end" and
process.name: ("sshd", "ssh", "autossh")
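As an added illustration (not code from the Elastic rules or their repository), the Python below applies both rules above to constructed ECS-style process events so the logic can be exercised offline. The `_get` helper, the sample events and `evaluate` are assumptions made for this demo; the EQL existence check `container.id: "*"` is approximated as "field present and non-empty".

```python
from typing import Any

def _get(event: dict, path: str, default=None) -> Any:
    """Resolve a dotted ECS field path such as 'process.entry_leader.entry_meta.type'."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def ssh_connection_in_container(e: dict) -> bool:
    """Rule 1: interactive session whose entry leader arrived via sshd, inside a container."""
    return (
        bool(_get(e, "container.id"))                      # approximates container.id: "*"
        and _get(e, "event.type") == "start"
        and _get(e, "process.entry_leader.entry_meta.type") == "sshd"
        and (_get(e, "process.entry_leader.same_as_process") is True
             or _get(e, "process.session_leader.same_as_process") is True)
        and _get(e, "process.interactive") is True
    )

def ssh_process_in_container(e: dict) -> bool:
    """Rule 2: ssh/sshd/autossh started (fork or exec) inside a container."""
    return (
        bool(_get(e, "container.id"))
        and _get(e, "event.type") == "start"
        and _get(e, "event.action") in ("fork", "exec")   # "end" can never pass this check
        and _get(e, "process.name") in ("sshd", "ssh", "autossh")
    )

# Constructed sample events (not real telemetry): an sshd-entered interactive shell,
# an ssh client launched from a container-entered session, and a host-side sshd.
SAMPLE_EVENTS = [
    {"container": {"id": "c0ffee"}, "event": {"type": "start", "action": "exec"},
     "process": {"name": "bash", "interactive": True,
                 "entry_leader": {"entry_meta": {"type": "sshd"}, "same_as_process": True},
                 "session_leader": {"same_as_process": True}}},
    {"container": {"id": "c0ffee"}, "event": {"type": "start", "action": "exec"},
     "process": {"name": "ssh", "interactive": False,
                 "entry_leader": {"entry_meta": {"type": "container"}, "same_as_process": False},
                 "session_leader": {"same_as_process": False}}},
    {"event": {"type": "start", "action": "exec"},  # no container.id: host process, no match
     "process": {"name": "sshd", "interactive": True,
                 "entry_leader": {"entry_meta": {"type": "sshd"}, "same_as_process": True}}},
]

def evaluate(events: list) -> tuple:
    """Return (rule1_hits, rule2_hits) as lists of event indexes."""
    r1 = [i for i, e in enumerate(events) if ssh_connection_in_container(e)]
    r2 = [i for i, e in enumerate(events) if ssh_process_in_container(e)]
    return r1, r2
```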