There is a potential for false positives if SOCKS proxies are used for legitimate purposes, such as debugging or troubleshooting, or if the "curl" command-line tool is used to download files from a known benign source. It is important to investigate any alerts generated by this rule to determine whether they are indicative of malicious activity or part of legitimate container activity.

Sample rules

Curl SOCKS Proxy Detected via Defend for Containers

Description

This rule detects the use of the “curl” command-line tool with SOCKS proxy options. Attackers may use “curl” to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "curl" and process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*", "-x") and
process.interactive == true and container.id like "?*"
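To show where the false-positive note above bites, here is an added Python example (not from the LoFP page or the rule's own source) that evaluates the rule's conditions over constructed process events, including a legitimate debugging invocation that still fires and two shapes that do not match. Field names follow the rule; the container id, proxy addresses and hostnames are placeholders.

```python
import fnmatch
# Argument patterns copied from the rule's `process.args like (...)` clause.
RULE_ARG_PATTERNS = ("--socks5-hostname", "--proxy", "--preproxy", "socks5*", "-x")

def eql_like(value, pattern):
    """EQL `like`: case-sensitive glob where `*` is any run and `?` one char."""
    return fnmatch.fnmatchcase(value, pattern)

def args_like(args, patterns):
    """`like` on an array field is true when any element matches any pattern."""
    return any(eql_like(a, p) for a in args for p in patterns)

def matches_rule(ev):
    """Evaluate the page's EQL rule against one flattened ECS process event."""
    return (ev.get("host.os.type") == "linux"
            and ev.get("event.type") == "start"
            and ev.get("event.action") == "exec"
            and ev.get("process.name") == "curl"
            and args_like(ev.get("process.args", []), RULE_ARG_PATTERNS)
            and ev.get("process.interactive") is True
            and eql_like(ev.get("container.id") or "", "?*"))  # any non-empty id

def curl_event(args, interactive=True, container_id="3f9a1c2d7e01"):
    """Build a constructed sample event; only the fields the rule reads are set."""
    return {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
            "process.name": "curl", "process.args": ["curl", *args],
            "process.interactive": interactive, "container.id": container_id}

# Constructed scenarios, not real telemetry. Addresses and hostnames are placeholders.
SCENARIOS = {
    "socks5 hostname proxy, interactive, in container":
        curl_event(["--socks5-hostname", "127.0.0.1:1080", "http://svc.internal/"]),
    "debugging via -x socks5h://, interactive, in container (the documented FP)":
        curl_event(["-x", "socks5h://127.0.0.1:1080", "-v", "https://api.internal/healthz"]),
    "same options but on the host, no container.id":
        curl_event(["--proxy", "socks5://127.0.0.1:1080", "http://svc.internal/"], container_id=None),
    "same options from a non-interactive script in a container":
        curl_event(["--proxy", "socks5://127.0.0.1:1080", "http://svc.internal/"], interactive=False),
    "plain download, no proxy options, interactive, in container":
        curl_event(["-sSfL", "-o", "/tmp/release.tgz", "https://releases.internal/release.tgz"]),
}

def evaluate():
    """Map each scenario name to whether the rule would fire on it."""
    return {name: matches_rule(ev) for name, ev in SCENARIOS.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT' if fired else 'quiet'}  {name}")
```

The second scenario is the benign case the false-positive note describes: it satisfies every clause of the rule, so triage has to rely on the proxy destination, the user and the container's expected behaviour rather than on the query alone.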