Sample rules
Suspicious Network Tool Launched Inside A Container
- source: elastic
- techniques:
- T1046
- T1105
- T1595
Description
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name in (
"nc.traditional", "nc", "ncat", "netcat", "nmap", "tcpdump", "tshark", "ngrep", "telnet",
"mitmproxy", "socat", "zmap", "masscan", "zgrab"
) and
not (process.name in ("nc.traditional", "nc", "ncat", "netcat") and process.args like ("-*z*", "localhost", "127.0.0.1"))
Suspicious Network Tool Launch Detected via Defend for Containers
- source: elastic
- techniques:
- T1046
- T1105
- T1595
Description
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
process.name in (
"nc.traditional", "nc", "ncat", "netcat", "nmap", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat",
"zmap", "masscan", "zgrab"
) or
(
/* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.args in (
"nc.traditional", "/bin/nc.traditional", "/usr/bin/nc.traditional", "/usr/local/bin/nc.traditional",
"nc", "/bin/nc", "/usr/bin/nc", "/usr/local/bin/nc",
"ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat",
"netcat", "/bin/netcat", "/usr/bin/netcat", "/usr/local/bin/netcat",
"nmap", "/bin/nmap", "/usr/bin/nmap", "/usr/local/bin/nmap",
"tcpdump", "/bin/tcpdump", "/usr/bin/tcpdump", "/usr/local/bin/tcpdump",
"tshark", "/bin/tshark", "/usr/bin/tshark", "/usr/local/bin/tshark",
"ngrep", "/bin/ngrep", "/usr/bin/ngrep", "/usr/local/bin/ngrep",
"telnet", "/bin/telnet", "/usr/bin/telnet", "/usr/local/bin/telnet",
"mitmproxy", "/bin/mitmproxy", "/usr/bin/mitmproxy", "/usr/local/bin/mitmproxy",
"socat", "/bin/socat", "/usr/bin/socat", "/usr/local/bin/socat",
"zmap", "/bin/zmap", "/usr/bin/zmap", "/usr/local/bin/zmap",
"masscan", "/bin/masscan", "/usr/bin/masscan", "/usr/local/bin/masscan",
"zgrab", "/bin/zgrab", "/usr/bin/zgrab", "/usr/local/bin/zgrab"
) and
/* default exclusion list to not FP on default multi-process commands */
not process.args in (
"which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
"man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
"chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
"chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
)
)
) and process.interactive == true and container.id like "*" and
not (
process.name in ("nc.traditional", "nc", "ncat", "netcat") and
process.args like ("-*z*", "localhost", "127.0.0.1")
)
Container Management Utility Run Inside A Container
- source: elastic
- techniques:
- T1609
Description
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.interactive == true and
process.name in ("dockerd", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
not (
process.parent.executable in ("/sbin/init", "/usr/bin/dockerd", "/usr/bin/runc", "/usr/bin/containerd-shim-runc-v2") or
process.working_directory == "/aws" or
process.parent.command_line == "runc init" or
(process.parent.name == "busybox" and process.name == "kubectl")
)
Container Management Utility Execution Detected via Defend for Containers
- source: elastic
- techniques:
- T1609
Description
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
process.name in ("dockerd", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") or
(
/* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.args in (
"dockerd", "/bin/dockerd", "/usr/bin/dockerd", "/usr/local/bin/dockerd",
"kubelet", "/bin/kubelet", "/usr/bin/kubelet", "/usr/local/bin/kubelet",
"kube-proxy", "/bin/kube-proxy", "/usr/bin/kube-proxy", "/usr/local/bin/kube-proxy",
"kubectl", "/bin/kubectl", "/usr/bin/kubectl", "/usr/local/bin/kubectl",
"containerd", "/bin/containerd", "/usr/bin/containerd", "/usr/local/bin/containerd",
"systemd", "/bin/systemd", "/usr/bin/systemd", "/usr/local/bin/systemd",
"crictl", "/bin/crictl", "/usr/bin/crictl", "/usr/local/bin/crictl"
) and
/* default exclusion list to not FP on default multi-process commands */
not process.args in (
"which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
"man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
"chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
"chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
)
)
) and
process.interactive == true and container.id like "*" and
not (
process.parent.executable in ("/sbin/init", "/usr/bin/dockerd", "/usr/bin/runc", "/usr/bin/containerd-shim-runc-v2") or
process.working_directory == "/aws" or
(process.parent.args == "init" and process.parent.args == "runc") or
(process.parent.name == "busybox" and process.name == "kubectl")
)
Netcat File Transfer or Listener Detected via Defend for Containers
- source: elastic
- techniques:
- T1059
Description
This rule detects an established netcat file transfer or listener running inside a container. Netcat is a utility for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence, exfiltrating data, or transferring files.
Detection logic
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
process.name in ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
(
/* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.args in (
"nc", "/bin/nc", "/usr/bin/nc", "/usr/local/bin/nc",
"ncat", "/bin/ncat", "/usr/bin/ncat", "/usr/local/bin/ncat",
"netcat", "/bin/netcat", "/usr/bin/netcat", "/usr/local/bin/netcat",
"netcat.openbsd", "/bin/netcat.openbsd", "/usr/bin/netcat.openbsd", "/usr/local/bin/netcat.openbsd",
"netcat.traditional", "/bin/netcat.traditional", "/usr/bin/netcat.traditional", "/usr/local/bin/netcat.traditional"
) and
/* default exclusion list to not FP on default multi-process commands */
not process.args in (
"which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
"man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
"chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
"chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
)
)
) and
process.args like~ (
/* bind shell to specific port or listener */
"-*l*","-*p*",
/* reverse shell to command-line interpreter used for command execution */
"-*e*",
/* file transfer via stdout/pipe */
">","<", "|"
) and process.interactive == true and container.id like "*"
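As an added example (not part of the rule set above and not Elastic's code), the following Python mirrors the matching logic of the two Defend for Containers rules that share the shell-wrapper pattern: the network tool launch rule and the netcat listener rule. It re-implements the EQL `in`, `like` and case-insensitive `like~` checks over constructed process events; the event keys `name`, `args`, `interactive` and `container_id` are assumed stand-ins for `process.name`, `process.args`, `process.interactive` and `container.id`.

```python
import fnmatch

# Lists copied from the rules; with_paths() yields the exact "name", "/bin/", "/usr/bin/", "/usr/local/bin/" forms
PREFIXES = ("", "/bin/", "/usr/bin/", "/usr/local/bin/")
with_paths = lambda names: {p + n for n in names for p in PREFIXES}
active = lambda ev: bool(ev.get("interactive") and ev.get("container_id"))  # interactive, in a container
NET_TOOLS = {"nc.traditional", "nc", "ncat", "netcat", "nmap", "tcpdump", "tshark", "ngrep",
             "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab"}
NC_NAMES = {"nc.traditional", "nc", "ncat", "netcat"}                      # network tool rule's exclusion
NETCAT = {"nc", "ncat", "netcat", "netcat.openbsd", "netcat.traditional"}  # listener rule's names
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
BENIGN = with_paths({"which", "man", "chmod", "chown"})   # default FP exclusion list
LOOPBACK_SCAN = ("-*z*", "localhost", "127.0.0.1")        # nc port-check exclusion
LISTENER_ARGS = ("-*l*", "-*p*", "-*e*", ">", "<", "|")  # listener rule's like~ patterns

def args_like(args, patterns, fold_case=False):
    # EQL `args like (...)`: true if any arg matches any wildcard pattern; like~ folds case
    norm = (lambda s: s.lower()) if fold_case else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(a), norm(p)) for a in args for p in patterns)

def launched(ev, tools):
    # Tool run directly, or by a shell/busybox that names it as an argument, unless a
    # benign wrapper such as `which` also appears in the argument list
    name, args = ev["name"], set(ev["args"])
    return name in tools or bool(name in SHELLS and args & with_paths(tools) and not args & BENIGN)

def network_tool_alert(ev):
    # Suspicious Network Tool Launch Detected via Defend for Containers
    if not (active(ev) and launched(ev, NET_TOOLS)):
        return False
    # Excluded: netcat itself doing a loopback port check rather than a real connection
    return not (ev["name"] in NC_NAMES and args_like(ev["args"], LOOPBACK_SCAN))

def netcat_listener_alert(ev):
    # Netcat File Transfer or Listener Detected via Defend for Containers
    return bool(active(ev) and launched(ev, NETCAT)
                and args_like(ev["args"], LISTENER_ARGS, fold_case=True))

# Constructed sample process events, not real telemetry
EVENTS = [
    {"name": "nc", "args": ["nc", "-lvp", "4444"], "interactive": True, "container_id": "c1"},
    {"name": "nc", "args": ["nc", "-z", "localhost", "8080"], "interactive": True, "container_id": "c1"},
    {"name": "busybox", "args": ["busybox", "which", "nc"], "interactive": True, "container_id": "c1"},
    {"name": "busybox", "args": ["busybox", "nc", "-lp", "9000"], "interactive": True, "container_id": "c1"},
    {"name": "tcpdump", "args": ["tcpdump", "-i", "eth0"], "interactive": False, "container_id": "c1"},
]

def evaluate(events=EVENTS):
    # Returns (network_tool_alert, netcat_listener_alert) for each event
    return [(network_tool_alert(e), netcat_listener_alert(e)) for e in events]
```

Note that the loopback exclusion only applies when netcat is the process itself, so `busybox nc -lp 9000` still alerts even though a bare `nc -z localhost 8080` does not.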