There is a potential for false positives if the files are downloaded for legitimate purposes, such as debugging or troubleshooting, or if the files are downloaded from a known benign source. It is important to investigate any alerts generated by this rule to determine whether they indicate malicious activity or are part of legitimate container activity.

Sample rules

File Download Detected via Defend for Containers

Description

This rule detects the download of files from inside a container. The files are downloaded using the “curl” or “wget” command-line tools. Adversaries may use these tools to download files from the internet to gain access to sensitive data or communicate with C2 servers.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.interactive == true and (
  (
    (process.name == "curl" or process.args in ("curl", "/bin/curl", "/usr/bin/curl", "/usr/local/bin/curl")) and
    process.args in ("-o", "-O", "--output", "--remote-name", "--remote-name-all", "--output-dir")
  ) or
  (
    (process.name == "wget" or process.args in ("wget", "/bin/wget", "/usr/bin/wget", "/usr/local/bin/wget")) and
    process.args like ("-*O*", "--output-document=*", "--output-file=*")
  )
) and (
  process.args like~ "*http*" or
  process.args regex~ ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}[:/]{1}.*"
) and container.id like "?*"