Techniques
Sample rules
Tool Enumeration Detected via Defend for Containers
- source: elastic
- techniques:
- T1518
- T1613
Description
This rule detects the enumeration of tools with the “which” command inside a container, whether “which” is run directly or through a shell. “which” resolves a command name to the executable that would run for it by searching PATH, so it tells an adversary which tools — network clients, interpreters, compilers, scanners and container/Kubernetes command-line tools — are available in the container and, by extension, something about the services running inside it. The rule only considers interactive (TTY-attached) processes that carry a container.id.
Detection logic
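/* Match a "which <tool>" lookup inside a container, run either directly or
   through a shell that passes the looked-up names as separate args, when the
   looked-up name is a tool useful for network access, interpretation,
   compilation, scanning or container control.
   Scope: Linux exec events, interactive processes only, container.id present. */
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
process.name == "which" or
(
/* Shells that run "which" as a subprocess: the "which" binary and the target utility
   names then appear as elements of process.args rather than as process.name. */
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.args in ("which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which") and
/* Exclusion list: common multi-command lines that also carry "which" in their args
   (e.g. permission fix-ups) would otherwise false-positive. */
not process.args in (
"man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
"chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
"chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
)
)
) and
(
/* `in` is an exact, case-sensitive comparison against each element of process.args
   and does NOT expand "*". Names that need a prefix match (the gcc back-end
   binaries cc1, cc1plus, ...) are therefore handled by the separate `like` clause
   below instead of being listed here. Every name appears once. */
process.args in (
/* TCP IP */
"curl", "wget", "socat", "nc", "netcat", "ncat", "busybox", "python3", "python", "perl", "node", "openssl", "ruby", "lua",
/* networking */
"getent", "dig", "nslookup", "host", "ip", "tcpdump", "tshark",
/* container management */
"kubectl", "docker", "kubelet", "kube-proxy", "containerd", "systemd", "crictl",
/* compilation */
"gcc", "g++", "clang", "clang++", "cc", "c++", "c99", "c89", "musl-gcc", "musl-clang", "tcc", "zig", "ccache", "distcc", "make",
/* scanning */
"nmap", "zenmap", "nuclei", "netdiscover", "legion", "masscan", "zmap", "zgrab", "ngrep", "telnet", "mitmproxy"
) or
/* Prefix match for gcc's compiler back-ends (cc1, cc1plus, ...): `like` honours "*". */
process.args like "cc1*"
) and
/* TTY-attached sessions only: a "which" run from a script, cron job or container
   entrypoint is out of scope for this rule and will not alert. */
process.interactive == true and
/* `like "*"` matches any non-null value, i.e. requires container.id to be populated. */
container.id like "*"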