|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/12/01" |
| 3 | +integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/12/01" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +This rule detects the creation of pods or containers that execute suspicious commands often associated with persistence or |
| 11 | +privilege escalation techniques. Attackers may use container orchestration tools like Kubernetes ("kubectl") or container |
| 12 | +runtimes like Docker ("docker") to create pods or containers that run shell commands (e.g., "bash", "sh", "zsh") with |
| 13 | +arguments that indicate attempts to establish persistence (e.g., modifying startup scripts, creating backdoors). |
| 14 | +""" |
| 15 | +from = "now-9m" |
| 16 | +index = [ |
| 17 | + "auditbeat-*", |
| 18 | + "endgame-*", |
| 19 | + "logs-auditd_manager.auditd-*", |
| 20 | + "logs-crowdstrike.fdr*", |
| 21 | + "logs-endpoint.events.process*", |
| 22 | + "logs-sentinel_one_cloud_funnel.*", |
| 23 | +] |
| 24 | +language = "eql" |
| 25 | +license = "Elastic License v2" |
| 26 | +name = "Pod or Container Creation with Suspicious Command-Line" |
| 27 | +risk_score = 47 |
| 28 | +rule_id = "c595363f-52a6-49e1-9257-0e08ae043dbd" |
| 29 | +severity = "medium" |
| 30 | +tags = [ |
| 31 | + "Domain: Endpoint", |
| 32 | + "OS: Linux", |
| 33 | + "Use Case: Threat Detection", |
| 34 | + "Tactic: Execution", |
| 35 | + "Tactic: Privilege Escalation", |
| 36 | + "Tactic: Persistence", |
| 37 | + "Data Source: Elastic Defend", |
| 38 | + "Data Source: Elastic Endgame", |
| 39 | + "Data Source: Auditd Manager", |
| 40 | + "Data Source: Crowdstrike", |
| 41 | + "Data Source: SentinelOne", |
| 42 | +] |
| 43 | +timestamp_override = "event.ingested" |
| 44 | +type = "eql" |
| 45 | +query = ''' |
| 46 | +process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and |
| 47 | +process.name in ("kubectl", "docker") and process.args == "run" and process.args == "--restart=Never" and process.args == "--" and |
| 48 | +process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and |
| 49 | +process.command_line like~ ( |
| 50 | + "*atd*", "*cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *", |
| 51 | + "*/etc/profile*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*autostart*", "*xxd *", "*/etc/shadow*", "*./.*", |
| 52 | + "*import*pty*spawn*", "*import*subprocess*call*", "*TCPSocket.new*", "*TCPSocket.open*", "*io.popen*", "*os.execute*", "*fsockopen*", |
| 53 | + "*disown*", "* ncat *", "* nc *", "* netcat *", "* nc.traditional *", "*socat*", "*telnet*", "*/tmp/*", "*/dev/shm/*", "*/var/tmp/*", |
| 54 | + "*/boot/*", "*/sys/*", "*/lost+found/*", "*/media/*", "*/proc/*", "*/var/backups/*", "*/var/log/*", "*/var/mail/*", "*/var/spool/*" |
| 55 | +) |
| 56 | +''' |
| 57 | + |
| 58 | +[[rule.threat]] |
| 59 | +framework = "MITRE ATT&CK" |
| 60 | + |
| 61 | +[[rule.threat.technique]] |
| 62 | +id = "T1059" |
| 63 | +name = "Command and Scripting Interpreter" |
| 64 | +reference = "https://attack.mitre.org/techniques/T1059/" |
| 65 | + |
| 66 | +[[rule.threat.technique.subtechnique]] |
| 67 | +id = "T1059.004" |
| 68 | +name = "Unix Shell" |
| 69 | +reference = "https://attack.mitre.org/techniques/T1059/004/" |
| 70 | + |
| 71 | +[[rule.threat.technique]] |
| 72 | +id = "T1609" |
| 73 | +name = "Container Administration Command" |
| 74 | +reference = "https://attack.mitre.org/techniques/T1609/" |
| 75 | + |
| 76 | +[rule.threat.tactic] |
| 77 | +id = "TA0002" |
| 78 | +name = "Execution" |
| 79 | +reference = "https://attack.mitre.org/tactics/TA0002/" |
| 80 | + |
| 81 | +[[rule.threat]] |
| 82 | +framework = "MITRE ATT&CK" |
| 83 | + |
| 84 | +[[rule.threat.technique]] |
| 85 | +id = "T1611" |
| 86 | +name = "Escape to Host" |
| 87 | +reference = "https://attack.mitre.org/techniques/T1611/" |
| 88 | + |
| 89 | +[rule.threat.tactic] |
| 90 | +id = "TA0004" |
| 91 | +name = "Privilege Escalation" |
| 92 | +reference = "https://attack.mitre.org/tactics/TA0004/" |
| 93 | + |
| 94 | +[[rule.threat]] |
| 95 | +framework = "MITRE ATT&CK" |
| 96 | + |
| 97 | +[[rule.threat.technique]] |
| 98 | +id = "T1053" |
| 99 | +name = "Scheduled Task/Job" |
| 100 | +reference = "https://attack.mitre.org/techniques/T1053/" |
| 101 | + |
| 102 | +[[rule.threat.technique.subtechnique]] |
| 103 | +id = "T1053.002" |
| 104 | +name = "At" |
| 105 | +reference = "https://attack.mitre.org/techniques/T1053/002/" |
| 106 | + |
| 107 | +[[rule.threat.technique.subtechnique]] |
| 108 | +id = "T1053.003" |
| 109 | +name = "Cron" |
| 110 | +reference = "https://attack.mitre.org/techniques/T1053/003/" |
| 111 | + |
| 112 | +[rule.threat.tactic] |
| 113 | +id = "TA0003" |
| 114 | +name = "Persistence" |
| 115 | +reference = "https://attack.mitre.org/tactics/TA0003/" |
0 commit comments