Refine EQL query for suspicious pod/container creation

Aegrah · web-flow · commit 6f2eafdc37ec · 2025-12-01T11:03:45.000+01:00
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -45,9 +45,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
-  (process.name == "kubectl" and process.args == "run" and process.args == "--restart=Never" and process.args == "--" and process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
+  (process.name == "kubectl" and process.args == "run" and process.args == "--restart=Never" and process.args == "--") or
   (process.name == "docker" and process.args == "run")
-) and process.command_line like~ (
+) and 
+process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+process.command_line like~ (
   "*atd*", "*cron*", "*/etc/rc.local*", "*/dev/tcp/*", "*/etc/init.d*", "*/etc/update-motd.d*", "*/etc/ld.so*", "*/etc/sudoers*", "*base64 *",
   "*/etc/profile*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*" , "*~/.ssh/*", "*autostart*", "*xxd *", "*/etc/shadow*", "*./.*",
   "*import*pty*spawn*", "*import*subprocess*call*", "*TCPSocket.new*", "*TCPSocket.open*", "*io.popen*", "*os.execute*", "*fsockopen*",
