diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index 49f40294031..9842cd1f148 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/05" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -16,12 +16,14 @@ index = ["logs-cloud_defend.alerts-*"] language = "kuery" license = "Elastic License v2" max_signals = 10000 -name = "Container Workload Protection" +name = "Deprecated - Container Workload Protection" risk_score = 47 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512" rule_name_override = "message" setup = """## Setup +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. **IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. 
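Review bot: The deprecation in this hunk is carried only by the `name` prefix and the new `setup` prose; `maturity = "production"` in the hunk above is unchanged and no `deprecation_date` is set, so any tooling or dashboard keyed on rule metadata still treats this as a live production rule. If keeping the rule shipped for pre-8.18 stacks is deliberate, the added sentence should say so, and the advice should order the steps so operators do not open a coverage gap: enable the replacement rules first, then disable this one. The sentence itself also reads awkwardly; a cleaner form is `This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to the deprecation of the 'Defend For Containers' integration. Users on 8.18+ should first enable the Linux-based rules tagged "Domain: Container" and then disable this rule.`. The same sentence is added verbatim to every other file in this diff, so the rewording applies to all of them.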
@@ -42,7 +44,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Container Workload Protection +### Investigating Deprecated - Container Workload Protection Container Workload Protection is crucial for securing containerized environments by monitoring and defending against threats. Adversaries may exploit vulnerabilities in container orchestration or escape isolation to access host systems. The detection rule leverages alerts from cloud defense modules, focusing on suspicious activities within container domains, enabling timely triage and investigation of potential security incidents. diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml index 8decdf2c8eb..962719fc1f6 100644 --- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/28" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "AWS Credentials Searched For Inside A Container" +name = "Deprecated - AWS Credentials Searched For Inside A Container" references = ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"] risk_score = 47 rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767" 
@@ -40,12 +40,16 @@ process where event.module == "cloud_defend" and (process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating AWS Credentials Searched For Inside A Container +### Investigating Deprecated - AWS Credentials Searched For Inside A Container Containers often house applications that interact with AWS services, necessitating the storage of AWS credentials. Adversaries may exploit this by using search utilities to locate these credentials, potentially leading to unauthorized access. The detection rule identifies suspicious use of search tools within containers, flagging attempts to locate AWS credentials by monitoring specific process names and arguments, thus helping to prevent credential theft and subsequent attacks. diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index 0bf131a2b29..ef3297e2831 100644 
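Review bot: The new `## Setup` heading is inserted at the top of `note`, i.e. inside the investigation guide, whereas the first file in this diff puts the same text in a dedicated `setup = """## Setup` field; the deprecation notice will therefore render only in the triage guide for this rule and the "Triage and analysis" section no longer starts the note. If these rules have no `setup` field, this follows the older in-note convention and is acceptable, but a dedicated `setup` field would be consistent with the first file and with how the rest of the repository surfaces setup guidance. The same pattern is used in the `note` hunks of every other file in this diff (sensitive files compression, sensitive keys search, ld.so.preload, network tool, container management binary, chmod, interactive exec, interactive shell, netcat listener, SSH connection, SSH process, authorized_keys).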
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Sensitive Files Compression Inside A Container" +name = "Deprecated - Sensitive Files Compression Inside A Container" risk_score = 47 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1" severity = "medium" 
@@ -65,12 +65,16 @@ and process.args: ( "/etc/shadow", "/etc/gshadow") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Sensitive Files Compression Inside A Container +### Investigating Deprecated - Sensitive Files Compression Inside A Container Containers are lightweight, portable environments used to run applications consistently across different systems. Adversaries may exploit compression utilities within containers to gather and exfiltrate sensitive files, such as credentials and configuration files. The detection rule identifies suspicious compression activities by monitoring for specific utilities and file paths, flagging potential unauthorized data collection attempts. diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index 95c5a9deda7..0a1a6b0d77e 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] 
@@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Sensitive Keys Or Passwords Searched For Inside A Container" +name = "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container" references = ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"] risk_score = 47 rule_id = "9661ed8b-001c-40dc-a777-0983b7b0c91a" @@ -47,12 +47,16 @@ or and process.args : ("*id_rsa*", "*id_dsa*") )) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Sensitive Keys Or Passwords Searched For Inside A Container +### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container Containers encapsulate applications, providing isolated environments. Adversaries may exploit search utilities like grep or find to locate sensitive credentials within containers, potentially leading to unauthorized access or container escape. The detection rule identifies suspicious searches for private keys or passwords, flagging potential credential access attempts by monitoring process activities and arguments. diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml index 72025efeb6a..ee2373adfbe 100644 
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/06" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Modification of Dynamic Linker Preload Shared Object Inside A Container" +name = "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container" references = [ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", 
@@ -34,12 +34,16 @@ type = "eql" query = ''' file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container +### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container The dynamic linker in Linux loads necessary libraries for programs at runtime, with the `ld.so.preload` file specifying libraries to load first. Adversaries exploit this by redirecting it to malicious libraries, gaining unauthorized access and evading detection. The detection rule identifies suspicious modifications to this file within containers, signaling potential hijacking attempts. diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index c035f87d8fb..ad44da93b51 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Suspicious Network Tool Launched Inside A Container" +name = "Deprecated - Suspicious Network Tool Launched Inside A Container" risk_score = 47 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "medium" 
@@ -49,12 +49,16 @@ process where container.id: "*" and event.type== "start" and (process.args: ("nc", "ncat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab")) ) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Suspicious Network Tool Launched Inside A Container +### Investigating Deprecated - Suspicious Network Tool Launched Inside A Container Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries exploit network tools within containers for reconnaissance or lateral movement, leveraging utilities like `nc` or `nmap` to map networks or intercept traffic. The detection rule identifies these tools' execution by monitoring process starts and arguments, flagging potential misuse for further investigation. diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 422574e94a0..094241f2eb0 100644 --- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml 
+++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic Licence v2" -name = "Container Management Utility Run Inside A Container" +name = "Deprecated - Container Management Utility Run Inside A Container" risk_score = 21 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50" severity = "low" 
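Review bot: The context line directly above the renamed `name` reads `license = "Elastic Licence v2"` while every sibling file in this diff uses `license = "Elastic License v2"`; this is pre-existing, but since the hunk already edits the adjacent line it would be cheap to normalize it to `license = "Elastic License v2"` here. I cannot tell from the diff whether the rule schema validates this string, so treat it as a consistency fix rather than a confirmed validation failure.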
@@ -43,12 +43,16 @@ query = ''' process where container.id: "*" and event.type== "start" and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Container Management Utility Run Inside A Container +### Investigating Deprecated - Container Management Utility Run Inside A Container Container management utilities like Docker and Kubernetes are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types. diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index 41c110968dd..0488bbf50bf 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "File Made Executable via Chmod Inside A Container" +name = "Deprecated - File Made Executable via Chmod Inside A Container" risk_score = 47 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "medium" 
@@ -39,12 +39,16 @@ file where container.id: "*" and event.type in ("change", "creation") and (process.name : "chmod" or process.args : "chmod") and process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating File Made Executable via Chmod Inside A Container +### Investigating Deprecated - File Made Executable via Chmod Inside A Container Containers provide isolated environments for running applications, often on Linux systems. The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers. diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 3915ee5583e..4e7a870746e 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml 
+++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Interactive Exec Command Launched Against A Running Container" +name = "Deprecated - Interactive Exec Command Launched Against A Running Container" references = [ "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/", 
@@ -59,12 +59,16 @@ process.entry_leader.same_as_process== true and /* interactive process */ process.interactive == true ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Interactive Exec Command Launched Against A Running Container +### Investigating Deprecated - Interactive Exec Command Launched Against A Running Container In containerized environments, the 'exec' command is used to run processes inside a running container, often for debugging or administrative tasks. Adversaries may exploit this to gain shell access, potentially leading to further compromise or container escape. The detection rule identifies such activities by monitoring for interactive 'exec' sessions, focusing on initial processes within containers, and flagging high-risk interactions. diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index 7a20535cd5f..cccb71f9293 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Suspicious Interactive Shell Spawned From Inside A Container" +name = "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container" risk_score = 73 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470" severity = "high" @@ -48,12 +48,16 @@ event.action in ("fork", "exec") and process.args: "*/*sh" ) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Suspicious Interactive Shell Spawned From Inside A Container +### Investigating Deprecated - Suspicious Interactive Shell Spawned From Inside A Container Containers are lightweight, portable units that encapsulate applications and their dependencies, often used to ensure consistent environments across development and production. Adversaries may exploit containers by spawning interactive shells to execute unauthorized commands, potentially leading to container escape and host compromise. The detection rule identifies such threats by monitoring for shell processes initiated within containers, focusing on specific process actions and arguments indicative of interactive sessions. 
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 070fe900c3d..1f61a08ea64 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "Netcat Listener Established Inside A Container" +name = "Deprecated - Netcat Listener Established Inside A Container" risk_score = 73 rule_id = "a52a9439-d52c-401c-be37-2785235c6547" severity = "high" 
@@ -53,12 +53,16 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or process.args:("-*l*", "--listen", "-*p*", "--source-port") ) ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Netcat Listener Established Inside A Container +### Investigating Deprecated - Netcat Listener Established Inside A Container Netcat is a versatile networking tool used for reading and writing data across network connections, often employed for legitimate purposes like debugging and network diagnostics. However, adversaries can exploit Netcat to establish unauthorized backdoors or exfiltrate data from containers. The detection rule identifies suspicious Netcat activity by monitoring process events within containers, focusing on specific arguments that indicate a listening state, which is a common trait of malicious use. This proactive detection helps mitigate potential threats by flagging unusual network behavior indicative of compromise. diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index ed47d7a84ee..5d303ab5ee2 100644 --- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml 
+++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "SSH Connection Established Inside A Running Container" +name = "Deprecated - SSH Connection Established Inside A Running Container" references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", ] 
@@ -53,12 +53,16 @@ process.entry_leader.entry_meta.type: "sshd" and /* interactive process*/ process.interactive== true ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating SSH Connection Established Inside A Running Container +### Investigating Deprecated - SSH Connection Established Inside A Running Container SSH (Secure Shell) is a protocol used to securely access and manage systems remotely. In containerized environments, running an SSH daemon is generally discouraged due to security risks. Adversaries may exploit SSH to gain unauthorized access or maintain persistence within a compromised container. The detection rule identifies SSH connections initiated within containers by monitoring for SSH daemon processes that start new sessions, indicating potential unauthorized access attempts. This rule is crucial for identifying and mitigating threats related to initial access and lateral movement within containerized environments. diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index 0d38bc0944f..d8c3752bb62 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/02/06" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ index = ["logs-cloud_defend*"] interval = "5m" language = "eql" license = "Elastic License v2" -name = "SSH Process Launched From Inside A Container" +name = "Deprecated - SSH Process Launched From Inside A Container" references = [ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/", 
@@ -48,12 +48,16 @@ process where container.id: "*" and event.type== "start" and event.action in ("fork", "exec") and process.name: ("sshd", "ssh", "autossh") ''' -note = """## Triage and analysis +note = """## Setup + +This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container". + +## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating SSH Process Launched From Inside A Container +### Investigating Deprecated - SSH Process Launched From Inside A Container SSH (Secure Shell) is a protocol used for secure remote access and management of systems. Within container environments, SSH usage is atypical and can signal potential security risks. Adversaries may exploit SSH to move laterally between containers or escape to the host system. The detection rule identifies SSH processes initiated within containers, flagging potential unauthorized access or persistence attempts by monitoring process events and container identifiers. diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index d97607dc184..ca4f95312ed 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "SSH Authorized Keys File Modified Inside a Container"
+name = "Deprecated - SSH Authorized Keys File Modified Inside a Container"
 risk_score = 73
 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3"
 severity = "high"
@@ -37,12 +37,16 @@ query = '''
 file where container.id:"*" and
 event.type in ("change", "creation") and
 file.name: ("authorized_keys", "authorized_keys2", "sshd_config")
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating SSH Authorized Keys File Modified Inside a Container
+### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container
 
 In containerized environments, SSH keys facilitate secure access, but adversaries can exploit this by altering the authorized_keys file to gain unauthorized access. This detection rule identifies suspicious changes to SSH configuration files within containers, signaling potential persistence tactics. By monitoring file modifications, it helps detect unauthorized SSH usage, a common indicator of compromise.
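Review bot: The investigation heading is now `### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container`, which reads as though the guide investigates something called "Deprecated", while the deprecation itself is already stated in the Setup paragraph a few lines above. If the heading is not generated from `name` by tooling, keep it as the original title, `### Investigating SSH Authorized Keys File Modified Inside a Container`, and let the notice carry the marker. The same pattern appears in every rule touched by this change, so whichever form is chosen should be applied consistently across them. The `note` string continues beyond the hunk.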
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
index 9bdbcf452cb..e55a4294315 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "File System Debugger Launched Inside a Privileged Container"
+name = "Deprecated - File System Debugger Launched Inside a Privileged Container"
 references = [
     "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
     "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
@@ -43,12 +43,16 @@ process where event.module == "cloud_defend" and
 process.args : "/dev/sd*" and
 not process.args == "-R" and
 container.security_context.privileged == true
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating File System Debugger Launched Inside a Privileged Container
+### Investigating Deprecated - File System Debugger Launched Inside a Privileged Container
 
 DebugFS is a Linux utility for direct file system manipulation, often used for debugging. In a privileged container, which has extensive access to the host, adversaries can exploit DebugFS to access sensitive host files, potentially leading to privilege escalation or container escape. The detection rule identifies suspicious DebugFS usage by monitoring process initiation with specific arguments in privileged containers, flagging potential misuse.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
index 911794bc3eb..f63d302437f 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
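Review bot: The deprecation notice sends users to rules tagged "Domain: Container", but this query's distinguishing condition is `container.security_context.privileged == true`, a field presumably populated only by the cloud_defend integration, and the notice does not say whether any Linux replacement preserves the privileged-container check. If none does, following the instruction silently drops detection of debugfs opening host block devices (`/dev/sd*`) from a privileged container, the host-disk-access primitive the references in this file describe. Suggest stating in the notice which rule covers debugfs execution after migration, or that the privileged-container context is lost, so operators on stacks below 8.18 (where the integration still exists) can decide whether to keep this rule enabled until then. The `note` string continues past the end of the hunk.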
@@ -2,7 +2,7 @@ creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Mount Launched Inside a Privileged Container"
+name = "Deprecated - Mount Launched Inside a Privileged Container"
 references = [
     "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
 ]
@@ -41,12 +41,16 @@ query = '''
 process where event.module == "cloud_defend" and event.type== "start" and (process.name== "mount" or process.args== "mount") and container.security_context.privileged == true
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Mount Launched Inside a Privileged Container
+### Investigating Deprecated - Mount Launched Inside a Privileged Container
 
 In containerized environments, the `mount` utility is crucial for attaching file systems to the system's directory tree. When executed within a privileged container, which has extensive host capabilities, it can be exploited by adversaries to access sensitive host files, potentially leading to privilege escalation or container escapes. The detection rule identifies such misuse by monitoring the execution of `mount` in privileged containers, flagging potential security threats for further investigation.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
index c498b546826..cf73f4b2251 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Container Escape via Modified notify_on_release File"
+name = "Deprecated - Potential Container Escape via Modified notify_on_release File"
 references = [
     "https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
     "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
@@ -42,12 +42,16 @@ query = '''
 file where event.module == "cloud_defend" and event.action == "open" and event.type == "change" and file.name : "notify_on_release"
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential Container Escape via Modified notify_on_release File
+### Investigating Deprecated - Potential Container Escape via Modified notify_on_release File
 
 In containerized environments, the `notify_on_release` file in cgroups can trigger host-level commands when a cgroup becomes empty. Adversaries exploit this by modifying the file from privileged containers, potentially executing unauthorized commands on the host. The detection rule monitors changes to `notify_on_release` files, flagging suspicious modifications indicative of privilege escalation attempts.
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
index 9f6a95ed845..814ae42138d 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -2,7 +2,7 @@ creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/06"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-cloud_defend*"]
 interval = "5m"
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Container Escape via Modified release_agent File"
+name = "Deprecated - Potential Container Escape via Modified release_agent File"
 references = [
     "https://blog.aquasec.com/threat-alert-container-escape",
     "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
@@ -41,12 +41,16 @@ query = '''
 file where event.module == "cloud_defend" and event.action == "open" and event.type == "change" and file.name : "release_agent"
 '''
-note = """## Triage and analysis
+note = """## Setup
+
+This rule was deprecated in the 8.18 and 9.0 versions of the Elastic Stack due to deprecation of the 'Defend For Containers' integration. Users using 8.18+ versions should disable this rule and enable linux-based rules tagged "Domain: Container".
+
+## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential Container Escape via Modified release_agent File
+### Investigating Deprecated - Potential Container Escape via Modified release_agent File
 
 In containerized environments, the release_agent file in CGroup directories can execute scripts upon process termination. Adversaries exploit this by modifying the file from privileged containers, potentially escalating privileges or escaping to the host. The detection rule monitors changes to the release_agent file, flagging unauthorized modifications indicative of such exploits.