DNS Enumeration Detected via Defend for Containers

This rule detects the execution of DNS enumeration tools inside a container. DNS enumeration tools are used to enumerate the DNS servers and domains of the container, which can be used by an adversary to gain information about the network configuration of the container and the services running inside it.

Rule type: eql
Rule indices:

logs-cloud_defend.process*

Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

Tags:

Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Discovery

Version: ?
Rule authors:

Elastic

Rule license: Elastic License v2

Rule Query

		process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.interactive == true and container.id like "*" and
(
  /* getent hosts is often used without a target arg */
  (process.name == "getent" and process.args == "hosts") or

  /* explicit DNS query tools */
  (
    process.name in ("nslookup", "dig", "host") or
    (
      /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
      process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
      process.args in (
        "nslookup", "/bin/nslookup", "/usr/bin/nslookup", "/usr/local/bin/nslookup",
        "dig", "/bin/dig", "/usr/bin/dig", "/usr/local/bin/dig",
        "host", "/bin/host", "/usr/bin/host", "/usr/local/bin/host"
      ) and
      /* default exclusion list to not FP on default multi-process commands */
      not process.args in (
        "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
        "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
        "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
        "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
      )
    )
  ) and
  process.args like~ (
    "kubernetes.default",
    "kubernetes",
    "*.svc",
    "*.svc.cluster.local",
    "*.cluster.local"
  )
)
		
	

Framework: MITRE ATT&CK

Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Remote System Discovery
- Id: T1018
- Reference URL: https://attack.mitre.org/techniques/T1018/
Technique:
- Name: Container and Resource Discovery
- Id: T1613
- Reference URL: https://attack.mitre.org/techniques/T1613/
Technique:
- Name: System Network Configuration Discovery
- Id: T1016
- Reference URL: https://attack.mitre.org/techniques/T1016/
Technique:
- Name: System Network Connections Discovery
- Id: T1049
- Reference URL: https://attack.mitre.org/techniques/T1049/