detection-rules

Tool Enumeration Detected via Defend for Containers

This rule detects the enumeration of installed tools with the "which" command inside a container. "which" resolves the path of an executable and so reveals which tools are installed on a system; an adversary may use it to gain information about the container and the services running inside it.

Rule type: eql
Rule indices:

  • logs-cloud_defend.process*

Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: ?
References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Discovery

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  process.name == "which" or
  (
    /* Account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
    process.args in ("which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which") and
    /* default exclusion list to not FP on default multi-process commands */
    not process.args in (
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )
) and
process.args in (

  /* TCP IP */
  "curl", "wget", "socat", "nc", "netcat", "ncat", "busybox", "python3", "python", "perl", "node", "openssl", "ruby", "lua",

  /* networking */
  "getent", "dig", "nslookup", "host", "ip", "tcpdump", "tshark",

  /* container management */
  "kubectl", "docker", "kubelet", "kube-proxy", "containerd", "systemd", "crictl",

  /* compilation */
  "gcc", "g++", "clang", "clang++", "cc", "c++", "c99", "c89", "cc1*", "musl-gcc", "musl-clang", "tcc", "zig", "ccache", "distcc", "make",

  /* scanning */
  "nmap", "zenmap", "nuclei", "netdiscover", "legion", "masscan", "zmap", "zgrab", "ngrep", "telnet", "mitmproxy", "zmap",
  "masscan", "zgrab"
) and
process.interactive == true and container.id like "*"
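
As an added example that is not part of the rule or the detection-rules project, the predicate above re-implemented in Python and run over constructed process events, showing which event shapes fire and which ones the exclusion list and the interactive/container conditions suppress (the flattened field names and all sample values are assumptions):

```python
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
WHICH = {"which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which"}
# Utilities the rule excludes so common multi-process commands do not false-positive.
EXCLUDED = {p + n for n in ("man", "chmod", "chown")
            for p in ("", "/bin/", "/usr/bin/", "/usr/local/bin/")}
# Targets the rule treats as discovery. EQL `in` is literal: "cc1*" matches only that string.
INTERESTING = {
    "curl", "wget", "socat", "nc", "netcat", "ncat", "busybox", "python3", "python",
    "perl", "node", "openssl", "ruby", "lua", "getent", "dig", "nslookup", "host", "ip",
    "tcpdump", "tshark", "kubectl", "docker", "kubelet", "kube-proxy", "containerd",
    "systemd", "crictl", "gcc", "g++", "clang", "clang++", "cc", "c++", "c99", "c89",
    "cc1*", "musl-gcc", "musl-clang", "tcc", "zig", "ccache", "distcc", "make", "nmap",
    "zenmap", "nuclei", "netdiscover", "legion", "masscan", "zmap", "zgrab", "ngrep",
    "telnet", "mitmproxy",
}

def matches(event: dict) -> bool:
    """True when a flattened process event satisfies the rule's EQL predicate."""
    if (event.get("host.os.type"), event.get("event.type"), event.get("event.action")) \
            != ("linux", "start", "exec"):
        return False
    name, args = event.get("process.name"), event.get("process.args", [])
    # EQL `process.args in (...)` is true when ANY element of the array is listed.
    shell_wrapped = (name in SHELLS and any(a in WHICH for a in args)
                     and not any(a in EXCLUDED for a in args))
    if not (name == "which" or shell_wrapped) or not any(a in INTERESTING for a in args):
        return False
    # `container.id like "*"` only requires the field to be present on the event.
    return event.get("process.interactive") is True and event.get("container.id") is not None

def sample(name: str, args: list, **overrides) -> dict:
    # Constructed Defend for Containers event; every field value here is hypothetical.
    return {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
            "process.name": name, "process.args": args, "process.interactive": True,
            "container.id": "constructed-container-id", **overrides}

EVENTS = {
    "direct_which": sample("which", ["which", "nmap"]),
    "busybox_wrapped": sample("busybox", ["busybox", "which", "curl"]),
    "chmod_excluded": sample("sh", ["sh", "chmod", "which", "python3"]),
    "harmless_target": sample("which", ["which", "ls"]),
    "non_interactive": sample("which", ["which", "kubectl"], **{"process.interactive": False}),
    "outside_container": sample("which", ["which", "gcc"], **{"container.id": None}),
}

def fired() -> list:
    return sorted(k for k, v in EVENTS.items() if matches(v))
```

Only the two events that resolve a listed tool interactively inside a container fire; the `chmod` case shows the exclusion list suppressing a `which` that is merely part of a larger command.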

Framework: MITRE ATT&CK