Tool Installation Detected via Defend for Containers
This rule detects the installation of tools inside a container. An adversary may need to install additional software to enumerate the container and its environment and to move laterally within that environment.
Rule type: eql
Rule indices:
- logs-cloud_defend.process*
Rule Severity: low
Risk Score: 21
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: ?
References:
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Execution
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
process where event.type == "start" and event.action == "exec" and (
  (process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf") and process.args == "install") or
  (process.name == "apk" and process.args == "add") or
  (process.name == "pacman" and process.args like "-*S*") or
  (process.name in ("rpm", "dpkg") and process.args in ("-i", "--install"))
) and process.args like (
  "curl", "wget", "socat", "busybox", "openssl", "busybox", "torsocks",
  "netcat", "netcat-openbsd", "netcat-traditional", "ncat", "tor",
  "python*", "perl", "node", "nodejs", "ruby", "lua"
) and process.interactive == "true" and container.id like "*"
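To check which events the query above selects before enabling it, the following added example (not Elastic's code) re-implements its conditions in Python and runs them over constructed events. The flat dotted-key event layout, the helper names `any_arg`, `rule_matches` and `sample`, the sample container ID, and treating `process.interactive` as a boolean are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase  # "*" wildcard, case-sensitive, like EQL `like`

# Installer conditions copied from the rule: (process names, argument patterns).
INSTALLERS = [
    ({"apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf"}, ["install"]),
    ({"apk"}, ["add"]),
    ({"pacman"}, ["-*S*"]),
    ({"rpm", "dpkg"}, ["-i", "--install"]),
]
# Tool patterns copied from the rule (the duplicated "busybox" is listed once).
TOOLS = ["curl", "wget", "socat", "busybox", "openssl", "torsocks", "netcat",
         "netcat-openbsd", "netcat-traditional", "ncat", "tor", "python*",
         "perl", "node", "nodejs", "ruby", "lua"]

def any_arg(args, patterns):
    """An array field matches when any single element matches any pattern."""
    return any(fnmatchcase(arg, pat) for arg in args for pat in patterns)

def rule_matches(event):
    """Evaluate the rule's conditions against one flat, dotted-key event."""
    args = event.get("process.args", [])
    installer = any(event.get("process.name") in names and any_arg(args, pats)
                    for names, pats in INSTALLERS)
    return (event.get("event.type") == "start"
            and event.get("event.action") == "exec"
            and installer
            and any_arg(args, TOOLS)
            and event.get("process.interactive") is True  # assumption: boolean
            and event.get("container.id") is not None)    # like "*": field present

def sample(name, args, interactive=True, container="constructed-id-01"):
    """Build a constructed test event (hypothetical layout, not real telemetry)."""
    return {"event.type": "start", "event.action": "exec",
            "process.name": name, "process.args": args,
            "process.interactive": interactive, "container.id": container}

if __name__ == "__main__":
    for ev in (sample("apt-get", ["apt-get", "install", "-y", "curl"]),
               sample("apk", ["apk", "add", "python3"]),
               sample("apt-get", ["apt-get", "install", "-y", "vim"]),
               sample("apt-get", ["apt-get", "install", "-y", "curl"],
                      interactive=False)):
        print(ev["process.name"], ev["process.args"], "->", rule_matches(ev))
```

The non-interactive case corresponds to installs performed by an image build or entrypoint script, which the rule's `process.interactive` condition excludes.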
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Software Deployment Tools
- Id: T1072
- Reference URL: https://attack.mitre.org/techniques/T1072/