
Suspicious Interactive Interpreter Command Execution Detected via Defend for Containers

This rule detects an interactive session inside a container launching a scripting interpreter (Perl, PHP, Lua, Python or Ruby) with inline code (`-e`, `-r` or `-c`) whose arguments contain command-execution, payload-decoding or network primitives. Attackers commonly use such one-liners to run a second-stage payload, open a reverse shell or exfiltrate data. The match is made on command-line arguments only, so code supplied via stdin, a script file or an environment variable is not covered, and only interpreters under /bin, /usr/bin and /usr/local/bin are considered.

Rule type: eql
Rule indices:

  • logs-cloud_defend.process*

Rule Severity: medium
Risk Score: 47
Runs every: 5m
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Command and Control

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

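// Interactive one-liners handed to a scripting interpreter inside a container.
// The match is purely on argv: code fed via stdin, a script file or an environment
// variable, combined switches such as `perl -le` / `ruby -ne`, and interpreters
// installed outside /bin, /usr/bin and /usr/local/bin are not seen by this query.
// `like~` is case-insensitive; each pattern only has to match some argv element,
// so the code flag and the suspicious token need not be adjacent.
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
  process.parent.executable != null and container.id like "?*" and process.interactive == true and
  (
    (
      // Perl. `-e*` also catches the attached form `-e'code'`; like~ folds in `-E`,
      // which runs code too. Patterns are Perl primitives: command execution, eval,
      // raw sockets and the decoding / HTTP modules typically pulled into a one-liner.
      process.executable like ("/bin/perl*", "/usr/bin/perl*", "/usr/local/bin/perl*") and
      process.args like~ "-e*" and process.args like~ (
        "*system(*", "*exec(*", "*fork(*", "*eval(*", "*qx(*", "*`*",
        "*socket(*", "*connect(*", "*bind(*", "*IO::Socket*",
        "*decode_base64(*", "*MIME::Base64*", "*Compress::Zlib*", "*LWP::*", "*HTTP::Tiny*",
        "*base64*", "*zlib*", "*pack(*", "*unpack(*"
      )
    ) or
    (
      // PHP. `-r*` catches `-r'code'`; like~ folds in `-R`, which also executes code.
      process.executable like ("/bin/php*", "/usr/bin/php*", "/usr/local/bin/php*") and
      process.args like~ "-r*" and process.args like~ (
        "*exec(*", "*system(*", "*shell_exec(*", "*passthru(*", "*proc_open(*", "*pcntl_exec(*", "*popen(*",
        "*eval(*", "*assert(*", "*create_function(*", "*preg_replace(*e*", "*include(*", "*require(*",
        "*base64_decode(*", "*gzinflate(*", "*gzuncompress(*", "*str_rot13(*", "*urldecode(*", "*chr(*",
        "*ord(*", "*strrev(*", "*strtr(*", "*pack(*", "*unpack(*", "*curl_exec(*", "*curl_multi_exec(*",
        "*file_get_contents(*", "*fopen(*", "*fsockopen(*", "*pfsockopen(*", "*stream_socket_client(*",
        "*socket_create(*", "*socket_connect(*", "*socket_write(*", "*socket_read(*", "*mail(*",
        "*move_uploaded_file(*"
      )
    ) or
    (
      // Lua. Case-sensitive on purpose: `-E` only disables environment handling.
      process.executable like ("/bin/lua*", "/usr/bin/lua*", "/usr/local/bin/lua*") and
      process.args like "-e*" and process.args like~ (
        "*os.execute(*", "*io.popen(*", "*load(*", "*loadstring(*", "*require(*", "*dofile(*",
        "*package.loadlib(*", "*base64.decode(*", "*base64.encode(*", "*zlib.inflate(*",
        "*zlib.deflate(*", "*zlib.decompress(*", "*zlib.compress(*", "*socket.bind(*",
        "*socket.connect(*", "*socket.receive(*", "*socket.send(*", "*socket.tcp(*",
        "*socket.udp(*", "*socket.listen(*", "*socket.accept(*", "*net.http.request(*",
        "*net.http.get(*", "*net.http.post(*", "*http.request(*", "*http.get(*", "*http.post(*"
      )
    ) or
    (
      // Python. `-c*` catches `-c'code'`. Bare `exec(` is only matched together with a
      // decoder; `eval(`, `decode(`, `connect(` and `bind(` are broad and may need tuning.
      process.executable like ("/bin/python*", "/usr/bin/python*", "/usr/local/bin/python*") and
      process.args like "-c*" and process.args like~ (
        "*exec(*base64*", "*exec(*decode(*", "*exec(*marshal*", "*exec(*pickle*", "*eval(*exec(*",
        "*eval(*", "*subprocess.popen(*", "*subprocess.run(*", "*pickle.loads(*", "*marshal.loads(*",
        "*binascii*", "*os.system(*", "*os.popen(*", "*pty.*", "*dup2*", "*fileno()*", "*connect(*",
        "*bind(*", "*execve(*", "*base64*", "*base32*", "*base16*", "*base85*", "*decode(*",
        "*zlib.*", "*[::-1]*", "*socket.socket(*", "*socket.connect(*", "*socket.bind(*"
      )
    ) or
    (
      // Ruby. Case-sensitive on purpose: `-E` selects an encoding and runs no code.
      process.executable like ("/bin/ruby*", "/usr/bin/ruby*", "/usr/local/bin/ruby*") and
      process.args like "-e*" and process.args like~ (
        "*system(*", "*exec(*", "*IO.popen(*", "*Open3.popen3(*", "*spawn(*", "*eval(*", "*load(*",
        "*Marshal.load(*", "*Fiddle.dlopen(*", "*Fiddle::Function.new(*", "*base64*", "*zlib*",
        "*net/http*", "*socket*", "*open-uri*", "*pack(*", "*unpack(*"
      )
    )
  )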
		

Framework: MITRE ATT&CK
