SSH Process Launched From Inside A Containeredit
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Lateral Movement
- Tactic: Persistence
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
process where container.id: "*" and event.type== "start" and
event.action in ("fork", "exec") and event.action != "end" and
process.name: ("sshd", "ssh", "autossh")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Sub-technique:
- Name: SSH
- ID: T1021.004
- Reference URL: https://attack.mitre.org/techniques/T1021/004/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: External Remote Services
- ID: T1133
- Reference URL: https://attack.mitre.org/techniques/T1133/