AWS Credentials Searched For Inside A Container | Elastic Security Solution [8.13]

› › ›

« AWS Configuration Recorder Stopped AWS Deletion of RDS Instance or Cluster »

AWS Credentials Searched For Inside A Containeredit

This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.

Rule type: eql

Rule indices:

logs-cloud_defend*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://sysdig.com/blog/threat-detection-aws-cloud-containers/

Tags:

Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

process where event.module == "cloud_defend" and
  event.type == "start" and

/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and
process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
Sub-technique:
- Name: Credentials In Files
- ID: T1552.001
- Reference URL: https://attack.mitre.org/techniques/T1552/001/

« AWS Configuration Recorder Stopped AWS Deletion of RDS Instance or Cluster »