Interactive Exec Command Launched Against A Running Container

This rule detects interactive exec events launched against a container using the exec command. Using the exec command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container’s shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process where container.id : "*" and event.type == "start" and

/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and

/* process is the initial process run in a container */
process.entry_leader.same_as_process == true and

/* interactive process */
process.interactive == true
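As an added example (not the rule's own code), the following Python mirrors the query's conditions and runs them over constructed ECS-style events, showing that only the interactive exec session itself alerts, not the commands typed inside it, the container's entrypoint, a non-interactive exec, or a process on the node. The field names are the query's; the sample values, the `name` label and the `"init"` entry type are assumptions for illustration.

```python
# Added example, not part of the Elastic rule: a Python mirror of the EQL
# predicates evaluated over constructed ECS-style events.
from typing import Any

def get(event: dict, path: str) -> Any:
    """Resolve a dotted ECS field path; None when any segment is absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event: dict) -> bool:
    """All conditions of the query must hold; a missing field fails its condition.
    event.type is accepted as a string or a list (assumption: ECS allows both)."""
    etype = get(event, "event.type")
    types = etype if isinstance(etype, list) else [etype]
    return (
        get(event, "event.category") == "process"                      # process where
        and bool(get(event, "container.id"))                             # container.id : "*"
        and "start" in types                                             # event.type == "start"
        and get(event, "process.entry_leader.entry_meta.type") == "container"
        and get(event, "process.entry_leader.same_as_process") is True
        and get(event, "process.interactive") is True
    )

def sample(name, *, container="c0ffee", entry_type="container",
           same_as_process=True, interactive=True):
    """Build a constructed ECS-style process start event (sample data only)."""
    ev = {"name": name,
          "event": {"category": "process", "type": ["start"]},
          "process": {"interactive": interactive,
                      "entry_leader": {"same_as_process": same_as_process,
                                       "entry_meta": {"type": entry_type}}}}
    if container is not None:
        ev["container"] = {"id": container}
    return ev

SAMPLE_EVENTS = [  # constructed events, one per scenario
    sample("kubectl exec -it pod -- /bin/bash"),
    sample("kubectl exec pod -- ls /tmp", interactive=False),
    sample("ps run inside the exec session", same_as_process=False),
    sample("container entrypoint /app/server", entry_type="init"),
    sample("interactive bash on the node itself", container=None, entry_type="init"),
]

def alerting_events(events):
    """Names of the events the rule would alert on."""
    return [e["name"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))
```

Because `same_as_process` must be true, the rule fires once per exec session rather than for every command run inside the shell, which is why the third sample stays quiet.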

Framework: MITRE ATT&CK™