Interactive Exec Command Launched Against A Running Container

edit

Interactive Exec Command Launched Against A Running Containeredit

This rule detects interactive exec events launched against a container using the exec command. Using the exec command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container’s shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

process where container.id : "*" and event.type== "start" and

/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and

/* process is the inital process run in a container */
process.entry_leader.same_as_process== true and

/* interactive process */
process.interactive == true

Framework: MITRE ATT&CKTM