Sensitive Keys Or Passwords Searched For Inside A Container

edit

Sensitive Keys Or Passwords Searched For Inside A Container

edit

This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Credential Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where container.id: "*" and event.type== "start" and
((
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
  (process.name in ("grep", "egrep", "fgrep") or process.args in ("grep", "egrep", "fgrep"))
    and process.args : ("*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*",
"*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*", "*pass*", "*ssh*", "*user*")
)
or
(
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
  (process.name in ("find", "locate", "mlocate") or process.args in ("find", "locate", "mlocate"))
    and process.args : ("*id_rsa*", "*id_dsa*")
))

Framework: MITRE ATT&CKTM