Interactive Exec Command Launched Against A Running Container

edit

Interactive Exec Command Launched Against A Running Container

edit

This rule detects interactive exec events launched against a container using the exec command. Using the exec command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container’s shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Execution
  • Container

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where container.id : "*" and event.type== "start" and

/* use of kubectl exec to enter a container */
process.entry_leader.entry_meta.type : "container" and

/* process is the inital process run in a container */
process.entry_leader.same_as_process== true and

/* interactive process */
process.interactive == true

Framework: MITRE ATT&CKTM