System Path File Creation and Execution Detected via Defend for Containers

About

Tags

Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: ExecutionTactic: Command and ControlTactic: Defense EvasionLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Application Layer Protocol (T1071)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-cloud_defend.file*

Related Integrations

cloud_defend(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗file where host.os.type == "linux" and event.type == "creation" and process.interactive == true and
file.path like (
  "/etc/*", "/root/*", "/bin/*", "/usr/bin/*", "/usr/local/bin/*", "/entrypoint*"
) and (
  process.name like ("wget", "curl") or
  (process.name == "busybox" and process.args == "wget") or
  process.executable like ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "/run/*", "/var/run/*", "/mnt/*")
) and container.id like "?*"