Sensitive Keys Or Passwords Searched For Inside A Container

Last updated on 2025-03-12
Created on 2025-03-12

About

This rule detects the use of system search utilities such as grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host. Note that the short substrings in the query ("*pass*", "*ssh*", "*user*") also match routine commands such as a grep against /etc/passwd, so expect to add exceptions for known-good images and entrypoints when tuning this rule.
Tags
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and
process.name in ("grep", "egrep", "fgrep", "find", "locate", "mlocate") and
process.command_line like~ (
  "*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*", "*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*",
  "*pass*", "*ssh*", "*user*", "*id_rsa*", "*id_dsa*"
)
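The following is an added example, not code from the Elastic rule or the Elastic detection engine: a small Python re-implementation of the query's matching logic that can be run offline against constructed process events, to see which command lines fire and which of the broad patterns they hit. It assumes events are flat dictionaries keyed by ECS field name, treats event.type as a plain string (in ECS it is an array), and approximates EQL's case-insensitive like~ with a glob-to-regex conversion that handles only the * and ? wildcards used by the rule. The sample events are constructed for illustration.

```python
import re

# Process names and command-line patterns copied from the rule query.
RULE_PROCESS_NAMES = {"grep", "egrep", "fgrep", "find", "locate", "mlocate"}
RULE_PATTERNS = [
    "*BEGIN PRIVATE*", "*BEGIN OPENSSH PRIVATE*", "*BEGIN RSA PRIVATE*",
    "*BEGIN DSA PRIVATE*", "*BEGIN EC PRIVATE*",
    "*pass*", "*ssh*", "*user*", "*id_rsa*", "*id_dsa*",
]


def like_ci(value: str, pattern: str) -> bool:
    """Approximate EQL `like~`: glob match with * and ?, case-insensitive.

    Assumption: the rule's patterns only use '*', so '[' and other fnmatch
    metacharacters are deliberately treated as literals here.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event: dict) -> list:
    """Return the rule patterns the event's command line hits; [] if the rule does not fire.

    The event is a flat dict keyed by ECS field name (an assumption for this example).
    """
    if not (
        event.get("host.os.type") == "linux"
        and event.get("event.type") == "start"
        and event.get("event.action") == "exec"
        and event.get("process.entry_leader.entry_meta.type") == "container"
        and event.get("process.name") in RULE_PROCESS_NAMES
    ):
        return []
    cmd = event.get("process.command_line", "")
    return [p for p in RULE_PATTERNS if like_ci(cmd, p)]


def make_event(name: str, cmd: str, **overrides) -> dict:
    """Build a constructed container exec event; overrides replace any field."""
    base = {
        "host.os.type": "linux",
        "event.type": "start",
        "event.action": "exec",
        "process.entry_leader.entry_meta.type": "container",
        "process.name": name,
        "process.command_line": cmd,
    }
    base.update(overrides)
    return base


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = {
    # True positive: sweeping the filesystem for key headers.
    "key_hunt": make_event("grep", "grep -r 'BEGIN OPENSSH PRIVATE' /"),
    # True positive: locating SSH identity files by name.
    "find_id_rsa": make_event("find", "find / -name id_rsa"),
    # Benign but noisy: a lookup in /etc/passwd trips both *user* and *pass*.
    "benign_user_lookup": make_event("grep", "grep app_user /etc/passwd"),
    # Same command outside a container: entry leader is not a container.
    "not_in_container": make_event(
        "grep", "grep -r id_rsa /",
        **{"process.entry_leader.entry_meta.type": "init"}
    ),
    # Reading a key directly with cat is outside the rule's process list.
    "cat_not_covered": make_event("cat", "cat /root/.ssh/id_rsa"),
}


def evaluate(events: dict) -> dict:
    """Run the rule over every sample event and report the patterns hit."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:20s} -> {'ALERT ' + str(hits) if hits else 'no match'}")
```

Running it shows the two credential hunts alerting, the /etc/passwd lookup alerting on "*pass*" and "*user*" alone (the tuning case mentioned above), and the non-container and cat events falling through, which is also a reminder that reading a known key path with a non-search utility is not in scope for this rule.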

Install detection rules in Elastic Security

Detect this activity in the Elastic Security detection engine by installing the Sensitive Keys Or Passwords Searched For Inside A Container rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.