Container Management Utility Run Inside A Container

About

Tags

Domain: ContainerOS: LinuxUse Case: Threat DetectionTactic: ExecutionData Source: Elastic DefendLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

↳ Container Administration Command (T1609)(external, opens in a new tab or window)

False Positive Examples

There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.process*

Related Integrations

endpoint(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.interactive == true and
process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
not process.parent.executable in ("/sbin/init", "/usr/bin/dockerd")