Tool Installation Detected via Defend for Containers

About

Tags

Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: ExecutionLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

↳ Software Deployment Tools (T1072)(external, opens in a new tab or window)

False Positive Examples

There is a potential for false positives if the tools are installed for legitimate purposes, such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-cloud_defend.process*

Related Integrations

cloud_defend(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf") and process.args == "install") or
  (process.name == "apk" and process.args == "add") or
  (process.name == "pacman" and process.args like "-*S*") or
  (process.name in ("rpm", "dpkg") and process.args in ("-i", "--install"))
) and process.args like (
  "curl", "wget", "socat", "busybox", "openssl", "torsocks",
  "netcat", "netcat-openbsd", "netcat-traditional", "ncat", "tor",
  "python*", "perl", "node", "nodejs", "ruby", "lua"
) and process.interactive == true and container.id like "*"