Unusual Interactive Process Launched in a Container

Last updated: 2025-03-12
Created: 2025-03-12

About

This rule detects an interactive process being launched inside a container. In ECS terms a process is interactive when its standard input and error are attached to its controlling terminal (a TTY), which is how a shell session with a human behind it looks; containerized workloads normally run non-interactively, so an interactive process, and in particular a shell, inside a container session is unusual. It can indicate an attacker who has obtained an execution path into the container and is now working from a terminal, or an operator debugging a workload by hand. Because the rule is a New Terms rule, it alerts only the first time a given combination of term values appears; expect the first interactive session from legitimate debugging to fire, and triage it against the process and host fields rather than treating every hit as malicious.
Tags
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.entry_leader.entry_meta.type:container and process.interactive:true
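The query above can be read as a predicate over ECS process documents followed by a new-terms baseline. The following is an added example, not Elastic's code, that re-implements the KQL filter clause for clause in Python and runs it over a few constructed ECS-style events, then applies a minimal "first time seen" baseline so both stages of the rule are visible together. The field names are ECS; the events are constructed, and the new-terms field set (host.id plus process.executable) and history behaviour are assumptions, since the page does not show how the rule's New Terms stage is configured.

```python
"""Added example (not Elastic's code): the rule's KQL filter as a Python
predicate over constructed ECS-style process events, plus a minimal
"new terms" baseline. Event contents are constructed for illustration."""
from typing import Any, Dict, Iterable, List, Optional, Tuple

Doc = Dict[str, Any]

# Constructed ECS-style documents in dotted-key form; not real telemetry.
SAMPLE_EVENTS: List[Doc] = [
    {   # interactive shell inside a container session, first time seen: should alert
        "@timestamp": "2025-03-12T10:00:00Z", "host.id": "node-a",
        "host.os.type": "linux", "event.category": ["process"],
        "event.type": ["start"], "event.action": "exec",
        "process.executable": "/bin/sh", "process.interactive": True,
        "process.entry_leader.entry_meta.type": "container",
    },
    {   # same executable on the same host again: matches the query, no longer new
        "@timestamp": "2025-03-12T10:05:00Z", "host.id": "node-a",
        "host.os.type": "linux", "event.category": ["process"],
        "event.type": ["start"], "event.action": "exec",
        "process.executable": "/bin/sh", "process.interactive": True,
        "process.entry_leader.entry_meta.type": "container",
    },
    {   # the container's workload itself: no controlling TTY, so not interactive
        "@timestamp": "2025-03-12T10:06:00Z", "host.id": "node-a",
        "host.os.type": "linux", "event.category": ["process"],
        "event.type": ["start"], "event.action": "exec",
        "process.executable": "/usr/bin/nginx", "process.interactive": False,
        "process.entry_leader.entry_meta.type": "container",
    },
    {   # interactive shell, but the session's entry leader is an SSH login on the host
        "@timestamp": "2025-03-12T10:07:00Z", "host.id": "node-a",
        "host.os.type": "linux", "event.category": ["process"],
        "event.type": ["start"], "event.action": "exec",
        "process.executable": "/bin/bash", "process.interactive": True,
        "process.entry_leader.entry_meta.type": "sshd",
    },
]


def _field_is(doc: Doc, field: str, value: Any) -> bool:
    """KQL `field:value` semantics: an array-valued ECS field matches if any element equals."""
    actual = doc.get(field)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def matches_query(doc: Doc) -> bool:
    """The rule's KQL filter, clause for clause."""
    return (
        _field_is(doc, "event.category", "process")
        and _field_is(doc, "host.os.type", "linux")
        and _field_is(doc, "event.type", "start")
        and _field_is(doc, "event.action", "exec")
        and _field_is(doc, "process.entry_leader.entry_meta.type", "container")
        and doc.get("process.interactive") is True
    )


class NewTermsDetector:
    """Minimal stand-in for the New Terms rule type: alert only the first time a
    combination of term values is seen. The field set and history window of the
    real rule are configured in the rule and not shown on the page; the default
    here (host.id + process.executable) is an assumption for illustration."""

    def __init__(self, fields: Tuple[str, ...] = ("host.id", "process.executable")) -> None:
        self.fields = fields
        self.seen: set = set()

    def process(self, doc: Doc) -> Optional[Doc]:
        if not matches_query(doc):
            return None
        term = tuple(doc.get(f) for f in self.fields)
        if term in self.seen:
            return None
        self.seen.add(term)
        return {"@timestamp": doc.get("@timestamp"), **{f: doc.get(f) for f in self.fields}}


def run(events: Iterable[Doc]) -> List[Doc]:
    """Feed events through the query filter and the new-terms baseline; return alerts."""
    detector = NewTermsDetector()
    return [alert for alert in map(detector.process, events) if alert is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Running the script produces one alert, for the first /bin/sh in the container session; the second /bin/sh passes the query but not the baseline, the nginx worker is not interactive, and the bash under sshd is an interactive host session rather than a container one. Note that the `_field_is` helper is needed because event.category and event.type are array fields in ECS, and a naive equality check would silently drop every event.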

Install detection rules in Elastic Security

Detect Unusual Interactive Process Launched in a Container in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.