Suspicious Network Tool Launched Inside A Container

Last updated 3 months ago on 2025-03-12
Created 3 months ago on 2025-03-12

About

This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.
Tags
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Tactic: Command and Control
Tactic: Reconnaissance
Data Source: Elastic Defend
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)

Command and Control (TA0011)

Reconnaissance (TA0043)

False Positive Examples
There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name in (
  "nc.traditional", "nc", "ncat", "netcat", "nmap", "dig", "nslookup", "tcpdump", "tshark", "ngrep", "telnet",
  "mitmproxy", "socat", "zmap", "masscan", "zgrab"
)
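The same conditions evaluated in Python over constructed ECS-style process events, as an added example (not Elastic's code): the field names follow the query above, while the sample events, the make_event helper and the run_rule wrapper are assumptions made for illustration.

```python
from typing import Any

# Process names listed in the rule's EQL query
NETWORK_TOOLS = {
    "nc.traditional", "nc", "ncat", "netcat", "nmap", "dig", "nslookup", "tcpdump",
    "tshark", "ngrep", "telnet", "mitmproxy", "socat", "zmap", "masscan", "zgrab",
}

def get_field(event: dict, dotted: str) -> Any:
    """Resolve an ECS dotted path such as 'process.entry_leader.entry_meta.type'."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_rule(event: dict) -> bool:
    """Mirror the rule: Linux exec of a listed tool whose entry leader is a container."""
    return (
        get_field(event, "event.category") == "process"
        and get_field(event, "host.os.type") == "linux"
        and get_field(event, "event.type") == "start"
        and get_field(event, "event.action") == "exec"
        and get_field(event, "process.entry_leader.entry_meta.type") == "container"
        and get_field(event, "process.name") in NETWORK_TOOLS
    )

def make_event(name: str, entry_type: str, action: str = "exec") -> dict:
    """Build a constructed (hypothetical) ECS-style process event for testing."""
    return {
        "event": {"category": "process", "type": "start", "action": action},
        "host": {"os": {"type": "linux"}},
        "process": {"name": name, "entry_leader": {"entry_meta": {"type": entry_type}}},
    }

SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    make_event("nmap", "container"),             # alert: scanner exec'd inside a container
    make_event("nmap", "init"),                  # no alert: same tool, launched on the host
    make_event("bash", "container"),             # no alert: not a listed tool
    make_event("tcpdump", "container", "fork"),  # no alert: fork only, rule needs exec
]

def run_rule(events: list[dict]) -> list[str]:
    """Return the process names of events that would raise an alert."""
    return [get_field(e, "process.name") for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['nmap']
```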

Install detection rules in Elastic Security

Detect Suspicious Network Tool Launched Inside A Container in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.