Elastic Security Detection Rules

Interactive Shell Spawn Detected via Defend for Containers

Last updated 23 days ago on 2026-01-15
Created 3 years ago on 2023-04-26

About

This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.
Tags
Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: ExecutionLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

False Positive Examples
Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-cloud_defend.process*
Related Integrations

cloud_defend(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.entry_leader.same_as_process == false and process.interactive == true and container.id like "*" and
process.args in (
  "sh", "dash", "bash", "zsh", "fish", "busybox",
  "/bin/sh", "/bin/dash", "/bin/bash", "/bin/zsh", "/bin/fish", "/bin/busybox",
  "/usr/bin/sh", "/usr/bin/dash", "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish", "/usr/bin/busybox",
  "/usr/local/bin/sh", "/usr/local/bin/dash", "/usr/local/bin/bash", "/usr/local/bin/zsh", "/usr/local/bin/fish", "/usr/local/bin/busybox"
) and process.args in ("-i", "-it")

Install detection rules in Elastic Security

Detect Interactive Shell Spawn Detected via Defend for Containers in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).