Sensitive Files Compression Inside A Container

Last updated: 2025-03-12
Created: 2025-03-12

About

Identifies the use of a compression utility (zip, tar, gzip, hdiutil, 7z) executed inside a container to collect known files that contain sensitive information, such as SSH keys, cloud and Docker credentials, shell history, and system account databases.
Tags
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Collection
Data Source: Elastic Defend
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

Collection (TA0009)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name in ("zip", "tar", "gzip", "hdiutil", "7z") and
process.command_line like~ (
  "*/root/.ssh/*", "*/home/*/.ssh/*", "*/root/.bash_history*", "*/etc/hosts*", "*/root/.aws/*", "*/home/*/.aws/*",
  "*/root/.docker/*", "*/home/*/.docker/*", "*/etc/group*", "*/etc/passwd*", "*/etc/shadow*", "*/etc/gshadow*"
)
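To make the query's matching semantics concrete, the following is an added Python example (not part of the Elastic rule or the Elastic Security engine) that re-implements the rule's clauses and runs them over a handful of constructed process events. It assumes events are flattened into dicts keyed by ECS field name and models EQL `like~` as a case-insensitive wildcard where `*` matches any run of characters; the tool names and path patterns are copied from the query above.

```python
import re

# Field values copied from the rule's EQL query.
COMPRESSION_TOOLS = {"zip", "tar", "gzip", "hdiutil", "7z"}
SENSITIVE_PATH_PATTERNS = [
    "*/root/.ssh/*", "*/home/*/.ssh/*", "*/root/.bash_history*", "*/etc/hosts*",
    "*/root/.aws/*", "*/home/*/.aws/*", "*/root/.docker/*", "*/home/*/.docker/*",
    "*/etc/group*", "*/etc/passwd*", "*/etc/shadow*", "*/etc/gshadow*",
]


def wildcard_to_regex(pattern):
    """Model EQL `like~`: '*' matches any characters, comparison is case-insensitive (assumption)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [wildcard_to_regex(p) for p in SENSITIVE_PATH_PATTERNS]


def matches_rule(event):
    """Return True when one flattened ECS-style process event satisfies every clause of the query."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start" or event.get("event.action") != "exec":
        return False
    # The entry leader (the process that entered the session) must itself be a container entrypoint.
    if event.get("process.entry_leader.entry_meta.type") != "container":
        return False
    # `in` is case-sensitive in EQL, so the process name must match exactly.
    if event.get("process.name") not in COMPRESSION_TOOLS:
        return False
    cmd = event.get("process.command_line", "")
    return any(rx.match(cmd) for rx in COMPILED_PATTERNS)


def evaluate(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). A realistic feed would carry many more fields.
def _event(eid, name, cmd, leader="container", action="exec", etype="start", os_type="linux"):
    return {
        "id": eid, "host.os.type": os_type, "event.type": etype, "event.action": action,
        "process.entry_leader.entry_meta.type": leader, "process.name": name,
        "process.command_line": cmd,
    }


SAMPLE_EVENTS = [
    # e1: archiving SSH keys and the shadow file inside a container -> alert
    _event("e1", "tar", "tar czf /tmp/backup.tgz /root/.ssh/ /etc/shadow"),
    # e2: identical command, but the session was not started by a container entrypoint -> no alert
    _event("e2", "tar", "tar czf /tmp/backup.tgz /root/.ssh/ /etc/shadow", leader="init"),
    # e3: compressing application code only -> no alert
    _event("e3", "tar", "tar czf /tmp/app.tgz /var/www/app"),
    # e4: gzip on a non-root user's AWS credentials, matched by */home/*/.aws/* -> alert
    _event("e4", "gzip", "gzip /home/app/.aws/credentials"),
    # e5: right command line, but the event is a fork rather than an exec -> no alert
    _event("e5", "zip", "zip -r /tmp/a.zip /etc/passwd", action="fork"),
    # e6: like~ is case-insensitive, so an upper-cased path still matches -> alert
    _event("e6", "tar", "tar cf /tmp/a.tar /ETC/PASSWD"),
    # e7: a non-listed tool reading the same file is out of scope for this rule -> no alert
    _event("e7", "python3", "python3 -c 'open(\"/etc/shadow\").read()'"),
]


if __name__ == "__main__":
    for eid in evaluate(SAMPLE_EVENTS):
        print("ALERT:", eid)
```

Two points worth keeping in mind when triaging hits: the rule keys on the command line rather than on the files actually read, so a scheduled backup job inside a container that archives `/etc` will trigger it and is a candidate for an exception; and, as event e7 shows, only the five listed tools are covered, so this rule is one layer among others rather than a complete detection for credential collection.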

Install detection rules in Elastic Security

Detect Sensitive Files Compression Inside A Container in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.