Curl SOCKS Proxy Detected via Defend for Containers

Last updated 7 days ago on 2026-01-27

Created 12 days ago on 2026-01-22

About

This rule detects the use of the "curl" command-line tool with SOCKS proxy options. Attackers may use "curl" to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate data or communicate with C2 servers.

Tags

Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: Command and ControlLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Protocol Tunneling (T1572)(external, opens in a new tab or window)

False Positive Examples

There is a potential for false positives if SOCKS proxies are used for legitimate purposes, such as debugging or troubleshooting, or if the "curl" command-line tool is used to download files from a known benign source. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-cloud_defend.process*
Related Integrations: cloud_defend(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "curl" and process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*", "-x") and
process.interactive == true and container.id like "?*"

Install detection rules in Elastic Security

Detect Curl SOCKS Proxy Detected via Defend for Containers in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).