Modification of Persistence Relevant Files Detected via Defend for Containers

Last updated: 2026-02-10
Created: 2026-02-10

About

This rule detects attempts from within a Linux container to create or modify files commonly used for persistence on native Linux systems, including cron and at jobs, systemd service and timer units, sudoers files, and shell profile configurations. Most containerized workloads run a single entrypoint process with no cron or systemd daemon, so many of these mechanisms do not provide reliable persistence inside a container; precisely for that reason such modifications are unusual and may indicate persistence attempts, privilege abuse, or preparation for container escape, especially when performed outside normal image build or package management processes. Writes made by common package managers are excluded to reduce noise from legitimate image builds.
Tags
Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Tactic: Privilege Escalation
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

Privilege Escalation (TA0004)

Execution (TA0002)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-cloud_defend.file*
Related Integrations

cloud_defend

Query
```eql
file where event.type != "deletion" and

  /* open events currently only log file opens with write intent */
  event.action in ("creation", "rename", "open") and
  (
    file.path like (
      // Cron & Anacron Jobs
      "/etc/cron.allow", "/etc/cron.deny", "/etc/cron.d/*", "/etc/cron.hourly/*",
      "/etc/cron.daily/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/etc/crontab",
      "/var/spool/cron/crontabs/*", "/var/spool/anacron/*",

      // At Job
      "/var/spool/cron/atjobs/*", "/var/spool/atjobs/*",

      // Sudoers
      "/etc/sudoers*"
    ) or
    (
      // Systemd Service/Timer
      file.path like (
        "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*",
        "/lib/systemd/system/*", "/usr/lib/systemd/system/*", "/usr/lib/systemd/user/*",
        "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
        "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*"
      ) and file.extension in ("service", "timer")
    ) or
    (
      // Shell Profile Configuration
      file.path like ("/etc/profile.d/*", "/etc/zsh/*") or
      (
        file.path like ("/home/*/*", "/etc/*", "/root/*") and
        file.name in (
          "profile", "bash.bashrc", "bash.bash_logout", "csh.cshrc", "csh.login",
          "config.fish", "ksh.kshrc", ".bashrc", ".bash_login", ".bash_logout",
          ".bash_profile", ".bash_aliases", ".zprofile", ".zshrc", ".cshrc",
          ".login", ".logout", ".kshrc"
        )
      )
    )
  ) and
  container.id like "?*" and
  not process.name in (
    "apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf", "apk",
    "pacman", "rpm", "dpkg"
  )
```
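As an added illustration (this is not the Elastic rule's own code and is not part of the detection-rules repository), the following Python re-implements the query's matching conditions and runs them over a handful of constructed file events, so you can see which paths fire and which exclusions suppress a match: deletions, writes by a package manager, events with no container.id, and files under a systemd directory whose extension is not service or timer. Field names follow ECS as the rule uses them. Deriving file.name and file.extension from file.path when an event lacks them is an assumption for the sample; it does not describe how Defend for Containers populates those fields.

```python
"""Offline model of the rule's EQL conditions, run over constructed events."""
from fnmatch import fnmatchcase
from posixpath import basename, splitext

# Patterns copied from the rule. EQL `like` treats `*` as any run of characters
# (a "/" included) and `?` as exactly one character; fnmatchcase does the same
# for these patterns because none of them use `[...]` character classes.
CRON_AT_SUDO = (
    "/etc/cron.allow", "/etc/cron.deny", "/etc/cron.d/*", "/etc/cron.hourly/*",
    "/etc/cron.daily/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/etc/crontab",
    "/var/spool/cron/crontabs/*", "/var/spool/anacron/*",
    "/var/spool/cron/atjobs/*", "/var/spool/atjobs/*",
    "/etc/sudoers*",
)
SYSTEMD_DIRS = (
    "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*",
    "/lib/systemd/system/*", "/usr/lib/systemd/system/*", "/usr/lib/systemd/user/*",
    "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
    "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",
)
SHELL_DIRS = ("/etc/profile.d/*", "/etc/zsh/*")
SHELL_PARENTS = ("/home/*/*", "/etc/*", "/root/*")
SHELL_FILES = {
    "profile", "bash.bashrc", "bash.bash_logout", "csh.cshrc", "csh.login",
    "config.fish", "ksh.kshrc", ".bashrc", ".bash_login", ".bash_logout",
    ".bash_profile", ".bash_aliases", ".zprofile", ".zshrc", ".cshrc",
    ".login", ".logout", ".kshrc",
}
PACKAGE_MANAGERS = {"apt", "apt-get", "dnf", "microdnf", "yum", "zypper",
                    "tdnf", "apk", "pacman", "rpm", "dpkg"}


def like_any(value, patterns):
    """EQL `field like (p1, p2, ...)`: true if any pattern matches."""
    return any(fnmatchcase(value, p) for p in patterns)


def matches(event):
    """Return True if a flat ECS-style event would satisfy the rule's query."""
    if event.get("event.category") != "file":          # `file where ...`
        return False
    if event.get("event.type") == "deletion":
        return False
    if event.get("event.action") not in ("creation", "rename", "open"):
        return False
    if not event.get("container.id"):                   # container.id like "?*"
        return False
    if event.get("process.name") in PACKAGE_MANAGERS:   # image-build noise
        return False
    path = event["file.path"]
    # Assumption for this sample only: derive name/extension from the path
    # when the event does not carry them.
    name = event.get("file.name", basename(path))
    ext = event.get("file.extension", splitext(path)[1].lstrip("."))
    return (
        like_any(path, CRON_AT_SUDO)
        or (like_any(path, SYSTEMD_DIRS) and ext in ("service", "timer"))
        or like_any(path, SHELL_DIRS)
        or (like_any(path, SHELL_PARENTS) and name in SHELL_FILES)
    )


def sample_events():
    """Constructed events (not real telemetry) exercising the main branches."""
    base = {"event.category": "file", "container.id": "3f2a9c1d7b6e",
            "process.name": "bash"}
    return [
        # cron job dropped from an interactive shell: fires
        {**base, "event.type": "creation", "event.action": "creation",
         "file.path": "/etc/cron.d/backup"},
        # unit installed by the package manager during an image build: suppressed
        {**base, "event.type": "creation", "event.action": "creation",
         "process.name": "dpkg", "file.path": "/lib/systemd/system/foo.service"},
        # a drop-in under a systemd dir with a non-unit extension: out of scope
        {**base, "event.type": "change", "event.action": "open",
         "file.path": "/etc/systemd/system/foo.conf"},
        # root's shell rc opened with write intent: fires
        {**base, "event.type": "change", "event.action": "open",
         "file.path": "/root/.bashrc"},
        # the same path deleted: excluded by event.type
        {**base, "event.type": "deletion", "event.action": "deletion",
         "file.path": "/root/.bashrc"},
        # sudoers edit with no container.id (host activity): out of scope
        {**base, "event.type": "change", "event.action": "open",
         "container.id": "", "file.path": "/etc/sudoers.d/90-cloud-init"},
        # user timer unit renamed into place under a home directory: fires
        {**base, "event.type": "change", "event.action": "rename",
         "file.path": "/home/app/.config/systemd/user/sync.timer"},
        # an ordinary /etc file that is not a shell profile: no match
        {**base, "event.type": "creation", "event.action": "creation",
         "file.path": "/etc/hosts"},
    ]


def alerts(events=None):
    """Paths of the events that would raise an alert under the rule."""
    return [e["file.path"] for e in (events or sample_events()) if matches(e)]


if __name__ == "__main__":
    for path in alerts():
        print("ALERT", path)
```

Running the block prints the three paths that fire; the other five constructed events are each dropped by a different exclusion, which is a handy way to check that a tuning change (for example, adding a process to the package-manager list) suppresses exactly what you intended.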

Install detection rules in Elastic Security

Detect Modification of Persistence Relevant Files Detected via Defend for Containers in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.