容器内敏感文件压缩
编辑容器内敏感文件压缩
编辑识别使用压缩工具收集已知包含敏感信息(例如凭据和系统配置)的文件,这些文件位于容器内。
规则类型: eql
规则索引:
- logs-cloud_defend*
严重性: 中等
风险评分: 47
每: 5 分钟运行一次
搜索索引自: now-6m (日期数学格式,另请参见 额外回溯时间)
每次执行的最大告警数: 100
参考: 无
标签:
- 数据源:Elastic Defend for Containers
- 领域:容器
- 操作系统:Linux
- 用例:威胁检测
- 策略:数据收集
- 策略:凭据访问
版本: 2
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑process where container.id: "*" and event.type== "start" and
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name: ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z"))
and process.args: (
"/root/.ssh/id_rsa",
"/root/.ssh/id_rsa.pub",
"/root/.ssh/id_ed25519",
"/root/.ssh/id_ed25519.pub",
"/root/.ssh/authorized_keys",
"/root/.ssh/authorized_keys2",
"/root/.ssh/known_hosts",
"/root/.bash_history",
"/etc/hosts",
"/home/*/.ssh/id_rsa",
"/home/*/.ssh/id_rsa.pub",
"/home/*/.ssh/id_ed25519",
"/home/*/.ssh/id_ed25519.pub",
"/home/*/.ssh/authorized_keys",
"/home/*/.ssh/authorized_keys2",
"/home/*/.ssh/known_hosts",
"/home/*/.bash_history",
"/root/.aws/credentials",
"/root/.aws/config",
"/home/*/.aws/credentials",
"/home/*/.aws/config",
"/root/.docker/config.json",
"/home/*/.docker/config.json",
"/etc/group",
"/etc/passwd",
"/etc/shadow",
"/etc/gshadow")
框架: MITRE ATT&CKTM
-
策略
- 名称:凭据访问
- ID:TA0006
- 参考 URL:https://attack.mitre.org/tactics/TA0006/
-
技术
- 名称:不安全的凭据
- ID:T1552
- 参考 URL:https://attack.mitre.org/techniques/T1552/
-
子技术
- 名称:文件中的凭据
- ID:T1552.001
- 参考 URL:https://attack.mitre.org/techniques/T1552/001/
-
策略
- 名称:数据收集
- ID:TA0009
- 参考 URL:https://attack.mitre.org/tactics/TA0009/
-
技术
- 名称:存档收集的数据
- ID:T1560
- 参考 URL:https://attack.mitre.org/techniques/T1560/
-
子技术
- 名称:通过实用程序存档
- ID:T1560.001
- 参考 URL:https://attack.mitre.org/techniques/T1560/001/