Sensitive Files Compression Inside A Container

Identifies the use of a compression utility inside a container to collect files known to contain sensitive information, such as credentials and system configuration.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Collection
  • Tactic: Credential Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process where container.id: "*" and event.type == "start" and
/* account for tools that execute utilities as a subprocess; in this case the target utility name will appear as a process arg */
(process.name: ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z"))
and process.args: (
"/root/.ssh/id_rsa",
"/root/.ssh/id_rsa.pub",
"/root/.ssh/id_ed25519",
"/root/.ssh/id_ed25519.pub",
"/root/.ssh/authorized_keys",
"/root/.ssh/authorized_keys2",
"/root/.ssh/known_hosts",
"/root/.bash_history",
"/etc/hosts",
"/home/*/.ssh/id_rsa",
"/home/*/.ssh/id_rsa.pub",
"/home/*/.ssh/id_ed25519",
"/home/*/.ssh/id_ed25519.pub",
"/home/*/.ssh/authorized_keys",
"/home/*/.ssh/authorized_keys2",
"/home/*/.ssh/known_hosts",
"/home/*/.bash_history",
"/root/.aws/credentials",
"/root/.aws/config",
"/home/*/.aws/credentials",
"/home/*/.aws/config",
"/root/.docker/config.json",
"/home/*/.docker/config.json",
"/etc/group",
"/etc/passwd",
"/etc/shadow",
"/etc/gshadow")
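To make the query's conditions concrete, the following added example (not part of the Elastic rule or its documentation) re-implements the same matching logic in Python and runs it over a few constructed process events, including the wrapper case the query's comment describes. Field names mirror the rule; the event dicts and container ids are constructed sample data.

```python
import fnmatch

# Archivers the rule watches for, either as the process name or as an argument.
ARCHIVERS = {"zip", "tar", "gzip", "hdiutil", "7z"}

# The 27 sensitive paths from the rule; "*" is an EQL wildcard (fnmatch "*" here).
SENSITIVE_PATHS = [
    f"{home}/{rel}"
    for home in ("/root", "/home/*")
    for rel in (".ssh/id_rsa", ".ssh/id_rsa.pub", ".ssh/id_ed25519",
                ".ssh/id_ed25519.pub", ".ssh/authorized_keys",
                ".ssh/authorized_keys2", ".ssh/known_hosts", ".bash_history",
                ".aws/credentials", ".aws/config", ".docker/config.json")
] + ["/etc/hosts", "/etc/group", "/etc/passwd", "/etc/shadow", "/etc/gshadow"]

def _any_match(values, patterns):
    """EQL ':' on an array field: true if any value matches any pattern (case-insensitive)."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)

def matches_rule(event):
    """Evaluate the rule's conditions against one process event (a flat dict)."""
    if not event.get("container.id"):          # container.id : "*"  -> field must be set
        return False
    if event.get("event.type") != "start":     # event.type == "start"
        return False
    args = event.get("process.args", [])
    uses_archiver = (event.get("process.name", "").lower() in ARCHIVERS
                     or _any_match(args, ARCHIVERS))
    return uses_archiver and _any_match(args, SENSITIVE_PATHS)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"container.id": "c1", "event.type": "start", "process.name": "tar",
     "process.args": ["tar", "czf", "/tmp/b.tgz", "/home/app/.ssh/id_rsa"]},
    {"container.id": "c1", "event.type": "start", "process.name": "tar",
     "process.args": ["tar", "czf", "/tmp/logs.tgz", "/var/log/app"]},
    # Archiver launched through a wrapper: the utility shows up only in args.
    {"container.id": "c2", "event.type": "start", "process.name": "nice",
     "process.args": ["nice", "tar", "cf", "/tmp/e.tar", "/etc/shadow"]},
    # Same command on the host, outside any container: out of the rule's scope.
    {"container.id": "", "event.type": "start", "process.name": "tar",
     "process.args": ["tar", "cf", "/tmp/e.tar", "/etc/shadow"]},
]

def alerting_indexes(events=SAMPLE_EVENTS):
    """Return the indexes of the events that would raise this rule's alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_indexes())  # [0, 2]
```

Only the first and third events alert: the second archives a non-sensitive path, and the fourth lacks a container.id, so the rule never considers it.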

Framework: MITRE ATT&CK™