容器内敏感文件压缩
编辑容器内敏感文件压缩
编辑识别在容器内使用压缩工具来收集已知包含敏感信息的文件,例如凭据和系统配置。
规则类型: eql
规则索引:
- logs-cloud_defend*
严重性: 中
风险评分: 47
运行频率: 5m
搜索索引时间范围: now-6m (日期数学格式,另请参阅 额外的回溯时间
)
每次执行的最大告警数: 100
参考: 无
标签:
- 数据源: Elastic Defend for Containers
- 域: 容器
- 操作系统: Linux
- 用例: 威胁检测
- 战术: 收集
- 战术: 凭证访问
版本: 2
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑process where container.id: "*" and event.type== "start" and /*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ (process.name: ("zip", "tar", "gzip", "hdiutil", "7z") or process.args: ("zip", "tar", "gzip", "hdiutil", "7z")) and process.args: ( "/root/.ssh/id_rsa", "/root/.ssh/id_rsa.pub", "/root/.ssh/id_ed25519", "/root/.ssh/id_ed25519.pub", "/root/.ssh/authorized_keys", "/root/.ssh/authorized_keys2", "/root/.ssh/known_hosts", "/root/.bash_history", "/etc/hosts", "/home/*/.ssh/id_rsa", "/home/*/.ssh/id_rsa.pub", "/home/*/.ssh/id_ed25519", "/home/*/.ssh/id_ed25519.pub", "/home/*/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys2", "/home/*/.ssh/known_hosts", "/home/*/.bash_history", "/root/.aws/credentials", "/root/.aws/config", "/home/*/.aws/credentials", "/home/*/.aws/config", "/root/.docker/config.json", "/home/*/.docker/config.json", "/etc/group", "/etc/passwd", "/etc/shadow", "/etc/gshadow")
框架: MITRE ATT&CKTM
-
战术
- 名称: 凭证访问
- ID: TA0006
- 参考 URL: https://attack.mitre.org/tactics/TA0006/
-
技术
- 名称: 不安全的凭据
- ID: T1552
- 参考 URL: https://attack.mitre.org/techniques/T1552/
-
子技术
- 名称: 文件中的凭据
- ID: T1552.001
- 参考 URL: https://attack.mitre.org/techniques/T1552/001/
-
战术
- 名称: 收集
- ID: TA0009
- 参考 URL: https://attack.mitre.org/tactics/TA0009/
-
技术
- 名称: 存档收集的数据
- ID: T1560
- 参考 URL: https://attack.mitre.org/techniques/T1560/
-
子技术
- 名称: 通过实用程序存档
- ID: T1560.001
- 参考 URL: https://attack.mitre.org/techniques/T1560/001/