Product

Elastic Defend for Containers

3 briefs RSS

Suspicious Web Server Child Process Execution via Elastic Defend for Containers

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts within a containerized environment, potentially indicating the uploading of a web shell to maintain system access, and covers persistence, execution, and command and control tactics.

Elastic Defend for Containers Data Source: Elastic Defend for Containers Domain: Container OS: Linux Use Case: Threat Detection Tactic: Persistence Tactic: Execution Tactic: Command and Control Resources: Investigation Guide

2r 3t 2w ago

medium advisory

Suspicious Container Runtime CLI Execution

3 rules 2 TTPs

The rule detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to container escape and privilege escalation.

Elastic Defend for Containers container execution privilege_escalation linux

3r 2t Jan 3, 2024

medium advisory

Suspicious Unshare Usage for Container Escape and Privilege Escalation

2 rules 2 TTPs

The rule identifies suspicious usage of unshare to manipulate system namespaces, which can be utilized to escalate privileges or escape container security boundaries.

Elastic Defend for Containers privilege-escalation container-escape linux

2r 2t Jan 2, 2024