Vendor

Docker

4 briefs RSS

Kerberos Traffic from Unusual Process

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Elastic Defend +22 kerberoasting credential-access lateral-movement windows

2r 2t Jan 3, 2024

medium advisory

Unusual Process Connecting to Docker or Containerd Socket

2 rules 3 TTPs

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

Auditbeat +4 container privilege-escalation lateral-movement linux

2r 3t Jan 3, 2024

high advisory

Suspicious Process Accessing Sensitive Identity Files via Auditd

3 rules 2 TTPs

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

Elastic Agent Auditd Manager +4 credential-access linux auditd

3r 2t Jan 3, 2024

low advisory

Ingress Transfer via Windows BITS

2 rules 2 TTPs

Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and control.

Background Intelligent Transfer Service +2 bits ingress-transfer command-and-control defense-evasion windows

2r 2t Jan 3, 2024