From 25ba979129b535d65480a35a03eb6c982d840d63 Mon Sep 17 00:00:00 2001
From: imays11 <59296946+imays11@users.noreply.github.com>
Date: Tue, 17 May 2022 15:00:11 -0400
Subject: [PATCH 01/12] Create execution_user_exec_to_pod.toml
---
 .../execution_user_exec_to_pod.toml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 rules/integrations/kubernetes/execution_user_exec_to_pod.toml
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
new file mode 100644
index 00000000000..b3b1e6814b4
--- /dev/null
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2022/05/17"
+maturity = "production"
+updated_date = "2022/05/17"
+integration = "kubernetes"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects a user attempt to exec into a pod or container. Execing into a pod allows a user to execute any process in the container which is not already running. A user may execute the bash process to gain an interactive shell which will allow access to any data the pod has permissions to, including secrets.
+"""
+false_positives = [
+ """
+ An administrator may need to exec into a pod for a legitimate reason.
+ """,
+]
+index = ["filebeat-*", "logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "User Exec into Pod"
+note = """## Config
+
+The Kubernetes Fleet integration with Audit Logs enabled, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
+"https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"]
+risk_score = 47
+rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset : "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource : "pods" and kubernetes.audit.objectRef.subresource :"exec"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration""
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002"
\ No newline at end of file
From 7e283e6cd5cbf3b3817238545b4b33cb1905cf87 Mon Sep 17 00:00:00 2001
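Review bot: The query introduced at `query = '''` matches every audit event whose objectRef is pods/exec, so it does not distinguish the request verb, the audit stage, or whether the API server actually authorized the exec; one `kubectl exec` is typically recorded at more than one stage and a denied attempt looks identical to a successful one, which inflates alert volume and drops the signal that matters most for triage. The same shape is kept by the reformatted query hunk in patch 07. If the integration exposes them (it appears to, given the `kubernetes.audit.*` naming), restricting to the create verb and carrying the authorization decision into the alert would be the first refinements: `event.dataset:"kubernetes.audit_logs" and kubernetes.audit.verb:"create"` followed by the existing resource and subresource terms, with `kubernetes.audit.annotations.authorization_k8s_io/decision` surfaced or filtered as a second step. Any field added to the query presumably also has to be declared in `detection_rules/etc/non-ecs-schema.json`, which patch 04 currently lists only the two objectRef fields for.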
From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 17 May 2022 15:09:02 -0400 Subject: [PATCH 02/12] Update execution_user_exec_to_pod.toml --- rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index b3b1e6814b4..f9908f40d8d 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -39,11 +39,11 @@ event.dataset : "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1609" -name = "Container Administration"" +name = "Container Administration" reference = "https://attack.mitre.org/techniques/T1609/" [rule.threat.tactic] id = "TA0002" name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0002" From 2d13fadba1e410fd2418296faf0747ff0191c1df Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 17 May 2022 16:10:41 -0300 Subject: [PATCH 03/12] Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml --- rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index f9908f40d8d..3778ea9dad8 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -46,4 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1609/" [rule.threat.tactic] id = "TA0002" name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" 
From b44f6a810936d788d0ebd5724e56026a6f8b03da Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 17 May 2022 16:14:27 -0300 Subject: [PATCH 04/12] Update non-ecs-schema.json --- detection_rules/etc/non-ecs-schema.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 447f3634c9b..d6f47d23bc1 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -56,5 +56,9 @@ }, "logs-windows.*": { "powershell.file.script_block_text": "text" + }, + "logs-kubernetes.*": { + "kubernetes.audit.objectRef.resource": "keyword", + "kubernetes.audit.objectRef.subresource": "keyword" } } From a375e6b1e3c94d078205e4b548132c32701a0104 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Tue, 17 May 2022 16:17:07 -0300 Subject: [PATCH 05/12] Update execution_user_exec_to_pod.toml --- rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index 3778ea9dad8..4c2fb5c6e2a 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -39,7 +39,7 @@ event.dataset : "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1609" -name = "Container Administration" +name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" From f88dcfe0854add27adfe3ca6816e07d4224c1214 Mon Sep 17 00:00:00 2001 
From: Isai <59296946+imays11@users.noreply.github.com> Date: Wed, 18 May 2022 11:13:58 -0400 Subject: [PATCH 06/12] Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index 4c2fb5c6e2a..a824dc0bea4 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -7,7 +7,7 @@ integration = "kubernetes" [rule] author = ["Elastic"] description = """ -This rule detects a user attempt to exec into a pod or container. Execing into a pod allows a user to execute any process in the container which is not already running. A user may execute the bash process to gain an interactive shell which will allow access to any data the pod has permissions to, including secrets. +This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets. """ false_positives = [ """ From ab0c75affde4b2764bd6d953753025d428337962 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Wed, 25 May 2022 11:17:28 -0400 Subject: [PATCH 07/12] Update execution_user_exec_to_pod.toml --- .../kubernetes/execution_user_exec_to_pod.toml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
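Review bot: The rewritten description at `description = """` says exec "allows a user to establish a temporary shell session" and in the next sentence that an adversary gains "a persistent interactive shell"; the two claims contradict each other, and an exec session is torn down when the client disconnects, so "persistent" overstates what the rule observes. Suggest `An adversary may call bash to gain an interactive shell which will allow access to any data the pod has permissions to, including secrets.` and, if the persistence angle is wanted, state that what persists is the access the pod's service account grants rather than the session itself.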
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index a824dc0bea4..ad148819fd0 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -14,13 +14,13 @@ false_positives = [ An administrator may need to exec into a pod for a legitimate reason. """, ] -index = ["filebeat-*", "logs-kubernetes.*"] +index = ["logs-kubernetes.*"] language = "kuery" license = "Elastic License v2" -name = "User Exec into Pod" +name = "Kubernetes User Exec into Pod" note = """## Config -The Kubernetes Fleet integration with Audit Logs enabled, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.""" references = ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"] risk_score = 47 @@ -31,7 +31,9 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset : "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource : "pods" and kubernetes.audit.objectRef.subresource :"exec" +event.dataset:"kubernetes.audit_logs" + and kubernetes.audit.objectRef.resource:"pods" + and kubernetes.audit.objectRef.subresource:"exec" ''' From 677eedce480f21220df1c8bd1e338de87db2134d Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Wed, 25 May 2022 11:21:00 -0400 Subject: [PATCH 08/12] Update execution_user_exec_to_pod.toml --- .../kubernetes/execution_user_exec_to_pod.toml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index ad148819fd0..0002b22de65 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -36,16 +36,16 @@ event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.subresource:"exec" ''' - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + From 0688997458f4f4c7146afadb32bc5560fc6217ad Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Fri, 3 Jun 2022 13:06:45 -0400 Subject: [PATCH 09/12] Update execution_user_exec_to_pod.toml --- .../kubernetes/execution_user_exec_to_pod.toml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index 0002b22de65..f8236bf5030 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml 
@@ -11,7 +11,12 @@ This rule detects a user attempt to establish a shell session into a pod using t """ false_positives = [ """ - An administrator may need to exec into a pod for a legitimate reason. + An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. + For example, the following command can be used to look at logs from a running Cassandra pod: + kubectl exec cassandra --cat /var/log/cassandra/system.log + + They might also run a shell connected to their terminal by using the -i and -t arguments. + For example, kubectl exec -i -t cassandra -- sh """, ] index = ["logs-kubernetes.*"] From 767d859121be6d96ab3b82655563269fef98cfdb Mon Sep 17 00:00:00 2001 From: imays11 <59296946+imays11@users.noreply.github.com> Date: Fri, 3 Jun 2022 15:49:12 -0400 Subject: [PATCH 10/12] toml-linted file and add to false positive toml-linted the file and added to the false positive description --- rta/bin/notepad.sct | 12 ------ .../execution_user_exec_to_pod.toml | 38 +++++++++++-------- 2 files changed, 22 insertions(+), 28 deletions(-) delete mode 100644 rta/bin/notepad.sct diff --git a/rta/bin/notepad.sct b/rta/bin/notepad.sct deleted file mode 100644 index 649414204dd..00000000000 --- a/rta/bin/notepad.sct +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index f8236bf5030..2cd1fce1a83 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml 
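Review bot: The first example in the new false_positives text, `kubectl exec cassandra --cat /var/log/cassandra/system.log`, is missing the space after the argument separator, so kubectl would treat `--cat` as an unknown flag rather than run `cat` in the container; it should read `kubectl exec cassandra -- cat /var/log/cassandra/system.log` (the `--` alone ends kubectl's own flags, as the `${CMD}` template two lines earlier shows correctly). The reflowed copy of this paragraph in patch 10 carries the same `--cat` through, so both need the fix. A rule tuner who pastes the example as written gets an error rather than the legitimate activity the text is trying to describe, which undercuts the purpose of the false-positive note.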
@@ -1,22 +1,25 @@ [metadata] creation_date = "2022/05/17" -maturity = "production" -updated_date = "2022/05/17" integration = "kubernetes" +maturity = "production" +updated_date = "2022/06/03" [rule] author = ["Elastic"] description = """ -This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets. +This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' +command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An +adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has +permissions to, including secrets. """ false_positives = [ """ - An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. - For example, the following command can be used to look at logs from a running Cassandra pod: - kubectl exec cassandra --cat /var/log/cassandra/system.log - - They might also run a shell connected to their terminal by using the -i and -t arguments. - For example, kubectl exec -i -t cassandra -- sh + An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from + Linux and Windows OS images, tend to include debugging utilities. 
In this case, an admin may choose to run commands + inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... + ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec + cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell + connected to the terminal: kubectl exec -i -t cassandra -- sh """, ] index = ["logs-kubernetes.*"] @@ -26,8 +29,10 @@ name = "Kubernetes User Exec into Pod" note = """## Config The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.""" -references = ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", -"https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"] +references = [ + "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", + "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/", +] risk_score = 47 rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce" severity = "medium" @@ -41,16 +46,17 @@ event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.subresource:"exec" ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" - From 8d65b00ee9a2982143cdc520d59f6c782f51d4b6 Mon Sep 17 00:00:00 2001 
From: imays11 <59296946+imays11@users.noreply.github.com> Date: Fri, 3 Jun 2022 19:37:08 -0400 Subject: [PATCH 11/12] Create notepad.sct Added this back into the repo, deleted by mistake. --- rta/bin/notepad.sct | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 rta/bin/notepad.sct diff --git a/rta/bin/notepad.sct b/rta/bin/notepad.sct new file mode 100644 index 00000000000..649414204dd --- /dev/null +++ b/rta/bin/notepad.sct @@ -0,0 +1,12 @@ + + + + + + From 59a94f604b08fd17ee15847f04bb38504c8f693c Mon Sep 17 00:00:00 2001 From: imays11 <59296946+imays11@users.noreply.github.com> Date: Thu, 9 Jun 2022 17:47:51 -0400 Subject: [PATCH 12/12] added min_stack_version based on integration min stack version determined by integration support of necessary fields --- rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml index 2cd1fce1a83..00e3af368ce 100644 --- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml @@ -2,7 +2,9 @@ creation_date = "2022/05/17" integration = "kubernetes" maturity = "production" -updated_date = "2022/06/03" +min_stack_comments = "Necessary audit log fields not available prior to 8.2" +min_stack_version = "8.2" +updated_date = "2022/06/09" [rule] author = ["Elastic"]