Created
March 23, 2020 18:22
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
  output: >
    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution]