
[New/Tuning] TeamPCP Simulation - New & Tuned Rules#5812

Merged
Aegrah merged 14 commits into main from new-rules-and-tuning-d4c-team-pcp
Mar 9, 2026

Conversation

@Aegrah (Contributor) commented Mar 5, 2026

[New/Tuning] TeamPCP Simulation - New & Tuned Rules

Summary

This PR introduces 4 new detection rules and tunes 8 existing rules to improve detection coverage for cloud-native ransomware and container-based threats, based on the TeamPCP cloud-native ransomware simulation.


New Rules

| Rule Name | Severity | MITRE Tactics | Integration |
| --- | --- | --- | --- |
| Decoded Payload Piped to Interpreter Detected via Defend for Containers | High | Defense Evasion, Execution | Cloud Defend |
| File Creation, Execution, and Deletion Cradle Detected via Defend for Containers | High | Defense Evasion, Execution | Cloud Defend |
| Process Killing Detected via Defend for Containers | Low | Impact | Cloud Defend |
| Unusual Kubernetes Sensitive Workload Modification | Low | Privilege Escalation, Persistence | Kubernetes |

New Rule Details

1. Decoded Payload Piped to Interpreter Detected via Defend for Containers

  • File: rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml
  • Risk Score: 73 (High)
  • Description: Detects the execution of a base64 decoded payload piped to an interpreter inside a container. Attackers may use this technique to execute malicious code while attempting to evade detection.
  • MITRE: T1027 (Obfuscated Files or Information), T1140 (Deobfuscate/Decode Files or Information), T1059.004 (Unix Shell)

2. File Creation, Execution, and Deletion Cradle Detected via Defend for Containers

  • File: rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
  • Risk Score: 73 (High)
  • Description: Detects the creation, execution, and deletion of files inside a container, a common technique used by attackers to evade detection.
  • MITRE: T1070.004 (File Deletion), T1059.004 (Unix Shell), T1204.002 (Malicious File)

3. Process Killing Detected via Defend for Containers

  • File: rules/integrations/cloud_defend/impact_process_killing.toml
  • Risk Score: 21 (Low)
  • Description: Detects the killing of processes inside a container. An adversary may attempt to find and kill competing processes to gain control of the container.
  • MITRE: T1489 (Service Stop)

4. Unusual Kubernetes Sensitive Workload Modification

  • File: rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
  • Risk Score: 21 (Low)
  • Type: New Terms
  • Description: Detects the creation or modification of sensitive workloads (DaemonSets, Deployments, CronJobs) by an unusual user agent, source IP, and username, which may indicate privilege escalation or unauthorized access.
  • MITRE: T1098.006 (Additional Container Cluster Roles)

Tuned Rules

| Rule Name | Change Summary |
| --- | --- |
| Kubernetes API Activity by Unusual Utilities | Added package managers to exclusion list (apk, apt, yum, dnf, etc.) |
| Web Server Exploitation Detected via Defend for Containers | Major rewrite: Renamed, expanded parent process coverage, enhanced query patterns, raised severity to High |
| Potential Evasion via Encoded Payload | Added TeamPCP reference |
| Payload Downloaded and Piped to Shell | Improved sequence detection with broader interpreter coverage |
| Suspicious File Made Executable via chmod | Added process index, simplified query for better coverage |
| Suspicious Interactive Interpreter Command Execution | Added TeamPCP reference |
| Tool Installation Detected via Defend for Containers | Added TeamPCP reference |
| Suspicious Echo or Printf Execution | Added -cl argument variant |

Notable Tuning Changes

Web Server Exploitation Detected via Defend for Containers

This rule received a significant overhaul:

  • Renamed from "Web Server Child Shell Spawn Detected" to "Web Server Exploitation Detected"
  • Severity raised from Medium (47) to High (73)
  • Expanded parent process coverage to include:
    • Python frameworks: uvicorn, flask, django, hypercorn
    • Ruby frameworks: puma, rails, passenger
    • Perl: plackup
    • Node.js: server detection patterns
    • Java: Tomcat, Jetty, WildFly, WebLogic, WebSphere, GlassFish, Spring Boot, Quarkus, Micronaut, etc.
  • Enhanced suspicious pattern detection for:
    • Reverse shells (netcat, socat, /dev/tcp, /dev/udp)
    • Encoding/decoding operations
    • File access to sensitive paths
    • Path traversal attempts
    • Piped interpreter execution

Kubernetes API Activity by Unusual Utilities

Added common package managers to the exclusion list to reduce false positives:

  • apk, apt, apt-get, dnf, microdnf, yum, zypper, tdnf, pacman, rpm, dpkg

Statistics

| Metric | Count |
| --- | --- |
| New Rules | 4 |
| Modified Rules | 8 |
| Total Files Changed | 12 |
| Lines Added | ~638 |
| Lines Removed | ~49 |

Data Sources

  • Elastic Defend for Containers (logs-cloud_defend.process*, logs-cloud_defend.file*)
  • Kubernetes Audit Logs (logs-kubernetes.audit_logs-*)

References
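As an added example (not the PR's rules and not the detection-rules project's own code), the Python below emulates the logic of two of the new rules described in this post so it can be run over sample events offline: the create-then-execute-then-delete `sequence by` (container, file path) behind "File Creation, Execution, and Deletion Cradle", and the base64-decode-piped-to-interpreter command-line pattern behind "Decoded Payload Piped to Interpreter". The real rules are EQL in the TOML files listed above and are not reproduced here. Field names follow ECS as the logs-cloud_defend.* data source implies; the event values, the 5-minute sequence window, and the interpreter list are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample events shaped like ECS documents from logs-cloud_defend.*
# (field names are standard ECS; every value is invented for this example).
SAMPLE_EVENTS = [
    # Cradle: a downloaded file is created, executed, then removed within seconds.
    {"@timestamp": "2026-03-05T10:00:00Z", "container.id": "web-1", "event.category": "file",
     "event.action": "creation", "file.path": "/tmp/.cache", "process.name": "curl"},
    {"@timestamp": "2026-03-05T10:00:02Z", "container.id": "web-1", "event.category": "process",
     "event.action": "exec", "process.executable": "/tmp/.cache", "process.name": ".cache"},
    {"@timestamp": "2026-03-05T10:00:05Z", "container.id": "web-1", "event.category": "file",
     "event.action": "deletion", "file.path": "/tmp/.cache", "process.name": "rm"},
    # Benign: a package manager writes and removes a temp file but never executes it.
    {"@timestamp": "2026-03-05T10:01:00Z", "container.id": "build-7", "event.category": "file",
     "event.action": "creation", "file.path": "/var/cache/apk/tmp", "process.name": "apk"},
    {"@timestamp": "2026-03-05T10:01:03Z", "container.id": "build-7", "event.category": "file",
     "event.action": "deletion", "file.path": "/var/cache/apk/tmp", "process.name": "apk"},
    # All three steps, but the deletion lands far outside the sequence window.
    {"@timestamp": "2026-03-05T11:00:00Z", "container.id": "job-3", "event.category": "file",
     "event.action": "creation", "file.path": "/tmp/run.sh", "process.name": "sh"},
    {"@timestamp": "2026-03-05T11:00:01Z", "container.id": "job-3", "event.category": "process",
     "event.action": "exec", "process.executable": "/tmp/run.sh", "process.name": "run.sh"},
    {"@timestamp": "2026-03-05T11:30:00Z", "container.id": "job-3", "event.category": "file",
     "event.action": "deletion", "file.path": "/tmp/run.sh", "process.name": "rm"},
]


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _key(event):
    """The `sequence by` join key: the container plus the file path involved."""
    return (event["container.id"], event.get("file.path") or event.get("process.executable"))


# Ordered stage predicates; a sequence completes when all three match for one key.
STAGES = (
    lambda e: e["event.category"] == "file" and e["event.action"] == "creation",
    lambda e: e["event.category"] == "process" and e["event.action"] == "exec",
    lambda e: e["event.category"] == "file" and e["event.action"] == "deletion",
)


def detect_cradle(events, maxspan_seconds=300):
    """Return one (container.id, path) per create -> exec -> delete sequence that
    completes within maxspan_seconds. The window is an assumption of this example;
    the PR does not state the rule's maxspan."""
    pending = {}  # key -> (index of next stage to match, time the sequence started)
    hits = []
    for event in sorted(events, key=_ts):
        key, now = _key(event), _ts(event)
        stage, started = pending.get(key, (0, None))
        if started is not None and (now - started).total_seconds() > maxspan_seconds:
            pending.pop(key)  # window expired: discard the partial sequence
            stage, started = 0, None
        if not STAGES[stage](event):
            continue
        if stage == 0:
            started = now
        stage += 1
        if stage == len(STAGES):
            hits.append(key)
            pending.pop(key, None)
        else:
            pending[key] = (stage, started)
    return hits


# Interpreters treated as sinks for a decoded payload. This list is an assumption
# for the example; the rule's own list lives in its TOML file.
INTERPRETERS = r"(?:sh|bash|dash|zsh|python[0-9.]*|perl|ruby|node|php)"
DECODE_PIPE = re.compile(
    r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:/\S*/)?" + INTERPRETERS + r"(?:\s|$)"
)


def is_decoded_payload_piped(command_line):
    """True when a command line base64-decodes data and pipes the result straight
    into an interpreter (the pattern the decoded-payload rule describes)."""
    return DECODE_PIPE.search(command_line) is not None


if __name__ == "__main__":
    print("cradle hits:", detect_cradle(SAMPLE_EVENTS))
    for cmd in ("echo aGVsbG8= | base64 -d | sh", "base64 -d /tmp/x > out.bin"):
        print(f"{cmd!r}: {is_decoded_payload_piped(cmd)}")
```

Two design points carry over to the EQL rules: the join key must include the file path (so a package manager's create/delete churn in one container cannot combine with an unrelated exec), and the window bounds how long a partial sequence stays in memory, which is why the job-3 events above only match when the window is widened.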

@Aegrah Aegrah self-assigned this Mar 5, 2026
tradebot-elastic commented Mar 5, 2026

⛔️ Test failed

Results
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation, Execution, and Deletion Cradle Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Exploitation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tool Installation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Killing Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah Aegrah added labels Rule: New, Rule: Tuning, Integration: Kubernetes, Integration: Cloud Defend, Team: TRADE, Domain: Cloud on Mar 5, 2026

github-actions bot (Contributor) commented Mar 5, 2026

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date the creation PR was initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

Refactor process event conditions for clarity.
tradebot-elastic commented Mar 6, 2026

⛔️ Test failed

Results
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation, Execution, and Deletion Cradle Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Exploitation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tool Installation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Killing Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

tradebot-elastic commented Mar 9, 2026

⛔️ Test failed

Results
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation, Execution, and Deletion Cradle Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Exploitation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tool Installation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Killing Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

…execution_deletion_cradle.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
tradebot-elastic commented Mar 9, 2026

⛔️ Test failed

Results
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Creation, Execution, and Deletion Sequence Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Exploitation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tool Installation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Killing Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r (Contributor) left a review comment
🔥

tradebot-elastic commented Mar 9, 2026

⛔️ Test failed

Results
  • ❌ Direct Interactive Kubernetes API Request by Unusual Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Decoded Payload Piped to Interpreter Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Encoded Payload Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Web Server Exploitation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tool Installation Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kubernetes Sensitive Workload Modification (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Killing Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Payload Execution via Shell Pipe Detected by Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Interpreter Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Echo or Printf Execution Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Execution Permission Modification Detected via Defend for Containers (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah Aegrah merged commit 39cdb38 into main Mar 9, 2026
14 checks passed
@Aegrah Aegrah deleted the new-rules-and-tuning-d4c-team-pcp branch March 9, 2026 16:03
Labels

backport: auto, Domain: Cloud, Integration: Cloud Defend, Integration: Kubernetes, Rule: New, Rule: Tuning, Team: TRADE
