Chroot Execution Detected via Defend for Containers
This rule detects when chroot is executed inside a container. Chroot is a Linux utility that allows a user to run a command with a different root directory. This can be used to escape a container and gain access to the host system.
Elastic rule
```toml
[metadata]
creation_date = "2026/03/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/26"

[rule]
author = ["Elastic"]
description = """
This rule detects when chroot is executed inside a container. Chroot is a Linux utility that allows a user to
run a command in a different directory. This can be used to escape a container and gain access to the host system.
"""
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Chroot Execution Detected via Defend for Containers"
references = [
    "https://some-natalie.dev/container-escapes-chroot/",
]
risk_score = 21
rule_id = "47661529-15ed-4848-93da-9fbded7a3a0e"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  process.name == "chroot" or
  (
    /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
    process.args in (
      "chroot", "/bin/chroot", "/usr/bin/chroot", "/usr/local/bin/chroot"
    ) and
    /* default exclusion list to not FP on default multi-process commands */
    not process.args in (
      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )
) and container.id like "?*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
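To make the query's match and no-match boundaries concrete, the following Python is an added example (not part of the Elastic rule or its repository) that models the EQL predicate above and runs it over constructed sample process-exec events. The flat-dict event shape keyed by ECS field name, the `_event` helper, the container id and every sample value are assumptions made for this example.

```python
# Added example: a pure-Python model of the rule's EQL predicate, evaluated
# over constructed sample events. The event shape (flat dict keyed by ECS field
# name) and all sample values are assumptions, not data from the rule.

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
CHROOT_ARGS = {"chroot", "/bin/chroot", "/usr/bin/chroot", "/usr/local/bin/chroot"}
# The rule's default exclusion list: multi-process commands that take a utility
# name as an argument (e.g. `which chroot`) and would otherwise match.
EXCLUDED_ARGS = {
    prefix + util
    for util in ("which", "man", "chmod", "chown")
    for prefix in ("", "/bin/", "/usr/bin/", "/usr/local/bin/")
}


def matches_rule(event: dict) -> bool:
    """Return True when `event` satisfies the rule's EQL query.

    EQL semantics mirrored here: `process.args in (...)` is true when ANY array
    element equals a listed value, `not process.args in (...)` is true only when
    NO element does, and `container.id like "?*"` requires a non-empty id.
    """
    if event.get("event.category") != "process":          # `process where ...`
        return False
    if (event.get("host.os.type") != "linux"
            or event.get("event.type") != "start"
            or event.get("event.action") != "exec"):
        return False

    name = event.get("process.name")
    args = event.get("process.args") or []

    direct_exec = name == "chroot"
    via_wrapper = (
        name in SHELLS
        and any(a in CHROOT_ARGS for a in args)
        and not any(a in EXCLUDED_ARGS for a in args)
    )
    in_container = bool(event.get("container.id"))       # "?*": at least one char
    return (direct_exec or via_wrapper) and in_container


def _event(name, args, container_id="0ab1c2d3e4f5", **overrides) -> dict:
    """Build a constructed process-exec event carrying the fields the rule reads."""
    ev = {
        "event.category": "process",
        "event.type": "start",
        "event.action": "exec",
        "host.os.type": "linux",
        "process.name": name,
        "process.args": args,
    }
    if container_id is not None:
        ev["container.id"] = container_id
    ev.update(overrides)
    return ev


# Constructed samples, one per branch of the predicate.
SAMPLE_EVENTS = {
    # chroot binary executed directly inside a container -> match
    "direct chroot in container": _event("chroot", ["chroot", "/host", "/bin/bash"]),
    # busybox multi-call wrapper invoking its chroot applet -> match (wrapper branch)
    "busybox chroot applet": _event("busybox", ["busybox", "chroot", "/host", "sh"]),
    # `busybox which chroot` only locates the binary -> hit by the exclusion list
    "busybox which chroot": _event("busybox", ["busybox", "which", "chroot"]),
    # same command on the host, no container.id -> outside the rule's scope
    "chroot on host": _event("chroot", ["chroot", "/mnt", "sh"], container_id=None),
    # process end event rather than exec -> no match
    "chroot exit event": _event("chroot", ["chroot", "/host"], **{"event.type": "end"}),
    # `sh -c "chroot /host"`: the whole command is ONE arg, and "chroot /host"
    # is not equal to "chroot", so this event does not match; the chroot child
    # the shell then executes produces its own exec event, which the direct
    # branch (process.name == "chroot") catches
    "sh -c with quoted command": _event("sh", ["sh", "-c", "chroot /host"]),
}


def run_samples() -> dict:
    """Evaluate every sample event; returns {label: matched}."""
    return {label: matches_rule(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hit in run_samples().items():
        print(f"{'MATCH ' if hit else 'ignore'}  {label}")
```

Two of the samples are worth keeping in mind when tuning: the `which chroot` case is suppressed only because of the exclusion list, so any additional wrapper utilities that are routinely run with `chroot` as an argument in your environment belong in that list; and the quoted `sh -c` case shows why the wrapper branch is a complement to, not a replacement for, the direct `process.name == "chroot"` check.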
References
- https://some-natalie.dev/container-escapes-chroot/
Related rules
- Suspicious Echo or Printf Execution Detected via Defend for Containers
- Modification of Persistence Relevant Files Detected via Defend for Containers
- DebugFS Execution Detected via Defend for Containers
- Mount Execution Detected via Defend for Containers
- Potential notify_on_release Container Escape Detected via Defend for Containers