DebugFS Execution Detected via Defend for Containers
This rule detects the use of the built-in Linux DebugFS utility (the debugfs binary from e2fsprogs) from inside a privileged container. DebugFS is an ext2/ext3/ext4 file system debugger that reads and writes the block device directly, so it bypasses the permission checks of the mounted file system. A privileged container runs with every Linux capability and can open the host's device nodes; an attacker who points debugfs at a host disk such as /dev/sda1 can therefore read or modify sensitive host-level files (for example /etc/shadow) and use that access for further privilege escalation or a container escape to the host machine.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.
"""
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "DebugFS Execution Detected via Defend for Containers"
note = """## Setup

## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating DebugFS Execution Detected via Defend for Containers

DebugFS is a Linux utility for direct file system manipulation, often used for debugging. In a privileged container, which has extensive access to the host, adversaries can exploit DebugFS to access sensitive host files, potentially leading to privilege escalation or container escape. The detection rule identifies suspicious DebugFS usage by monitoring process initiation with specific arguments in privileged containers, flagging potential misuse.

### Possible investigation steps

- Review the alert details to confirm the process name is "debugfs" and check the specific arguments used, particularly looking for "/dev/sd*" to identify potential access to host file systems.
- Verify the container's security context to ensure it is indeed privileged, as this increases the risk of host-level access.
- Investigate the origin of the container image and deployment configuration to determine if the use of a privileged container was intentional or necessary.
- Check the user or service account that initiated the process to assess if it aligns with expected behavior or if it indicates potential unauthorized access.
- Examine recent logs and events from the container and host to identify any unusual activities or patterns that coincide with the alert.
- Assess the potential impact by identifying any sensitive files or directories that may have been accessed or modified by the debugfs process.

### False positive analysis

- Routine maintenance tasks using DebugFS in privileged containers can trigger alerts. To manage this, identify and document regular maintenance processes and create exceptions for these specific processes.
- Automated scripts or tools that utilize DebugFS for legitimate monitoring or debugging purposes may cause false positives. Review these scripts and whitelist them by excluding their specific process arguments or execution contexts.
- Development and testing environments often run privileged containers with DebugFS for debugging purposes. Establish a separate set of rules or exceptions for these environments to prevent unnecessary alerts.
- Backup or recovery operations that involve direct disk access might use DebugFS. Ensure these operations are well-documented and create exceptions based on their unique process signatures or execution schedules.

### Response and remediation

- Immediately isolate the affected container to prevent further access to sensitive host files. This can be done by stopping the container or removing its network access.
- Conduct a thorough review of the container's security context and capabilities to ensure it does not have unnecessary privileges. Adjust the container's configuration to remove privileged access if not required.
- Analyze the container's logs and process history to identify any unauthorized access or actions taken by the DebugFS utility. This will help determine the extent of the potential breach.
- If unauthorized access to host files is confirmed, perform a security assessment of the host system to identify any changes or breaches. This may include checking for new user accounts, modified files, or unexpected network connections.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. Provide them with all relevant logs and findings.
- Implement additional monitoring and alerting for similar activities across other containers and hosts to detect any recurrence of this threat.
- Review and update container deployment policies to enforce the principle of least privilege, ensuring containers only have the necessary permissions to perform their intended functions."""
references = [
  "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
  "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
]
risk_score = 47
rule_id = "97697a52-4a76-4f0a-aa4f-25c178aae6eb"
severity = "medium"
tags = [
  "Data Source: Elastic Defend for Containers",
  "Domain: Container",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  process.name == "debugfs" or
  (
    /* account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg */
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
    process.args in (
      "debugfs", "/bin/debugfs", "/usr/bin/debugfs", "/usr/local/bin/debugfs"
    ) and
    /* default exclusion list to not FP on default multi-process commands */
    not process.args in (
      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )
) and
process.args like "/dev/sd*" and not process.args == "-R" and
container.security_context.privileged == true and process.interactive == true and container.id like "*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating DebugFS Execution Detected via Defend for Containers
DebugFS (debugfs, from e2fsprogs) is the ext2/ext3/ext4 file system debugger. Given a block device it parses the on-disk structures itself, so it can list, dump and write files without going through the kernel's mounted-file-system permission checks. A privileged container has every capability and can open the host's device nodes, so an adversary who runs debugfs against a host disk can read or alter sensitive host files, which can lead to privilege escalation or a container escape. The rule fires on an exec event, in a container whose security context is privileged, of either the debugfs binary itself or one of the shells listed in the query with debugfs among its arguments, where some argument matches /dev/sd*, the process is interactive, and the -R (one-shot request) argument is absent. Two consequences of that predicate matter when tuning it: the device glob only covers sd* names, so a host disk exposed as /dev/nvme0n1p1, /dev/vda or /dev/xvda does not match, and a non-interactive one-shot invocation such as debugfs -R 'cat /etc/shadow' /dev/sda1 is excluded by the -R condition.
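The query's predicate, re-implemented in Python and run over constructed process events, as an added example that is not part of the rule or of Elastic's code. The events, container id and device names are made up; the point is to see which scenarios the conditions admit and which they exclude.

```python
"""Re-implementation of the rule's EQL predicate, evaluated over synthetic events.
Added example; not Elastic code. Every event below is constructed."""

from fnmatch import fnmatchcase

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox"}
DEBUGFS_PATHS = {"debugfs", "/bin/debugfs", "/usr/bin/debugfs", "/usr/local/bin/debugfs"}
# Default exclusions from the query: if a shell's args also carry one of these,
# the wrapper branch does not match.
EXCLUDED = {
    p
    for base in ("which", "man", "chmod", "chown")
    for p in (base, f"/bin/{base}", f"/usr/bin/{base}", f"/usr/local/bin/{base}")
}


def matches(event: dict) -> bool:
    """True if the event satisfies every condition of the rule's query.

    EQL compares array fields element-wise: `process.args like "/dev/sd*"` is
    true when any argument matches, and `not process.args == "-R"` is false
    when any argument is exactly "-R".
    """
    proc = event.get("process", {})
    container = event.get("container", {})
    args = proc.get("args", [])

    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    ev = event.get("event", {})
    if ev.get("type") != "start" or ev.get("action") != "exec":
        return False

    direct = proc.get("name") == "debugfs"
    wrapped = (
        proc.get("name") in SHELLS
        and any(a in DEBUGFS_PATHS for a in args)
        and not any(a in EXCLUDED for a in args)
    )
    if not (direct or wrapped):
        return False

    # Device filter: only sd* names; nvme*, vd* and xvd* never match.
    if not any(fnmatchcase(a, "/dev/sd*") for a in args):
        return False
    # The one-shot "request" form is excluded by the rule.
    if "-R" in args:
        return False
    if container.get("security_context", {}).get("privileged") is not True:
        return False
    if proc.get("interactive") is not True:
        return False
    # container.id like "*": the field must be present.
    return bool(container.get("id"))


def make_event(name, args, privileged=True, interactive=True, container_id="3f9c1e2b8a4d"):
    """Build a minimal cloud_defend-style process event (synthetic, hypothetical id)."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "process": {"name": name, "args": args, "interactive": interactive},
        "container": {"id": container_id, "security_context": {"privileged": privileged}},
    }


# Constructed scenarios: label -> (event, expected verdict)
SCENARIOS = {
    "interactive debugfs on host disk": (make_event("debugfs", ["debugfs", "/dev/sda1"]), True),
    "shell wrapper with debugfs in args": (make_event("sh", ["sh", "/usr/bin/debugfs", "/dev/sdb1"]), True),
    "wrapper args include 'which' (excluded)": (make_event("bash", ["bash", "which", "debugfs", "/dev/sda1"]), False),
    "one-shot -R request (excluded)": (make_event("debugfs", ["debugfs", "-R", "cat /etc/shadow", "/dev/sda1"]), False),
    "NVMe device name (outside /dev/sd*)": (make_event("debugfs", ["debugfs", "/dev/nvme0n1p1"]), False),
    "non-interactive session": (make_event("debugfs", ["debugfs", "/dev/sda1"], interactive=False), False),
    "unprivileged container": (make_event("debugfs", ["debugfs", "/dev/sda1"], privileged=False), False),
}


def evaluate() -> dict:
    """Run every scenario; returns {label: verdict}."""
    return {label: matches(ev) for label, (ev, _) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (ev, expected) in SCENARIOS.items():
        verdict = matches(ev)
        print(f"{'ALERT' if verdict else 'no   '}  {label}  (expected {expected})")
```

The excluded scenarios are the ones to keep in mind when tuning: the rule is keyed to an interactive debugfs session on an sd* device, so coverage for NVMe or virtio disks, or for a one-shot -R invocation, has to come from a widened device glob or a companion rule rather than an exception here.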
Possible investigation steps
- Review the alert details to confirm which branch of the query matched: either process.name is "debugfs", or it is one of the listed shells with debugfs in process.args. Record the full argument list, in particular the "/dev/sd*" argument, and check against the host's lsblk output whether that device is a host disk or partition.
- Verify the container's security context is privileged (container.security_context.privileged in the event; on the host, docker inspect --format '{{.HostConfig.Privileged}}' <container-id>, or for a Kubernetes pod, kubectl get pod <pod> -n <namespace> -o jsonpath='{.spec.containers[*].securityContext.privileged}'), as privileged mode is what gives the process access to host device nodes.
- Investigate the origin of the container image and deployment configuration to determine if the use of a privileged container was intentional or necessary.
- Check the user or service account that initiated the process to assess if it aligns with expected behavior or if it indicates potential unauthorized access.
- Examine recent logs and events from the container and host to identify any unusual activities or patterns that coincide with the alert.
- Assess the potential impact by identifying any sensitive files or directories that may have been accessed or modified by the debugfs process. Because debugfs reads and writes the block device rather than going through the mounted file system, host-side file auditing (auditd path watches, atime) will not record what it read; rely on the captured process arguments and session activity, and treat credentials and keys stored on that disk as potentially exposed.
False positive analysis
- Routine maintenance tasks using DebugFS in privileged containers can trigger alerts. To manage this, identify and document regular maintenance processes and create exceptions for these specific processes.
- Automated scripts or tools that utilize DebugFS for legitimate monitoring or debugging purposes may cause false positives. Review these scripts and whitelist them by excluding their specific process arguments or execution contexts.
- Development and testing environments often run privileged containers with DebugFS for debugging purposes. Establish a separate set of rules or exceptions for these environments to prevent unnecessary alerts.
- Backup or recovery operations that involve direct disk access might use DebugFS. Ensure these operations are well-documented and create exceptions based on their unique process signatures or execution schedules.
Response and remediation
- Immediately isolate the affected container to prevent further access to sensitive host files. This can be done by stopping the container or removing its network access.
- Conduct a thorough review of the container's security context and capabilities to ensure it does not have unnecessary privileges. Adjust the container's configuration to remove privileged access if not required.
- Analyze the container's logs and process history to identify any unauthorized access or actions taken by the DebugFS utility. This will help determine the extent of the potential breach.
- If unauthorized access to host files is confirmed, perform a security assessment of the host system to identify any changes or breaches. This may include checking for new user accounts, modified files, or unexpected network connections.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. Provide them with all relevant logs and findings.
- Implement additional monitoring and alerting for similar activities across other containers and hosts to detect any recurrence of this threat.
- Review and update container deployment policies to enforce the principle of least privilege, ensuring containers only have the necessary permissions to perform their intended functions.
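A manifest check for the remediation steps above, written as an added example rather than taken from the rule or from Elastic: a constructed weak pod spec beside a hardened one, and an audit function that reports the settings that make the debugfs technique possible. The pod name and image name are placeholders.

```python
"""Audit Kubernetes pod manifests for privileged containers and host device exposure.
Added example, not Elastic code; both manifests are constructed."""

# Constructed weak manifest: the kind of deployment in which this rule fires.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "disk-tool"},
    "spec": {
        "containers": [{
            "name": "tool",
            "image": "example.invalid/e2fsprogs:1.47",  # placeholder image name
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host-dev", "mountPath": "/dev"}],
        }],
        "volumes": [{"name": "host-dev", "hostPath": {"path": "/dev"}}],
    },
}

# The same workload with least privilege applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "disk-tool"},
    "spec": {
        "containers": [{
            "name": "tool",
            "image": "example.invalid/e2fsprogs:1.47",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit(pod: dict) -> list:
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged=true (all capabilities, host device nodes accessible)")
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & {"ALL", "SYS_ADMIN"}:
            findings.append(f"{name}: adds capabilities {sorted(added)}")
        # Kubernetes defaults this to true unless explicitly set to false.
        if sc.get("allowPrivilegeEscalation", True) is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    for v in spec.get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if path is not None and (path == "/" or path == "/dev" or path.startswith("/dev/")):
            findings.append(f"volume {v.get('name')}: hostPath {path} exposes host device nodes to the pod")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {audit(pod) or 'no findings'}")
```

On WEAK_POD the audit reports the privileged flag, the unset allowPrivilegeEscalation and the hostPath mount of /dev; HARDENED_POD produces no findings. A check of this kind belongs in CI or an admission policy so that a privileged deployment is rejected before the rule ever has to fire.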
References
- https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged
Related rules
- Mount Execution Detected via Defend for Containers
- Potential notify_on_release Container Escape Detected via Defend for Containers
- Potential release_agent Container Escape Detected via Defend for Containers
- Cloud Credential Search Detected via Defend for Containers
- Container Management Utility Execution Detected via Defend for Containers