File System Debugger Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine.


 1[metadata]
 2creation_date = "2023/10/26"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5updated_date = "2024/07/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
11file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
12a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
13sensitive host level files which could be used for further privilege escalation and container escapes to the host
14machine.
15"""
16from = "now-6m"
17index = ["logs-cloud_defend*"]
18interval = "5m"
19language = "eql"
20license = "Elastic License v2"
21name = "File System Debugger Launched Inside a Privileged Container"
22references = [
23    "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
24    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
25]
26risk_score = 47
27rule_id = "97697a52-4a76-4f0a-aa4f-25c178aae6eb"
28severity = "medium"
29tags = [
30    "Data Source: Elastic Defend for Containers",
31    "Domain: Container",
32    "OS: Linux",
33    "Use Case: Threat Detection",
34    "Tactic: Privilege Escalation",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where event.module == "cloud_defend" and     
41  event.type == "start" and process.name == "debugfs" and 
42  process.args : "/dev/sd*" and not process.args == "-R" and
43  container.security_context.privileged == true
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1611"
51name = "Escape to Host"
52reference = "https://attack.mitre.org/techniques/T1611/"
53
54
55[rule.threat.tactic]
56id = "TA0004"
57name = "Privilege Escalation"
58reference = "https://attack.mitre.org/tactics/TA0004/"
