File System Debugger Launched Inside a Privileged Container
This rule detects the use of the Linux debugfs utility (the ext2/ext3/ext4 file system debugger shipped with e2fsprogs) from inside a privileged container. debugfs reads and writes a block device directly, bypassing the mounted file system and the permission checks that normally apply to its files. A privileged container runs with all of the host's capabilities and with the host's devices exposed under /dev, so an attacker who launches debugfs against a host disk from inside it can read and modify sensitive host files, which can be used for further privilege escalation and for escaping from the container to the host machine.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New field added to ecs : container.security_context.privileged"
min_stack_version = "8.10.0"
updated_date = "2024/01/05"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.
"""
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "File System Debugger Launched Inside a Privileged Container"
references = [
    "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
]
risk_score = 47
rule_id = "97697a52-4a76-4f0a-aa4f-25c178aae6eb"
severity = "medium"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.module == "cloud_defend" and
  event.type == "start" and process.name == "debugfs" and
  process.args : "/dev/sd*" and not process.args == "-R" and
  container.security_context.privileged == true
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
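The following is an added example, not Elastic's code or part of the rule: the query above re-implemented clause by clause in Python and run over a handful of constructed cloud_defend-style process events, so that it is visible which debugfs launches the predicate does and does not flag. The event shape (flattened ECS field names), the sample values and the helper names (`_event`, `matches_rule`, `alerting_containers`) are all illustrative; the operator behaviour follows EQL's documented semantics (`:` is a case-insensitive wildcard match, and a comparison against an array-valued field is true when any element matches).

```python
# Added example (not Elastic's code): the rule's EQL predicate re-implemented in
# Python and run over constructed cloud_defend-style process events.
import fnmatch
from typing import Any, Dict, Iterable, List


def _as_list(value: Any) -> List[Any]:
    """ECS keyword fields may be a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def eql_wildcard(value: Any, pattern: str) -> bool:
    """EQL ':' on a keyword field: case-insensitive match with * wildcards,
    true if any element of an array-valued field matches."""
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower())
               for v in _as_list(value))


def eql_equals(value: Any, literal: Any) -> bool:
    """EQL '==' on a possibly array-valued field: true if any element equals the literal."""
    return any(v == literal for v in _as_list(value))


def matches_rule(event: Dict[str, Any]) -> bool:
    """Python rendering of the rule's query, one clause per line."""
    return (
        eql_equals(event.get("event.category"), "process")          # 'process where'
        and eql_equals(event.get("event.module"), "cloud_defend")
        and eql_equals(event.get("event.type"), "start")
        and eql_equals(event.get("process.name"), "debugfs")
        and eql_wildcard(event.get("process.args"), "/dev/sd*")
        and not eql_equals(event.get("process.args"), "-R")
        and event.get("container.security_context.privileged") is True
    )


def alerting_containers(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the container.id of every event the rule would alert on."""
    return [e["container.id"] for e in events if matches_rule(e)]


def _event(container_id: str, name: str, args: List[str], privileged: bool) -> Dict[str, Any]:
    """Build a constructed, flattened ECS-style process start event (hypothetical shape)."""
    return {
        "event.category": ["process"],
        "event.module": "cloud_defend",
        "event.type": ["start"],
        "process.name": name,
        "process.args": args,
        "container.id": container_id,
        "container.security_context.privileged": privileged,
    }


# Constructed sample telemetry, not captured from a real cluster.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # privileged container, debugfs pointed at a host disk partition: alerts
    _event("c1", "debugfs", ["debugfs", "/dev/sda1"], True),
    # one-shot request form; carved out by the query's 'not process.args == "-R"'
    _event("c2", "debugfs", ["debugfs", "-R", "ls -l /", "/dev/sda1"], True),
    # same command, but the container is not privileged: no match
    _event("c3", "debugfs", ["debugfs", "/dev/sda1"], False),
    # device name outside the /dev/sd* glob: no match
    _event("c4", "debugfs", ["debugfs", "/dev/nvme0n1p1"], True),
    # ':' is case-insensitive, so an upper-cased path still matches: alerts
    _event("c5", "debugfs", ["debugfs", "/DEV/SDB"], True),
    # a different binary; this is the territory of the related mount rule
    _event("c6", "mount", ["mount", "/dev/sda1", "/mnt"], True),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["container.id"], "ALERT" if matches_rule(event) else "no match")
```

Running it reports alerts for c1 and c5 only. Two properties of the query, as written, show up directly in the sample: an invocation that passes `-R` anywhere in its arguments is excluded, and only device paths under `/dev/sd*` are considered, so hosts whose disks appear as NVMe or virtio devices need the pattern broadened before this rule covers them.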
References
- https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged
Related rules
- Mount Launched Inside a Privileged Container
- Potential Container Escape via Modified notify_on_release File
- Potential Container Escape via Modified release_agent File
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container