Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container — a container deployed with all the capabilities of the host machine — an attacker can access sensitive host-level files, which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule in the detection-rules TOML format. Key
# order and string values are consumed by the rules tooling as-is, so edits
# should stay limited to the values themselves.
[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New field added to ecs : container.security_context.privileged"
# 8.10.0 is the floor because the query below filters on
# container.security_context.privileged, the field named in min_stack_comments.
min_stack_version = "8.10.0"
updated_date = "2024/01/05"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
"""
# Six-minute lookback on a five-minute interval: the one-minute overlap is
# presumably a margin for late-arriving events (the rule is scheduled against
# event.ingested, see timestamp_override below).
from = "now-6m"
# Only Defend for Containers data streams are searched. The query also pins
# event.module to "cloud_defend", so both must agree if either is changed.
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Mount Launched Inside a Privileged Container"
references = [
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
]
# risk_score and severity are kept in step (21 appears to sit in the "low"
# band); change both together when re-tiering the rule.
risk_score = 21
rule_id = "41f7da9e-4e9f-4a81-9b58-40d725d83bc0"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
]
# Run against ingest time rather than the event's own @timestamp, presumably
# so that events indexed late are still seen by a subsequent run.
timestamp_override = "event.ingested"
type = "eql"

# Process-start events from Defend for Containers where the process is mount
# (matched by name, or by "mount" appearing as an argument -- e.g. a
# multi-call binary invoked as `busybox mount`) and the container is marked
# privileged. Events from unprivileged containers are dropped entirely, which
# keeps volume low, but it also means a privileged flag that is missing or
# unset on the event suppresses the alert.
# NOTE(review): process.args == "mount" is compared against each element of
# the args array, so any unrelated command given a literal "mount" argument
# also fires; add exclusions if that proves noisy in a given environment.
query = '''
process where event.module == "cloud_defend" and  event.type== "start" and 
(process.name== "mount" or process.args== "mount") and container.security_context.privileged == true
'''


# MITRE ATT&CK mapping: Escape to Host (T1611) under the Privilege Escalation
# tactic (TA0004), matching the "Tactic: Privilege Escalation" tag above.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
