Mount Launched Inside a Privileged Container
This rule detects the use of the mount utility from inside a privileged container. The mount command makes a device or file system accessible to the system by attaching its root directory to a specified mount point on the local file system. Inside a privileged container (one started with the full capability set of the host, including CAP_SYS_ADMIN, and with the host's device nodes visible), an attacker can mount a host block device or file system and read or modify sensitive host-level files, which can be used for further privilege escalation and for escaping the container to the host. Any use of mount inside a running privileged container should be investigated; the source and target given in process.args show what was exposed. The rule depends on the container.security_context.privileged field, which Elastic Defend for Containers populates from stack version 8.10.0 onward.
Elastic rule
```toml
[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New field added to ecs : container.security_context.privileged"
min_stack_version = "8.10.0"
updated_date = "2024/01/05"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
"""
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Mount Launched Inside a Privileged Container"
references = [
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
]
risk_score = 21
rule_id = "41f7da9e-4e9f-4a81-9b58-40d725d83bc0"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.module == "cloud_defend" and event.type== "start" and
(process.name== "mount" or process.args== "mount") and container.security_context.privileged == true
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
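To see exactly which events the query above fires on, the following added example (not Elastic's code and not part of the rule repository) mirrors the EQL predicate in plain Python and runs it over a handful of constructed ECS-style events. The events, the nested-document layout, the `ev` builder and the `/dev/` argument heuristic in the triage output are all assumptions made for this illustration; the predicate itself follows the query field for field, including the EQL behaviour that comparing the array field `process.args` to a string matches when any element is equal.

```python
"""Mirror of the rule's EQL predicate in plain Python over constructed
ECS-style events. Illustration only: not Elastic's code and not connected to
the Elastic stack; it reproduces the query's logic so match and non-match
cases can be inspected."""

RULE_MODULE = "cloud_defend"


def ev(module, etype, name, args, privileged, cid):
    """Build a constructed event in nested ECS layout (assumption: the lookup
    helper reads nested documents, not the flattened "a.b.c" key form)."""
    return {
        "event": {"module": module, "category": ["process"], "type": [etype]},
        "process": {"name": name, "args": args},
        "container": {"id": cid, "security_context": {"privileged": privileged}},
    }


# Constructed sample events; only the fields the rule reads, plus container.id.
SAMPLE_EVENTS = [
    # c1: privileged container mounting a host block device -> fires
    ev("cloud_defend", "start", "mount", ["mount", "/dev/sda1", "/mnt/host"], True, "c1"),
    # c2: busybox applet form; process.name is not "mount" but an argv element
    #     is, which the `process.args == "mount"` clause catches
    ev("cloud_defend", "start", "busybox", ["busybox", "mount", "/dev/sda1", "/mnt/host"], True, "c2"),
    # c3: shell wrapper; the argv element is "mount /dev/sda1 /mnt", not "mount",
    #     so this event does not match. The mount binary the shell then execs
    #     produces its own start event shaped like c1.
    ev("cloud_defend", "start", "sh", ["sh", "-c", "mount /dev/sda1 /mnt"], True, "c3"),
    # c4: same utility in an unprivileged container -> out of the rule's scope
    ev("cloud_defend", "start", "mount", ["mount", "-t", "tmpfs", "tmpfs", "/tmp/x"], False, "c4"),
    # c5: process exit rather than start -> no match
    ev("cloud_defend", "end", "mount", ["mount", "/dev/sda1", "/mnt/host"], True, "c5"),
    # c6: same activity reported by another data source -> no match
    ev("endpoint", "start", "mount", ["mount", "/dev/sda1", "/mnt/host"], True, "c6"),
]


def field(event, path):
    """Look up a dotted ECS field name in a nested document; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def as_list(value):
    """ECS allows event.category, event.type and process.args as scalar or array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event):
    """One-to-one with the rule's EQL:
        process where event.module == "cloud_defend" and event.type == "start" and
        (process.name == "mount" or process.args == "mount") and
        container.security_context.privileged == true
    EQL equality against an array field is true when any element is equal, so
    `process.args == "mount"` becomes a membership test, not whole-list equality."""
    if "process" not in as_list(field(event, "event.category")):
        return False  # the `process where ...` event-category clause
    if field(event, "event.module") != RULE_MODULE:
        return False
    if "start" not in as_list(field(event, "event.type")):
        return False
    name_hit = field(event, "process.name") == "mount"
    args_hit = "mount" in as_list(field(event, "process.args"))
    if not (name_hit or args_hit):
        return False
    return field(event, "container.security_context.privileged") is True


def triage(event):
    """What a responder wants first from a hit: the container, the full command
    line, and any argument naming a device node. A host block device such as
    /dev/sda1 as the mount source is the classic escape path; the /dev/ prefix
    test is a simple heuristic added here, not part of the rule."""
    args = as_list(field(event, "process.args"))
    return {
        "container_id": field(event, "container.id"),
        "argv": " ".join(args),
        "device_args": [a for a in args if a.startswith("/dev/")],
    }


def run_rule(events):
    """Apply the predicate to a batch and return triage records for the hits."""
    return [triage(e) for e in events if matches_rule(e)]
```

Running `run_rule(SAMPLE_EVENTS)` returns hits for c1 and c2 only; c3 shows why a single `sh -c` event is not enough on its own, although the child `mount` process the shell execs is a separate start event that does match. In the real stack the query is evaluated as an EQL rule over `logs-cloud_defend*` every 5 minutes with a 6-minute lookback (the `interval` and `from` values above); this script only reasons about the predicate.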
References
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged
Related rules
- File System Debugger Launched Inside a Privileged Container
- Potential Container Escape via Modified notify_on_release File
- Potential Container Escape via Modified release_agent File
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container