Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command makes a device or file system accessible to the system and attaches its root directory to a specified mount point on the local file system. When mount is launched inside a privileged container (a container deployed with all the capabilities of the host machine), an attacker can access sensitive host-level files, which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be investigated further.

Elastic rule

[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
"""
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Mount Launched Inside a Privileged Container"
references = [
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
]
risk_score = 21
rule_id = "41f7da9e-4e9f-4a81-9b58-40d725d83bc0"
severity = "low"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.module == "cloud_defend" and  event.type== "start" and
(process.name== "mount" or process.args== "mount") and container.security_context.privileged == true
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Mount Launched Inside a Privileged Container

In containerized environments, the `mount` utility is crucial for attaching file systems to the system's directory tree. When executed within a privileged container, which has extensive host capabilities, it can be exploited by adversaries to access sensitive host files, potentially leading to privilege escalation or container escapes. The detection rule identifies such misuse by monitoring the execution of `mount` in privileged containers, flagging potential security threats for further investigation.

### Possible investigation steps

- Review the alert details to confirm that the process name or arguments include "mount" and that the container's security context is marked as privileged.
- Identify the container involved in the alert by examining the container ID or name, and gather information about its purpose and the applications it runs.
- Check the container's deployment configuration to verify if it was intentionally set as privileged and assess whether this level of privilege is necessary for its function.
- Investigate the user or process that initiated the mount command within the container to determine if it aligns with expected behavior or if it indicates potential malicious activity.
- Examine the mounted file systems and directories to identify any sensitive host files that may have been accessed or exposed.
- Review logs and historical data for any previous suspicious activities associated with the same container or user to identify patterns or repeated attempts at privilege escalation.

### False positive analysis

- Routine maintenance tasks within privileged containers may trigger the rule. Exclude known maintenance scripts or processes by adding them to an exception list based on their unique identifiers or command patterns.
- Backup operations that require mounting file systems might be flagged. Identify and exclude these operations by specifying the backup process names or arguments in the rule exceptions.
- Development or testing environments often use privileged containers for convenience. If these environments are known and controlled, consider excluding them by container IDs or labels to reduce noise.
- Automated deployment tools that use mount commands in privileged containers can be mistaken for threats. Review and whitelist these tools by their process names or specific arguments to prevent false alerts.
- Certain monitoring or logging solutions may use mount operations for data collection. Verify these solutions and exclude their processes if they are legitimate and necessary for system operations.

### Response and remediation

- Immediately isolate the affected container to prevent further access to sensitive host files. This can be done by stopping the container or disconnecting it from the network.
- Review and revoke any unnecessary privileges from the container's security context to prevent similar incidents. Ensure that containers run with the least privileges necessary.
- Conduct a thorough analysis of the container's file system and logs to identify any unauthorized access or modifications to host files.
- If unauthorized access is confirmed, perform a comprehensive audit of the host system to check for any signs of compromise or privilege escalation attempts.
- Patch and update the container image and host system to address any vulnerabilities that may have been exploited.
- Implement stricter access controls and monitoring for privileged containers, ensuring that only trusted users and processes can execute sensitive commands like `mount`.
- Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Mount Launched Inside a Privileged Container

In containerized environments, the mount utility is crucial for attaching file systems to the system's directory tree. When executed within a privileged container, which has extensive host capabilities, it can be exploited by adversaries to access sensitive host files, potentially leading to privilege escalation or container escapes. The detection rule identifies such misuse by monitoring the execution of mount in privileged containers, flagging potential security threats for further investigation.
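To see which events the rule's condition selects, the following added example (not part of the Elastic rule or its repository) restates the EQL query in Python and runs it over constructed events. It assumes `==` is an exact, case-sensitive comparison that matches when any element of a multi-valued field equals the value; the event layout contains only the fields the query reads.

```python
# Added example: approximates the rule's EQL condition; all events are constructed.

def get(event, dotted):
    """Resolve a dotted field name (as used in the query) in a nested dict."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def eq(event, field, expected):
    """Assumed '==' semantics: exact and case-sensitive; any list element may match."""
    value = get(event, field)
    values = value if isinstance(value, list) else [value]
    return any(type(v) is type(expected) and v == expected for v in values)

def rule_matches(event):
    return (
        eq(event, "event.category", "process")  # the "process where" clause
        and eq(event, "event.module", "cloud_defend")
        and eq(event, "event.type", "start")
        and (eq(event, "process.name", "mount") or eq(event, "process.args", "mount"))
        and eq(event, "container.security_context.privileged", True)
    )

def make_event(name, args, privileged, etype="start"):
    """Build a constructed event holding only the fields the query reads."""
    return {
        "event": {"category": ["process"], "module": "cloud_defend", "type": [etype]},
        "process": {"name": name, "args": args},
        "container": {"security_context": {"privileged": privileged}},
    }

SAMPLES = {
    "direct-mount": make_event("mount", ["mount", "/dev/sda1", "/mnt"], True),
    "full-path": make_event("mount", ["/bin/mount", "-t", "proc", "proc", "/proc"], True),
    "busybox-applet": make_event("busybox", ["busybox", "mount", "/dev/sda1", "/mnt"], True),
    "unprivileged": make_event("mount", ["mount", "/dev/sda1", "/mnt"], False),
    "umount": make_event("umount", ["umount", "/mnt"], True),
    "mount-exit": make_event("mount", ["mount", "/dev/sda1", "/mnt"], True, etype="end"),
}

def matching_samples():
    return sorted(name for name, ev in SAMPLES.items() if rule_matches(ev))

if __name__ == "__main__":
    print(matching_samples())
```

The `process.args` clause is what catches the multi-call binary case, where `process.name` is not `mount`; `umount` does not match because both comparisons are exact.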

Possible investigation steps

  • Review the alert details to confirm that the process name or arguments include "mount" and that the container's security context is marked as privileged.
  • Identify the container involved in the alert by examining the container ID or name, and gather information about its purpose and the applications it runs.
  • Check the container's deployment configuration to verify if it was intentionally set as privileged and assess whether this level of privilege is necessary for its function.
  • Investigate the user or process that initiated the mount command within the container to determine if it aligns with expected behavior or if it indicates potential malicious activity.
  • Examine the mounted file systems and directories to identify any sensitive host files that may have been accessed or exposed.
  • Review logs and historical data for any previous suspicious activities associated with the same container or user to identify patterns or repeated attempts at privilege escalation.
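For the step that checks the container's deployment configuration, the added example below (not from the original guide) lists every container declared with `securityContext.privileged: true` in Kubernetes manifests, including init and ephemeral containers. The manifests and workload names are constructed, and the use of Kubernetes as the orchestrator is an assumption.

```python
# Added example: finds containers declared with securityContext.privileged: true.
# The manifests below are constructed; all names are hypothetical.

def pod_spec(obj):
    """Return the pod spec of a Pod or of a workload's pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if obj.get("kind") != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    return spec

def privileged_containers(doc):
    """Accept one object or a kind: List document; return (owner, group, container) tuples."""
    found = []
    for obj in doc.get("items", [doc]):
        owner = f'{obj.get("kind")}/{obj.get("metadata", {}).get("name")}'
        for group in ("initContainers", "containers", "ephemeralContainers"):
            for c in pod_spec(obj).get(group) or []:
                # privileged is a per-container field; absent or false means not privileged
                if (c.get("securityContext") or {}).get("privileged") is True:
                    found.append((owner, group, c.get("name")))
    return found

CONSTRUCTED = {"kind": "List", "items": [
    {"kind": "DaemonSet", "metadata": {"name": "node-agent"}, "spec": {"template": {"spec": {
        "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
        "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
        "containers": [{"name": "app", "securityContext": {"privileged": False}},
                       {"name": "sidecar"}]}}}},
    {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
        "containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
]}

if __name__ == "__main__":
    for owner, group, name in privileged_containers(CONSTRUCTED):
        print(f"{owner}: {group}/{name} is privileged")
```

The same function accepts the JSON document produced by `kubectl get ... -o json` once it is loaded with `json.load`.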

False positive analysis

  • Routine maintenance tasks within privileged containers may trigger the rule. Exclude known maintenance scripts or processes by adding them to an exception list based on their unique identifiers or command patterns.
  • Backup operations that require mounting file systems might be flagged. Identify and exclude these operations by specifying the backup process names or arguments in the rule exceptions.
  • Development or testing environments often use privileged containers for convenience. If these environments are known and controlled, consider excluding them by container IDs or labels to reduce noise.
  • Automated deployment tools that use mount commands in privileged containers can be mistaken for threats. Review and whitelist these tools by their process names or specific arguments to prevent false alerts.
  • Certain monitoring or logging solutions may use mount operations for data collection. Verify these solutions and exclude their processes if they are legitimate and necessary for system operations.

Response and remediation

  • Immediately isolate the affected container to prevent further access to sensitive host files. This can be done by stopping the container or disconnecting it from the network.
  • Review and revoke any unnecessary privileges from the container's security context to prevent similar incidents. Ensure that containers run with the least privileges necessary.
  • Conduct a thorough analysis of the container's file system and logs to identify any unauthorized access or modifications to host files.
  • If unauthorized access is confirmed, perform a comprehensive audit of the host system to check for any signs of compromise or privilege escalation attempts.
  • Patch and update the container image and host system to address any vulnerabilities that may have been exploited.
  • Implement stricter access controls and monitoring for privileged containers, ensuring that only trusted users and processes can execute sensitive commands like mount.
  • Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions.
