Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container — a container started with the `--privileged` flag, which grants every Linux capability, exposes the host's device nodes and disables the default seccomp and MAC (AppArmor/SELinux) confinement — an attacker can mount the host's block devices or file systems and read or modify sensitive host-level files, which can be used for further privilege escalation and container escape to the host machine. Any usage of mount inside a running privileged container should be investigated; expect legitimate hits from infrastructure containers (storage/CSI drivers, node agents) that mount by design, and exclude those explicitly rather than lowering the rule's scope.


 1[metadata]
 2creation_date = "2023/10/26"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5updated_date = "2024/07/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
11device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
12local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
13host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
14and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
15investigated.
16"""
17from = "now-6m"
18index = ["logs-cloud_defend*"]
19interval = "5m"
20language = "eql"
21license = "Elastic License v2"
22name = "Mount Launched Inside a Privileged Container"
23references = [
24    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
25]
26risk_score = 21
27rule_id = "41f7da9e-4e9f-4a81-9b58-40d725d83bc0"
28severity = "low"
29tags = [
30    "Data Source: Elastic Defend for Containers",
31    "Domain: Container",
32    "OS: Linux",
33    "Use Case: Threat Detection",
34    "Tactic: Privilege Escalation",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where event.module == "cloud_defend" and  event.type== "start" and 
41(process.name== "mount" or process.args== "mount") and container.security_context.privileged == true
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1611"
49name = "Escape to Host"
50reference = "https://attack.mitre.org/techniques/T1611/"
51
52
53[rule.threat.tactic]
54id = "TA0004"
55name = "Privilege Escalation"
56reference = "https://attack.mitre.org/tactics/TA0004/"


