Potential Container Escape via Modified notify_on_release File

This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take advantage of this feature, which could be used for further privilege escalation and container escapes to the host machine.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/10/26"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
11flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
12command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
13capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
14advantage of this feature, which could be used for further privilege escalation and container escapes to the host
15machine.
16"""
17from = "now-6m"
18index = ["logs-cloud_defend*"]
19interval = "5m"
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Container Escape via Modified notify_on_release File"
23references = [
24    "https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
25    "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
26]
27risk_score = 73
28rule_id = "ef65e82c-d8b4-4895-9824-5f6bc6166804"
29severity = "high"
30tags = [
31    "Data Source: Elastic Defend for Containers",
32    "Domain: Container",
33    "OS: Linux",
34    "Use Case: Threat Detection",
35    "Tactic: Privilege Escalation",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41file where event.module == "cloud_defend" and event.action == "open" and 
42event.type == "change" and file.name : "notify_on_release"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1611"
50name = "Escape to Host"
51reference = "https://attack.mitre.org/techniques/T1611/"
52
53
54[rule.threat.tactic]
55id = "TA0004"
56name = "Privilege Escalation"
57reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top