Potential Container Escape via Modified notify_on_release File

This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (set to 1) in a cgroup, the command specified in the release_agent file is run on the host whenever the last task in the cgroup exits or attaches to another cgroup. A privileged container with the SYS_ADMIN capability allows a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to abuse this feature, which could be used for further privilege escalation and escape from the container to the host machine.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/12/18"

[rule]
author = ["Elastic"]
description = """
This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.
"""
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Potential Container Escape via Modified notify_on_release File"
references = [
    "https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
    "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
]
risk_score = 73
rule_id = "ef65e82c-d8b4-4895-9824-5f6bc6166804"
severity = "high"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where event.module == "cloud_defend" and event.action == "open" and
event.type == "change" and file.name : "notify_on_release"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
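The rule's EQL predicate re-implemented in Python and run over constructed NDJSON events, as an added example that is not part of the Elastic rule: it shows which field combinations fire the rule and which do not, including the case-insensitive behaviour of the `:` operator on file.name. The sample events, `matches_rule` and `run_rule` are assumptions of this example, not Elastic code.

```python
import json

RULE_NAME = "Potential Container Escape via Modified notify_on_release File"

# Constructed sample events (not real telemetry); keys are the ECS fields the
# rule's EQL query references, kept flat as dotted names.
SAMPLE_EVENTS = [
    # Write-open of notify_on_release inside a container: should match.
    json.dumps({"event.module": "cloud_defend", "event.action": "open",
                "event.type": "change", "file.name": "notify_on_release",
                "container.id": "constructed-c1"}),
    # Upper-case name: EQL ':' is case-insensitive, so this matches as well.
    json.dumps({"event.module": "cloud_defend", "event.action": "open",
                "event.type": "change", "file.name": "NOTIFY_ON_RELEASE",
                "container.id": "constructed-c2"}),
    # Read-only open: event.type is not "change", so the rule must not fire.
    json.dumps({"event.module": "cloud_defend", "event.action": "open",
                "event.type": "access", "file.name": "notify_on_release",
                "container.id": "constructed-c3"}),
    # Write to a different cgroup control file: file.name does not match.
    json.dumps({"event.module": "cloud_defend", "event.action": "open",
                "event.type": "change", "file.name": "release_agent",
                "container.id": "constructed-c4"}),
]

def matches_rule(event: dict) -> bool:
    """Boolean equivalent of the rule's EQL query. EQL '==' is exact and
    case-sensitive; ':' on a string field is case-insensitive, hence lower()."""
    return (
        event.get("event.module") == "cloud_defend"
        and event.get("event.action") == "open"
        and event.get("event.type") == "change"
        and str(event.get("file.name", "")).lower() == "notify_on_release"
    )

def run_rule(lines: list[str]) -> list[dict]:
    """Parse newline-delimited JSON events and return the matches, tagged with
    the rule name and its ATT&CK technique (T1611, Escape to Host)."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if matches_rule(event):
            hits.append({**event, "rule.name": RULE_NAME,
                         "threat.technique.id": "T1611"})
    return hits

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["container.id"], "->", hit["rule.name"])
```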
