Potential Container Escape via Modified notify_on_release File
This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take advantage of this feature, which could be used for further privilege escalation and container escapes to the host machine.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/10/26"
3integration = ["cloud_defend"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
11flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
12command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
13capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
14advantage of this feature, which could be used for further privilege escalation and container escapes to the host
15machine.
16"""
17from = "now-6m"
18index = ["logs-cloud_defend*"]
19interval = "5m"
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Container Escape via Modified notify_on_release File"
23references = [
24 "https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/",
25 "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
26]
27risk_score = 73
28rule_id = "ef65e82c-d8b4-4895-9824-5f6bc6166804"
29severity = "high"
30tags = [
31 "Data Source: Elastic Defend for Containers",
32 "Domain: Container",
33 "OS: Linux",
34 "Use Case: Threat Detection",
35 "Tactic: Privilege Escalation",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41file where event.module == "cloud_defend" and event.action == "open" and
42event.type == "change" and file.name : "notify_on_release"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1611"
50name = "Escape to Host"
51reference = "https://attack.mitre.org/techniques/T1611/"
52
53
54[rule.threat.tactic]
55id = "TA0004"
56name = "Privilege Escalation"
57reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
Trail of Bits recently completed a security assessment of Kubernetes, including its interaction with Docker. Felix Wilhelm’s recent tweet of a Proof of Concept (PoC) “container escape” sparked our …
Read More -
Linux maintainers disclosed a privilege escalation vulnerability (CVE-2022-0492) in the Linux Kernel rated as a High severity.
Read More
Related rules
- Potential Container Escape via Modified release_agent File
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container