Potential Container Escape via Modified release_agent File

This rule detects modification of the cgroup `release_agent` file from inside a privileged container. On cgroup v1, `release_agent` names a program that the kernel runs on the host — outside the container — whenever the last process in a cgroup with `notify_on_release` enabled exits. A privileged container, or one granted the CAP_SYS_ADMIN capability, can mount a cgroup hierarchy, overwrite `release_agent` with an attacker-controlled script and trigger it, which yields code execution on the host: privilege escalation and container escape. The referenced CVE-2022-0492 write-ups describe a kernel bug that made the same write possible without CAP_SYS_ADMIN on unpatched kernels.


 1[metadata]
 2creation_date = "2023/10/26"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is
11a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged
12container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent
13which could be used for further privilege escalation and container escapes to the host machine.
14"""
15from = "now-6m"
16index = ["logs-cloud_defend*"]
17interval = "5m"
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Container Escape via Modified release_agent File"
21references = [
22    "https://blog.aquasec.com/threat-alert-container-escape",
23    "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
24    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged-escape-abusing-existent-release_agent-cve-2022-0492-poc1",
25]
26risk_score = 47
27rule_id = "160896de-b66f-42cb-8fef-20f53a9006ea"
28severity = "medium"
29tags = [
30    "Data Source: Elastic Defend for Containers",
31    "Domain: Container",
32    "OS: Linux",
33    "Use Case: Threat Detection",
34    "Tactic: Privilege Escalation",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40file where event.module == "cloud_defend" and event.action == "open" and 
41event.type == "change" and file.name : "release_agent"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1611"
49name = "Escape to Host"
50reference = "https://attack.mitre.org/techniques/T1611/"
51
52
53[rule.threat.tactic]
54id = "TA0004"
55name = "Privilege Escalation"
56reference = "https://attack.mitre.org/tactics/TA0004/"
