Privileged Docker Container Creation

This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. Attackers can use the --privileged flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. access.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/07/10"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an
 11unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which
 12can lead to trivial privilege escalation, docker escaping and persistence. access.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.process*"]
 16language = "kuery"
 17license = "Elastic License v2"
 18name = "Privileged Docker Container Creation"
 19risk_score = 21
 20rule_id = "a80d96cd-1164-41b3-9852-ef58724be496"
 21setup = """## Setup
 22This rule requires data coming in from Elastic Defend.
 23### Elastic Defend Integration Setup
 24Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 25#### Prerequisite Requirements:
 26- Fleet is required for Elastic Defend.
 27- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 28#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 29- Go to the Kibana home page and click "Add integrations".
 30- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 31- Click "Add Elastic Defend".
 32- Configure the integration name and optionally add a description.
 33- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 34- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 35- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 36- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 37For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 38- Click "Save and Continue".
 39- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 40For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 41"""
 42severity = "low"
 43tags = [
 44    "Domain: Endpoint",
 45    "Domain: Container",
 46    "OS: Linux",
 47    "Use Case: Threat Detection",
 48    "Tactic: Execution",
 49    "Data Source: Elastic Defend",
 50    "Resources: Investigation Guide",
 51]
 52timestamp_override = "event.ingested"
 53type = "new_terms"
 54
 55query = '''
 56host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and
 57process.args:(run and --privileged)
 58'''
 59note = """## Triage and analysis
 60
 61> **Disclaimer**:
 62> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 63
 64### Investigating Privileged Docker Container Creation
 65
 66Docker containers are lightweight, portable units that package applications and their dependencies. The `--privileged` flag grants containers extensive host access, posing security risks. Adversaries exploit this to escalate privileges or escape containers. The detection rule identifies unusual privileged container creation by monitoring specific process actions and arguments, helping to flag potential threats early.
 67
 68### Possible investigation steps
 69
 70- Review the alert details to confirm the presence of the `--privileged` flag in the process arguments, as indicated by the query field `process.args:(run and --privileged)`.
 71- Identify the parent process of the Docker command by examining the `event.category:process` and `event.type:start` fields to determine if it originates from an unusual or unauthorized source.
 72- Check the user account associated with the Docker process to verify if it has legitimate access and permissions to create privileged containers.
 73- Investigate the timeline of events leading up to the container creation by reviewing related logs and events around the `event.action:exec` to identify any suspicious activities or patterns.
 74- Assess the container's configuration and running processes to determine if any unauthorized or potentially harmful applications are being executed within the container.
 75- Correlate the alert with other security events or alerts in the environment to identify potential indicators of compromise or broader attack patterns.
 76
 77### False positive analysis
 78
 79- Routine administrative tasks may trigger the rule if system administrators use the --privileged flag for legitimate container management. To handle this, identify and document these tasks, then create exceptions for known administrative processes.
 80- Automated deployment scripts that require elevated privileges might also cause false positives. Review these scripts and whitelist them by specifying the parent process or script name in the exclusion criteria.
 81- Development environments often use privileged containers for testing purposes. To reduce noise, exclude processes originating from known development machines or user accounts.
 82- Some monitoring or security tools may use privileged containers for legitimate purposes. Verify these tools and add them to the exception list to prevent unnecessary alerts.
 83- Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activity.
 84
 85### Response and remediation
 86
 87- Immediately isolate the affected container to prevent further interaction with the host system. This can be done by stopping the container using `docker stop <container_id>`.
 88
 89- Review and revoke any unnecessary permissions or access rights granted to the container. Ensure that the `--privileged` flag is not used unless absolutely necessary.
 90
 91- Conduct a thorough investigation of the container's filesystem and running processes to identify any malicious activity or unauthorized changes. Use tools like `docker exec` to inspect the container's environment.
 92
 93- Check for any signs of container escape or host compromise by reviewing system logs and monitoring for unusual activity on the host machine.
 94
 95- If a compromise is confirmed, initiate a full incident response procedure, including forensic analysis and system restoration from clean backups.
 96
 97- Update and patch the Docker daemon and any related software to the latest versions to mitigate known vulnerabilities that could be exploited.
 98
 99- Enhance monitoring and alerting for privileged container creation by integrating additional security tools or services that provide real-time threat intelligence and anomaly detection."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1059"
106name = "Command and Scripting Interpreter"
107reference = "https://attack.mitre.org/techniques/T1059/"
108[[rule.threat.technique.subtechnique]]
109id = "T1059.004"
110name = "Unix Shell"
111reference = "https://attack.mitre.org/techniques/T1059/004/"
112
113
114[[rule.threat.technique]]
115id = "T1609"
116name = "Container Administration Command"
117reference = "https://attack.mitre.org/techniques/T1609/"
118
119
120[rule.threat.tactic]
121id = "TA0002"
122name = "Execution"
123reference = "https://attack.mitre.org/tactics/TA0002/"
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1611"
128name = "Escape to Host"
129reference = "https://attack.mitre.org/techniques/T1611/"
130
131
132[rule.threat.tactic]
133id = "TA0004"
134name = "Privilege Escalation"
135reference = "https://attack.mitre.org/tactics/TA0004/"
136
137[rule.new_terms]
138field = "new_terms_fields"
139value = ["process.parent.executable"]
140[[rule.new_terms.history_window_start]]
141field = "history_window_start"
142value = "now-14d"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Privileged Docker Container Creation

Docker containers are lightweight, portable units that package applications and their dependencies. The --privileged flag grants containers extensive host access, posing security risks. Adversaries exploit this to escalate privileges or escape containers. The detection rule identifies unusual privileged container creation by monitoring specific process actions and arguments, helping to flag potential threats early.

Possible investigation steps

  • Review the alert details to confirm the presence of the --privileged flag in the process arguments, as indicated by the query field process.args:(run and --privileged).
  • Identify the parent process of the Docker command by examining the event.category:process and event.type:start fields to determine if it originates from an unusual or unauthorized source.
  • Check the user account associated with the Docker process to verify if it has legitimate access and permissions to create privileged containers.
  • Investigate the timeline of events leading up to the container creation by reviewing related logs and events around the event.action:exec to identify any suspicious activities or patterns.
  • Assess the container's configuration and running processes to determine if any unauthorized or potentially harmful applications are being executed within the container.
  • Correlate the alert with other security events or alerts in the environment to identify potential indicators of compromise or broader attack patterns.

False positive analysis

  • Routine administrative tasks may trigger the rule if system administrators use the --privileged flag for legitimate container management. To handle this, identify and document these tasks, then create exceptions for known administrative processes.
  • Automated deployment scripts that require elevated privileges might also cause false positives. Review these scripts and whitelist them by specifying the parent process or script name in the exclusion criteria.
  • Development environments often use privileged containers for testing purposes. To reduce noise, exclude processes originating from known development machines or user accounts.
  • Some monitoring or security tools may use privileged containers for legitimate purposes. Verify these tools and add them to the exception list to prevent unnecessary alerts.
  • Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activity.

Response and remediation

  • Immediately isolate the affected container to prevent further interaction with the host system. This can be done by stopping the container using docker stop <container_id>.

  • Review and revoke any unnecessary permissions or access rights granted to the container. Ensure that the --privileged flag is not used unless absolutely necessary.

  • Conduct a thorough investigation of the container's filesystem and running processes to identify any malicious activity or unauthorized changes. Use tools like docker exec to inspect the container's environment.

  • Check for any signs of container escape or host compromise by reviewing system logs and monitoring for unusual activity on the host machine.

  • If a compromise is confirmed, initiate a full incident response procedure, including forensic analysis and system restoration from clean backups.

  • Update and patch the Docker daemon and any related software to the latest versions to mitigate known vulnerabilities that could be exploited.

  • Enhance monitoring and alerting for privileged container creation by integrating additional security tools or services that provide real-time threat intelligence and anomaly detection.

Related rules

to-top