Privileged Docker Container Creation
This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an
unusual parent process. Attackers can use the --privileged
flag to create containers with escalated privileges, which
can lead to trivial privilege escalation, docker escaping and persistence. access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/07/10"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an
11unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which
12can lead to trivial privilege escalation, docker escaping and persistence. access.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.process*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Privileged Docker Container Creation"
19risk_score = 21
20rule_id = "a80d96cd-1164-41b3-9852-ef58724be496"
21setup = """## Setup
22This rule requires data coming in from Elastic Defend.
23### Elastic Defend Integration Setup
24Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
25#### Prerequisite Requirements:
26- Fleet is required for Elastic Defend.
27- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
28#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
29- Go to the Kibana home page and click "Add integrations".
30- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
31- Click "Add Elastic Defend".
32- Configure the integration name and optionally add a description.
33- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
34- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
35- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
36- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
37For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
38- Click "Save and Continue".
39- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
40For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
41"""
42severity = "low"
43tags = [
44 "Domain: Endpoint",
45 "Domain: Container",
46 "OS: Linux",
47 "Use Case: Threat Detection",
48 "Tactic: Execution",
49 "Data Source: Elastic Defend",
50 "Resources: Investigation Guide",
51]
52timestamp_override = "event.ingested"
53type = "new_terms"
54
55query = '''
56host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and
57process.args:(run and --privileged)
58'''
59note = """## Triage and analysis
60
61> **Disclaimer**:
62> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
63
64### Investigating Privileged Docker Container Creation
65
66Docker containers are lightweight, portable units that package applications and their dependencies. The `--privileged` flag grants containers extensive host access, posing security risks. Adversaries exploit this to escalate privileges or escape containers. The detection rule identifies unusual privileged container creation by monitoring specific process actions and arguments, helping to flag potential threats early.
67
68### Possible investigation steps
69
70- Review the alert details to confirm the presence of the `--privileged` flag in the process arguments, as indicated by the query field `process.args:(run and --privileged)`.
71- Identify the parent process of the Docker command by examining the `event.category:process` and `event.type:start` fields to determine if it originates from an unusual or unauthorized source.
72- Check the user account associated with the Docker process to verify if it has legitimate access and permissions to create privileged containers.
73- Investigate the timeline of events leading up to the container creation by reviewing related logs and events around the `event.action:exec` to identify any suspicious activities or patterns.
74- Assess the container's configuration and running processes to determine if any unauthorized or potentially harmful applications are being executed within the container.
75- Correlate the alert with other security events or alerts in the environment to identify potential indicators of compromise or broader attack patterns.
76
77### False positive analysis
78
79- Routine administrative tasks may trigger the rule if system administrators use the --privileged flag for legitimate container management. To handle this, identify and document these tasks, then create exceptions for known administrative processes.
80- Automated deployment scripts that require elevated privileges might also cause false positives. Review these scripts and whitelist them by specifying the parent process or script name in the exclusion criteria.
81- Development environments often use privileged containers for testing purposes. To reduce noise, exclude processes originating from known development machines or user accounts.
82- Some monitoring or security tools may use privileged containers for legitimate purposes. Verify these tools and add them to the exception list to prevent unnecessary alerts.
83- Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activity.
84
85### Response and remediation
86
87- Immediately isolate the affected container to prevent further interaction with the host system. This can be done by stopping the container using `docker stop <container_id>`.
88
89- Review and revoke any unnecessary permissions or access rights granted to the container. Ensure that the `--privileged` flag is not used unless absolutely necessary.
90
91- Conduct a thorough investigation of the container's filesystem and running processes to identify any malicious activity or unauthorized changes. Use tools like `docker exec` to inspect the container's environment.
92
93- Check for any signs of container escape or host compromise by reviewing system logs and monitoring for unusual activity on the host machine.
94
95- If a compromise is confirmed, initiate a full incident response procedure, including forensic analysis and system restoration from clean backups.
96
97- Update and patch the Docker daemon and any related software to the latest versions to mitigate known vulnerabilities that could be exploited.
98
99- Enhance monitoring and alerting for privileged container creation by integrating additional security tools or services that provide real-time threat intelligence and anomaly detection."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1059"
106name = "Command and Scripting Interpreter"
107reference = "https://attack.mitre.org/techniques/T1059/"
108[[rule.threat.technique.subtechnique]]
109id = "T1059.004"
110name = "Unix Shell"
111reference = "https://attack.mitre.org/techniques/T1059/004/"
112
113
114[[rule.threat.technique]]
115id = "T1609"
116name = "Container Administration Command"
117reference = "https://attack.mitre.org/techniques/T1609/"
118
119
120[rule.threat.tactic]
121id = "TA0002"
122name = "Execution"
123reference = "https://attack.mitre.org/tactics/TA0002/"
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1611"
128name = "Escape to Host"
129reference = "https://attack.mitre.org/techniques/T1611/"
130
131
132[rule.threat.tactic]
133id = "TA0004"
134name = "Privilege Escalation"
135reference = "https://attack.mitre.org/tactics/TA0004/"
136
137[rule.new_terms]
138field = "new_terms_fields"
139value = ["process.parent.executable"]
140[[rule.new_terms.history_window_start]]
141field = "history_window_start"
142value = "now-14d"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Privileged Docker Container Creation
Docker containers are lightweight, portable units that package applications and their dependencies. The --privileged
flag grants containers extensive host access, posing security risks. Adversaries exploit this to escalate privileges or escape containers. The detection rule identifies unusual privileged container creation by monitoring specific process actions and arguments, helping to flag potential threats early.
Possible investigation steps
- Review the alert details to confirm the presence of the
--privileged
flag in the process arguments, as indicated by the query fieldprocess.args:(run and --privileged)
. - Identify the parent process of the Docker command by examining the
event.category:process
andevent.type:start
fields to determine if it originates from an unusual or unauthorized source. - Check the user account associated with the Docker process to verify if it has legitimate access and permissions to create privileged containers.
- Investigate the timeline of events leading up to the container creation by reviewing related logs and events around the
event.action:exec
to identify any suspicious activities or patterns. - Assess the container's configuration and running processes to determine if any unauthorized or potentially harmful applications are being executed within the container.
- Correlate the alert with other security events or alerts in the environment to identify potential indicators of compromise or broader attack patterns.
False positive analysis
- Routine administrative tasks may trigger the rule if system administrators use the --privileged flag for legitimate container management. To handle this, identify and document these tasks, then create exceptions for known administrative processes.
- Automated deployment scripts that require elevated privileges might also cause false positives. Review these scripts and whitelist them by specifying the parent process or script name in the exclusion criteria.
- Development environments often use privileged containers for testing purposes. To reduce noise, exclude processes originating from known development machines or user accounts.
- Some monitoring or security tools may use privileged containers for legitimate purposes. Verify these tools and add them to the exception list to prevent unnecessary alerts.
- Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activity.
Response and remediation
-
Immediately isolate the affected container to prevent further interaction with the host system. This can be done by stopping the container using
docker stop <container_id>
. -
Review and revoke any unnecessary permissions or access rights granted to the container. Ensure that the
--privileged
flag is not used unless absolutely necessary. -
Conduct a thorough investigation of the container's filesystem and running processes to identify any malicious activity or unauthorized changes. Use tools like
docker exec
to inspect the container's environment. -
Check for any signs of container escape or host compromise by reviewing system logs and monitoring for unusual activity on the host machine.
-
If a compromise is confirmed, initiate a full incident response procedure, including forensic analysis and system restoration from clean backups.
-
Update and patch the Docker daemon and any related software to the latest versions to mitigate known vulnerabilities that could be exploited.
-
Enhance monitoring and alerting for privileged container creation by integrating additional security tools or services that provide real-time threat intelligence and anomaly detection.
Related rules
- Egress Connection from Entrypoint in Container
- AWS SSM `SendCommand` with Run Shell Command Parameters
- At Job Created or Modified
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory