Potential Container Escape via Kernel core_pattern Modification
The Linux kernel invokes the program named in "/proc/sys/kernel/core_pattern" whenever a process core-dumps. When that value begins with a pipe (|), the kernel runs the handler from the host's initial namespace as root, regardless of where the crashing process lived. Because the core-dump up-call is not namespaced, a process inside a container that can write core_pattern can register an attacker-controlled handler and then deliberately crash a process to have it execute on the host as root, resulting in a full container-to-host escape.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/02"
3integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_defend"]
4maturity = "production"
5min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
6min_stack_version = "9.3.0"
7updated_date = "2026/07/06"
8
9[rule]
10author = ["Elastic"]
11description = """
12The Linux kernel invokes the program named in "/proc/sys/kernel/core_pattern" whenever a process core-dumps. When
13that value begins with a pipe (|), the kernel runs the handler from the host's initial namespace as root, regardless
14of where the crashing process lived. Because the core-dump up-call is not namespaced, a process inside a container
15that can write core_pattern can register an attacker-controlled handler and then deliberately crash a process to have
16it execute on the host as root, resulting in a full container-to-host escape.
17"""
18from = "now-9m"
19index = [
20 "auditbeat-*",
21 "endgame-*",
22 "logs-auditd_manager.auditd-*",
23 "logs-crowdstrike.fdr*",
24 "logs-endpoint.events.process*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-cloud_defend.process*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Potential Container Escape via Kernel core_pattern Modification"
31note = """ ## Triage and analysis
32
33> **Disclaimer**:
34> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
35
36### Investigating Potential Container Escape via Kernel core_pattern Modification
37
38This rule detects attempts on Linux to change the kernel’s core dump handler, a setting that can make the host run a program as root when a process crashes. In a container, an attacker can write a pipe-based core_pattern such as a shell script path, then deliberately crash a process so the host executes the handler outside the container, turning container access into full host compromise.
39
40### Possible investigation steps
41
42- Verify the current and recent value of `kernel.core_pattern` on the affected node, prioritizing pipe-based handlers and whether the referenced program lives in a writable, temporary, container-mounted, or otherwise untrusted path.
43- Reconstruct the full ancestry and session context of the modifying process to determine whether it came from a legitimate admin workflow or from a containerized shell, and identify the associated user, container, image, pod, and privilege level.
44- Review the container or pod security context for escape-enabling conditions such as privileged mode, shared host namespaces, hostPath mounts to `/proc` or the host filesystem, and elevated capabilities that would have allowed changing a host kernel parameter.
45- Hunt for follow-on exploitation by looking for deliberate crashes, core-dump activity, and new root-owned host processes launched shortly after the change, especially executions from `/tmp`, container overlay paths, or bind-mounted locations.
46- If the activity is not authorized, collect the referenced handler file and related artifacts, assess the host for persistence or lateral movement, and contain the node and implicated workload before restoring `kernel.core_pattern` to a known-good value.
47
48### False positive analysis
49
50- An administrator or approved automation may temporarily change `kernel.core_pattern` from a host shell or privileged container during crash-dump troubleshooting; verify the initiating user and parent process, look for a corresponding maintenance window or change record, and confirm the setting was restored to an approved value afterward.
51- A legitimate test or debugging workflow may use `sysctl`, shell redirection, or file-copy utilities to point `core_pattern` to a known crash handler before generating controlled faults; confirm the activity is tied to an expected container or host session, the handler path is trusted, and no unexpected root-owned host processes were launched after the change.
52
53### Response and remediation
54
55- Isolate the affected host from the network, cordon and drain the Kubernetes node if applicable, and stop or quarantine the implicated container or pod so the attacker cannot trigger additional core dumps or spawn new host processes.
56- Preserve the malicious artifacts for incident handling and then remove the attacker-controlled core dump handler, including any scripts or binaries referenced by `/proc/sys/kernel/core_pattern` and copies placed in `/tmp`, `/var/tmp`, container overlay paths, bind mounts, or other writable locations.
57- Restore the node to a known-good state by resetting `kernel.core_pattern` to the approved value, removing unauthorized entries from `/etc/sysctl.conf`, `/etc/sysctl.d/`, and startup scripts that would reapply it, and rebuilding the host from a trusted image if host-level execution occurred.
58- Hunt for and remove persistence added after the escape attempt, including rogue systemd units, cron jobs, `/etc/rc.local` changes, SSH `authorized_keys`, newly created sudoers entries, and unauthorized privileged DaemonSets or containers on the node.
59- Escalate immediately to incident response if the handler executed on the host, if you find root-owned processes launched from a container-writable path such as `/tmp` or an overlay mount, or if the same `core_pattern` change appears on more than one node.
60- Rotate any credentials or tokens exposed on the host or mounted into the compromised workload, then harden the environment by blocking privileged pods, removing dangerous capabilities such as `CAP_SYS_ADMIN`, prohibiting writable `hostPath` access to `/proc` or the host filesystem, and enforcing pod security or admission policies to prevent recurrence.
61"""
62references = [
63 "https://www.sysdig.com/blog/runc-container-escape-vulnerabilities",
64 "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm",
65 "https://kubehound.io/reference/attacks/CE_UMH_CORE_PATTERN/",
66 "https://aquasecurity.github.io/tracee/latest/docs/events/builtin/signatures/core_pattern_modification/"
67]
68risk_score = 47
69rule_id = "4872671a-c8d2-4847-9891-d3ce08b9e4c9"
70setup = """## Setup
71
72This rule requires data coming in from Elastic Defend.
73
74### Elastic Defend Integration Setup
75Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
76
77#### Prerequisite Requirements:
78- Fleet is required for Elastic Defend.
79- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
80#### The following steps should be executed in order to add the Elastic Defend integration on a Linux system:
81- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
82- Click "Add Elastic Defend".
83- Configure the integration name and optionally add a description.
84- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
85- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
86- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
87- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
88For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
89- Click "Save and Continue".
90- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
91For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
92"""
93severity = "medium"
94tags = [
95 "Domain: Endpoint",
96 "Domain: Container",
97 "Domain: Kubernetes",
98 "OS: Linux",
99 "Use Case: Threat Detection",
100 "Tactic: Privilege Escalation",
101 "Data Source: Elastic Defend",
102 "Data Source: Elastic Endgame",
103 "Data Source: Auditd Manager",
104 "Data Source: Crowdstrike",
105 "Data Source: SentinelOne",
106 "Data Source: Elastic Defend for Containers",
107 "Resources: Investigation Guide",
108]
109timestamp_override = "event.ingested"
110type = "eql"
111query = '''
112process where host.os.type == "linux" and event.type == "start" and
113event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
114process.args like ("*/proc/sys/kernel/core_pattern*", "*kernel.core_pattern*") and
115?process.parent.executable != null and
116(
117 process.name in ("tee", "cp", "mv", "dd") or
118 (
119 process.name == "sysctl" and
120 process.args like ("*-w*", "*core_pattern*")
121 ) or
122 (
123 process.name in ("bash", "dash", "sh", "zsh", "ksh", "fish", "ash", "mksh", "busybox") and
124 process.args == "-c" and process.args like ("*echo *", "*printf *")
125 )
126) and
127not ?process.parent.executable in ("/usr/lib/systemd/systemd", "/usr/bin/kdumpctl", "/usr/sbin/abrtd", "/usr/bin/apport")
128'''
129
130[[rule.threat]]
131framework = "MITRE ATT&CK"
132
133[[rule.threat.technique]]
134id = "T1611"
135name = "Escape to Host"
136reference = "https://attack.mitre.org/techniques/T1611/"
137
138[rule.threat.tactic]
139id = "TA0004"
140name = "Privilege Escalation"
141reference = "https://attack.mitre.org/tactics/TA0004/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Container Escape via Kernel core_pattern Modification
This rule detects attempts on Linux to change the kernel’s core dump handler, a setting that can make the host run a program as root when a process crashes. In a container, an attacker can write a pipe-based core_pattern such as a shell script path, then deliberately crash a process so the host executes the handler outside the container, turning container access into full host compromise.
Possible investigation steps
- Verify the current and recent value of
kernel.core_patternon the affected node, prioritizing pipe-based handlers and whether the referenced program lives in a writable, temporary, container-mounted, or otherwise untrusted path. - Reconstruct the full ancestry and session context of the modifying process to determine whether it came from a legitimate admin workflow or from a containerized shell, and identify the associated user, container, image, pod, and privilege level.
- Review the container or pod security context for escape-enabling conditions such as privileged mode, shared host namespaces, hostPath mounts to
/procor the host filesystem, and elevated capabilities that would have allowed changing a host kernel parameter. - Hunt for follow-on exploitation by looking for deliberate crashes, core-dump activity, and new root-owned host processes launched shortly after the change, especially executions from
/tmp, container overlay paths, or bind-mounted locations. - If the activity is not authorized, collect the referenced handler file and related artifacts, assess the host for persistence or lateral movement, and contain the node and implicated workload before restoring
kernel.core_patternto a known-good value.
False positive analysis
- An administrator or approved automation may temporarily change
kernel.core_patternfrom a host shell or privileged container during crash-dump troubleshooting; verify the initiating user and parent process, look for a corresponding maintenance window or change record, and confirm the setting was restored to an approved value afterward. - A legitimate test or debugging workflow may use
sysctl, shell redirection, or file-copy utilities to pointcore_patternto a known crash handler before generating controlled faults; confirm the activity is tied to an expected container or host session, the handler path is trusted, and no unexpected root-owned host processes were launched after the change.
Response and remediation
- Isolate the affected host from the network, cordon and drain the Kubernetes node if applicable, and stop or quarantine the implicated container or pod so the attacker cannot trigger additional core dumps or spawn new host processes.
- Preserve the malicious artifacts for incident handling and then remove the attacker-controlled core dump handler, including any scripts or binaries referenced by
/proc/sys/kernel/core_patternand copies placed in/tmp,/var/tmp, container overlay paths, bind mounts, or other writable locations. - Restore the node to a known-good state by resetting
kernel.core_patternto the approved value, removing unauthorized entries from/etc/sysctl.conf,/etc/sysctl.d/, and startup scripts that would reapply it, and rebuilding the host from a trusted image if host-level execution occurred. - Hunt for and remove persistence added after the escape attempt, including rogue systemd units, cron jobs,
/etc/rc.localchanges, SSHauthorized_keys, newly created sudoers entries, and unauthorized privileged DaemonSets or containers on the node. - Escalate immediately to incident response if the handler executed on the host, if you find root-owned processes launched from a container-writable path such as
/tmpor an overlay mount, or if the samecore_patternchange appears on more than one node. - Rotate any credentials or tokens exposed on the host or mounted into the compromised workload, then harden the environment by blocking privileged pods, removing dangerous capabilities such as
CAP_SYS_ADMIN, prohibiting writablehostPathaccess to/procor the host filesystem, and enforcing pod security or admission policies to prevent recurrence.
References
Related rules
- Kubectl Secrets Enumeration Across All Namespaces
- Kubectl Permission Discovery
- Kubernetes Direct API Request via Curl or Wget
- Docker Socket Enumeration
- Kubectl Apply Pod from URL