Potential Privilege Escalation via Container Misconfiguration

This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/07/31"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/07/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the execution of processes that interact with Linux containers through an interactive shell 
13without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact 
14with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might 
15be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a 
16container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Privilege Escalation via Container Misconfiguration"
23setup = """This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems.  
24
25The following steps should be performed in order to enable session data event collection on a Linux system. 

Kibana --> Management --> Fleet --> Agent Policies --> Agent Policy with Elastic Defend installed --> Elastic Defend integration --> Enable the "Collect session data" box under "Event Collection" for "Linux"

 1More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.
 2"""
 3references = [
 4    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation",
 5    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
 6    ]
 7risk_score = 47
 8rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
 9severity = "medium"
10tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
11timestamp_override = "event.ingested"
12type = "eql"
13query = '''
14process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
15  (process.name == "runc" and process.args == "run") or
16  (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount"))
17) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and 
18process.interactive == true and process.parent.interactive == true
19'''
20
21[[rule.threat]]
22framework = "MITRE ATT&CK"
23
24[[rule.threat.technique]]
25id = "T1611"
26name = "Escape to Host"
27reference = "https://attack.mitre.org/techniques/T1611/"
28
29[rule.threat.tactic]
30id = "TA0004"
31name = "Privilege Escalation"
32reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top