Docker Escape via Nsenter
This rule identifies a UID change event via nsenter. The nsenter command is used to enter a namespace, which is a way to isolate processes and resources. Attackers can use nsenter to escape from a container to the host, which can lead to privilege escalation and lateral movement.
Elastic rule
[metadata]
creation_date = "2024/07/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/10"

[rule]
author = ["Elastic"]
description = """
This rule identifies a UID change event via `nsenter`. The `nsenter` command is used to enter a namespace, which is a
way to isolate processes and resources. Attackers can use `nsenter` to escape from a container to the host, which can
lead to privilege escalation and lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Docker Escape via Nsenter"
references = ["https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation"]
risk_score = 47
rule_id = "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "change" and event.action == "uid_change" and
process.entry_leader.entry_meta.type == "container" and process.args == "nsenter" and
process.args in ("-t", "--target") and process.args_count >= 4
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
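To make the query's clauses concrete, the following is an added Python re-implementation of the rule's EQL conditions run over constructed ECS-style process events. It is not code from Elastic or the detection-rules repository; the event documents, their names and the `_get`/`_as_list`/`matches_nsenter_escape` helpers are assumptions made for this illustration. It shows that the rule fires only on the uid_change event of an nsenter invocation whose entry leader is a container, and stays quiet on the same command run from a host session, on a short `nsenter --help`, and on the plain exec event that precedes the UID change.

```python
# Added example, not part of the Elastic rule or the detection-rules repository:
# a Python re-implementation of the rule's EQL clauses, run over constructed
# ECS-style process events so a defender can see what does and does not match.
from typing import Any, Dict, List


def _get(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted ECS field path ('process.entry_leader.entry_meta.type')
    through nested dicts, returning `default` when any segment is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _as_list(value: Any) -> List[Any]:
    """ECS keyword fields may be a scalar or an array. EQL '==' against an
    array field is true when any element equals the value, so normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_nsenter_escape(event: Dict[str, Any]) -> bool:
    """True when the event satisfies every clause of the rule's EQL query:

        process where host.os.type == "linux" and event.type == "change" and
          event.action == "uid_change" and
          process.entry_leader.entry_meta.type == "container" and
          process.args == "nsenter" and process.args in ("-t", "--target") and
          process.args_count >= 4
    """
    args = _as_list(_get(event, "process.args"))
    args_count = _get(event, "process.args_count", len(args))
    return (
        "process" in _as_list(_get(event, "event.category"))  # 'process where'
        and _get(event, "host.os.type") == "linux"
        and "change" in _as_list(_get(event, "event.type"))
        and _get(event, "event.action") == "uid_change"
        and _get(event, "process.entry_leader.entry_meta.type") == "container"
        and "nsenter" in args
        and any(a in ("-t", "--target") for a in args)
        and args_count >= 4
    )


def _event(name: str, action: str, leader_type: str, args: List[str],
           event_type: str = "change") -> Dict[str, Any]:
    """Build a constructed ECS-style process event (sample data, not telemetry)."""
    return {
        "name": name,
        "event": {"category": ["process"], "type": [event_type], "action": action},
        "host": {"os": {"type": "linux"}},
        "process": {
            "args": args,
            "args_count": len(args),
            "entry_leader": {"entry_meta": {"type": leader_type}},
        },
    }


# Constructed sample events: one that should alert, three that should not.
SAMPLE_EVENTS = [
    _event("container-nsenter-uid-change", "uid_change", "container",
           ["nsenter", "-t", "1", "--all"]),
    # Same command from an interactive host session (entry leader is not a
    # container; "terminal" is a constructed value for this illustration).
    _event("host-session-nsenter", "uid_change", "terminal",
           ["nsenter", "--target", "1", "--all"]),
    # Too few arguments and no target flag.
    _event("container-nsenter-help", "uid_change", "container",
           ["nsenter", "--help"]),
    # The exec/start event itself; the rule keys on the later uid_change.
    _event("container-nsenter-exec-only", "exec", "container",
           ["nsenter", "-t", "1", "--all"], event_type="start"),
]


def alerting_events(events: List[Dict[str, Any]]) -> List[str]:
    """Names of the events the rule would alert on."""
    return [e["name"] for e in events if matches_nsenter_escape(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_nsenter_escape(e) else "no match"
        print(f"{e['name']:32s} -> {verdict}")
```

Note that the `process.entry_leader.entry_meta.type == "container"` clause is what separates an administrator running nsenter on the host from a process tree rooted inside a container; if that enrichment is missing from an event, the rule cannot match, so tuning or triage should start by confirming the entry leader metadata is populated.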
References
- https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation
Related rules
- Potential Chroot Container Escape via Mount
- Potential Privilege Escalation through Writable Docker Socket
- Potential Privilege Escalation via Container Misconfiguration
- Egress Connection from Entrypoint in Container
- Process Capability Set via setcap Utility