Docker Escape via Nsenter

This rule identifies a UID change event performed via nsenter by a process whose entry leader is a container. The nsenter command enters another process's namespaces — the kernel mechanism that isolates a container's processes and resources from the host. An attacker inside a container that can see the host's PID namespace with sufficient privileges (for example a privileged container) can use nsenter to enter the host's namespaces, escaping the container and enabling privilege escalation and lateral movement.


# Rule bookkeeping read by Elastic's detection-rules tooling.
[metadata]
creation_date = "2024/07/10"
# Elastic Defend ("endpoint") is the only integration this rule is built against.
integration = ["endpoint"]
maturity = "production"
# Same as creation_date: the rule has not been revised since it was first added.
updated_date = "2024/07/10"

[rule]
author = ["Elastic"]
description = """
This rule identifies a UID change event via `nsenter`. The `nsenter` command is used to enter a namespace, which is a
way to isolate processes and resources. Attackers can use `nsenter` to escape from a container to the host, which can
lead to privilege escalation and lateral movement.
"""
# Look-back window evaluated on each run.
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Docker Escape via Nsenter"
references = ["https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation"]
risk_score = 47
rule_id = "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
]
# Schedule against ingest time rather than event time so endpoint events that arrive late are still
# evaluated inside the `from` window.
timestamp_override = "event.ingested"
type = "eql"
# Detection logic (single-event EQL, no sequence):
#   * event.type == "change" and event.action == "uid_change": the alert fires on the UID change itself,
#     not on the nsenter process start.
#   * process.entry_leader.entry_meta.type == "container": the session's entry leader is of type
#     container, i.e. the activity originates from inside a container rather than a host shell.
#   * process.args == "nsenter": ECS process.args is an array, so this is true when any argument equals
#     "nsenter"; wrappers such as `sudo nsenter ...` therefore still match.
#   * process.args in ("-t", "--target") and process.args_count >= 4: a target PID was passed as a
#     separate argument and the command line has at least four argv entries (executable included).
# NOTE(review): nsenter also accepts the attached forms `--target=<pid>` and `-t<pid>`, which the
# `in ("-t", "--target")` clause does not match; consider adding `process.args : ("--target=*", "-t?*")`
# if those forms are in scope. Likewise, if Elastic Defend records argv[0] as typed, an invocation by
# full path (`/usr/bin/nsenter`) would not satisfy `process.args == "nsenter"` — confirm, and consider
# pairing with `process.name == "nsenter"`.
# NOTE(review): entering the host's namespaces from a container requires visibility of the host PID
# namespace plus sufficient capabilities (e.g. --privileged / --pid=host). Node agents, CNI plugins and
# debug containers that legitimately run nsenter this way will also match — tune for your environment.
query = '''
process where host.os.type == "linux" and event.type == "change" and event.action == "uid_change" and
process.entry_leader.entry_meta.type == "container" and process.args == "nsenter" and
process.args in ("-t", "--target") and process.args_count >= 4
'''

# MITRE ATT&CK mapping; the technique and tactic sub-tables that follow belong to this element.
[[rule.threat]]
framework = "MITRE ATT&CK"

# Mapped technique; no sub-technique is listed.
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

# Tactic the mapped technique is filed under; matches the "Tactic: Privilege Escalation" tag above.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
