Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Sigma rule

```yaml
title: Container With A hostPath Mount Created
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: test
description: |
  Detects creation of a container with a hostPath mount.
  A hostPath volume mounts a directory or a file from the node to the container.
  Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
references:
  - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
  - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
  - attack.t1611
  - attack.privilege-escalation
logsource:
  category: application
  product: kubernetes
  service: audit
detection:
  selection:
    verb: 'create'
    objectRef.resource: 'pods'
    hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
  condition: selection
falsepositives:
  - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
level: low
```
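To show how the selection above behaves against real audit data, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies the rule's logic to a handful of constructed Kubernetes audit events. It also adds two triage steps that a SOC analyst would want on top of the raw match: distinguishing writable from read-only hostPath mounts, and suppressing the DaemonSet-controller false positive the rule documents. The controller's service-account name (`system:serviceaccount:kube-system:daemon-set-controller`) is the default in upstream Kubernetes and is assumed here; the audit policy is assumed to log pod creations at `Request` or `RequestResponse` level, since otherwise `requestObject` (and thus the `hostPath` field) is absent from the event.

```python
"""Apply the 'Container With A hostPath Mount Created' logic to audit events."""

# Assumed default identity of the DaemonSet controller (see rule's falsepositives).
DAEMONSET_CONTROLLER = "system:serviceaccount:kube-system:daemon-set-controller"

# Constructed sample audit events; only the fields the detection needs are populated.
SAMPLE_EVENTS = [
    {   # Interactive user creates a pod mounting the node root read-write.
        "verb": "create", "user": {"username": "alice@example.org"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
        "requestObject": {"spec": {
            "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
            "containers": [{"name": "shell", "image": "busybox",
                            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}]}},
    },
    {   # DaemonSet controller creating a log shipper in kube-system (documented FP).
        "verb": "create", "user": {"username": DAEMONSET_CONTROLLER},
        "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "log-agent-x7k2"},
        "requestObject": {"spec": {
            "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
            "containers": [{"name": "agent", "image": "log-agent",
                            "volumeMounts": [{"name": "varlog", "mountPath": "/var/log"}]}]}},
    },
    {   # Monitoring pod with a read-only hostPath mount.
        "verb": "create", "user": {"username": "bob@example.org"},
        "objectRef": {"resource": "pods", "namespace": "monitoring", "name": "node-exporter"},
        "requestObject": {"spec": {
            "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
            "containers": [{"name": "exporter", "image": "node-exporter",
                            "volumeMounts": [{"name": "proc", "mountPath": "/host/proc",
                                              "readOnly": True}]}]}},
    },
    {   # Ordinary pod with no hostPath volume at all.
        "verb": "create", "user": {"username": "carol@example.org"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "web"},
        "requestObject": {"spec": {
            "volumes": [{"name": "scratch", "emptyDir": {}}],
            "containers": [{"name": "web", "image": "nginx",
                            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]}]}},
    },
]


def hostpath_volumes(event):
    """Map volume name -> node path for every hostPath volume in the pod spec."""
    spec = event.get("requestObject", {}).get("spec", {})
    return {v["name"]: v["hostPath"].get("path", "")
            for v in spec.get("volumes", []) if "hostPath" in v}


def matches_rule(event):
    """The Sigma selection: verb create, resource pods, any hostPath present."""
    return (event.get("verb") == "create"
            and event.get("objectRef", {}).get("resource") == "pods"
            and bool(hostpath_volumes(event)))


def writable_mounts(event):
    """List (container, node path, mount path) for hostPath mounts not marked readOnly."""
    vols = hostpath_volumes(event)
    spec = event.get("requestObject", {}).get("spec", {})
    found = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in vols and not m.get("readOnly", False):
                found.append((c["name"], vols[m["name"]], m.get("mountPath")))
    return found


def triage(event):
    """Return None (no match), 'benign-daemonset', 'read-only' or 'writable'."""
    if not matches_rule(event):
        return None
    user = event.get("user", {}).get("username", "")
    ns = event.get("objectRef", {}).get("namespace")
    if user == DAEMONSET_CONTROLLER and ns == "kube-system":
        return "benign-daemonset"      # the documented false positive
    return "writable" if writable_mounts(event) else "read-only"


def run(events):
    """Triage a batch of events; returns [(namespace/name, verdict)] for matches only."""
    results = []
    for e in events:
        verdict = triage(e)
        if verdict is not None:
            ref = e["objectRef"]
            results.append((f"{ref.get('namespace')}/{ref.get('name')}", verdict))
    return results


if __name__ == "__main__":
    for name, verdict in run(SAMPLE_EVENTS):
        print(f"{verdict:17} {name}")
```

The `writable` verdict is the one worth paging on: it is the precondition for the chroot escape the description mentions. A `read-only` match still deserves a look because it exposes node files to the container, but it cannot by itself give write access to the node. Suppressing on the controller's identity plus the `kube-system` namespace (rather than the namespace alone) keeps the exclusion narrow, so a human creating a hostPath pod inside `kube-system` still alerts.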