Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Sigma rule (View on GitHub)
1title: Container With A hostPath Mount Created
2id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
3status: experimental
4description: |
5 Detects creation of a container with a hostPath mount.
6 A hostPath volume mounts a directory or a file from the node to the container.
7 Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
8references:
9 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
10 - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
11author: Leo Tsaousis (@laripping)
12date: 2024/03/26
13tags:
14 - attack.t1611
15logsource:
16 category: application
17 product: kubernetes
18 service: audit
19detection:
20 selection:
21 verb: 'create'
22 objectRef.resource: 'pods'
23 hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
24 condition: selection
25falsepositives:
26 - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
27level: low
References
-
Writable hostPath mount hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a wr...
Read More -
