Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.
Sigma rule
```yaml
title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: test
description: |
    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
    Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - Unknown
level: low
```
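The rule above only keys on a pod `create` with a capabilities field present; the following added example (not part of the Sigma rule or the SigmaHQ project) shows a matcher for the same Kubernetes audit events that reports each variant the description lists (securityContext.privileged, added capabilities, hostNetwork/hostPID) and additionally hostIPC. The audit event and pod spec are constructed samples, and the code assumes the audit policy logs `requestObject` (Request or RequestResponse level).

```python
import json

# Constructed sample audit event (JSON line), not a real capture: one pod
# create whose container asks for privileged mode and an added capability.
SAMPLE_AUDIT_LINE = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
    "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
    "requestObject": {"spec": {
        "hostPID": False, "hostNetwork": False,
        "containers": [{
            "name": "dbg", "image": "busybox",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    }},
})


def privileged_indicators(event: dict) -> list[str]:
    """Return the 'privileged' traits found in one pod-create audit event.

    Covers the variants the rule description names (securityContext.privileged,
    added Linux capabilities, hostNetwork/hostPID) plus hostIPC. requestObject
    is only logged when the audit policy level is Request or RequestResponse;
    a Metadata-level event therefore yields no hits and must not be read as
    proof that the pod was unprivileged.
    """
    if event.get("verb") != "create":
        return []
    if event.get("objectRef", {}).get("resource") != "pods":
        return []
    spec = event.get("requestObject", {}).get("spec", {})
    hits = [f for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    # initContainers can request the same privileges as regular containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            hits.append(f"{c['name']}:privileged")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            hits.append(f"{c['name']}:CAP_{cap}")
    return hits


def scan_audit_lines(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the matcher over JSON-lines audit log text; keep only matches."""
    findings = []
    for line in lines:
        event = json.loads(line)
        hits = privileged_indicators(event)
        if hits:
            findings.append((event["objectRef"].get("name", "?"), hits))
    return findings
```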