Privileged Container Deployed
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
Sigma rule (View on GitHub)
1title: Privileged Container Deployed
2id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
3status: experimental
4description: |
5 Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
6 A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
7 Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
8references:
9 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
10 - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
11 - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
12 - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
13author: Leo Tsaousis (@laripping)
14date: 2024/03/26
15tags:
16 - attack.t1611
17logsource:
18 category: application
19 product: kubernetes
20 service: audit
21detection:
22 selection:
23 verb: 'create'
24 objectRef.resource: 'pods'
25 capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
26 condition: selection
27falsepositives:
28 - Unknown
29level: low
References
-
Privileged container A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that p...
Read More -
Learn about Kubernetes audit logs finding types in GuardDuty. A Kubernetes finding is a notification that contains details about a potential security issue within a Kubernetes resource that GuardDuty has discovered.
Read More -
Kubernetes Pod Created With HostNetworkedit This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing s...
Read More -
Kubernetes Container Created with Excessive Linux Capabilitiesedit This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to...
Read More