This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
default are only be writable by the root user and docker group. Attackers that have permissions to write to these
sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
the host file system.
This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact
with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might
be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a
container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container.
The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying
the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and
has been used to evade detection of malicious processes in container environments.
This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.
This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec'
command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container.
This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell.
A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data.
This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.
This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container.
The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication.
Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).
Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.
This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside
a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use
it to gain initial access or establish persistence within a compromised environment.
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process.
SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to
other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.
This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.
This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.