From 10b241dcc5bb04bc4bbdbe26702267665ca76a30 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Fri, 5 Jan 2024 10:28:24 -0500
Subject: [PATCH] =?UTF-8?q?[New=20Rule]=20File=20System=20Debugger=20?=
 =?UTF-8?q?=E2=80=98debugfs=E2=80=99=20Launched=20Inside=20a=20Privileged?=
 =?UTF-8?q?=20Container=20(#3241)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...aunched_inside_a_privileged_container.toml | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
new file mode 100644
index 000000000..e0896e5cc
--- /dev/null
+++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml 
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/10/26"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
+file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
+a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
+sensitive host level files which could be used for further privilege escalation and container escapes to the host
+machine.
+"""
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "File System Debugger Launched Inside a Privileged Container"
+references = [
+ "https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q",
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged",
+]
+risk_score = 47
+rule_id = "97697a52-4a76-4f0a-aa4f-25c178aae6eb"
+severity = "medium"
+tags = [
+ "Data Source: Elastic Defend for Containers",
+ "Domain: Container",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.module == "cloud_defend" and
+ event.type == "start" and process.name == "debugfs" and
+ process.args : "/dev/sd*" and not process.args == "-R" and
+ container.security_context.privileged == true
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
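Review bot: The device filter `process.args : "/dev/sd*"` in the query only matches SCSI/SATA-style block device names, so on hosts whose disks appear as NVMe, virtio, Xen or device-mapper nodes the same debugfs launch inside a privileged container produces no alert; widening it to `process.args : ("/dev/sd*", "/dev/nvme*", "/dev/vd*", "/dev/xvd*", "/dev/dm-*", "/dev/mapper/*")` keeps the rule's intent while closing that coverage gap. The `not process.args == "-R"` clause also deserves documentation: it excludes the one-shot `-R request` form of debugfs, and nothing in `description` records the false-positive source that motivated the exclusion, so a later maintainer cannot tell whether it is deliberate. If noise from scripted use is the reason, a sentence in `description` such as `Invocations passing "-R" are excluded to reduce noise from scripted, non-interactive use.` would record it. It would likewise help to state in `description` that, because of the `container.security_context.privileged == true` condition, containers given host block devices by other means are intentionally out of scope for this rule.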