security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988)

Browse Source 
* [New] Nsenter to PID 1 Namespace via Auditd

we have an existing rule https://github.com/elastic/detection-rules/blob/0f521a0848420844f3af383f1dee8481d41b2e5b/rules/linux/privilege_escalation_docker_escape_via_nsenter.toml#L15 (compatible only with Elastic Defend `process.entry_leader.entry_meta.type == "container"`).

This rule is compatible with the auditd integration and scoped to Init/systemd PID namespace commonly targeted for container escape.

* Create privilege_escalation_nsenter_execution_inside_container.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update rules/linux/privilege_escalation_auditd_nsenter_target_host_pid.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update privilege_escalation_nsenter_execution_inside_container.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Samirbous
2026-05-02 14:56:06 +01:00
committed by GitHub
parent 80f3ed464c
commit 838e926058
2 changed files with 180 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/cloud_defend/privilege_escalation_nsenter_execution_inside_container.toml
+89
View File
@@ -0,0 +1,89 @@
[metadata]
creation_date = "2026/03/31"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/31"
[rule]
author = ["Elastic"]
description = """
Detects nsenter executions from inside a monitored Linux container that include a namespace target flag (-t or
--target). Adversaries abuse nsenter to attach to host or sibling namespaces and escape container isolation when
combined with privileged mounts, exposed PIDs, or shared namespaces.
"""
from = "now-6m"
index = ["logs-cloud_defend.process*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Nsenter Execution with Target Flag Inside Container"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Nsenter Execution with Target Flag Inside Container
This alert flags `nsenter` (by process name or as a process argument) launched from a workload with a non-empty
`container.id`, with `-t` or `--target` present on the command line. That pattern is consistent with entering another
process or namespace context and is a common building block for container escape and host pivoting when prerequisites
such as host PID mounts or excessive capabilities exist.
### Possible investigation steps
- Review the full command line and parent process to see which PID or path was passed to `-t` / `--target`, and whether
additional flags such as `-m`, `-n`, `-p`, `-U`, or `-i` indicate mount, network, PID, user, or IPC namespace joins.
- Map the container image, pod, namespace, and node; confirm whether the workload should ever invoke nsenter or share
namespaces with the host.
- Correlate with file, network, and authentication telemetry from the same container for follow-on access to the
container runtime socket, kubelet paths, SSH material, or cloud instance metadata.
### False positive analysis
- Some troubleshooting images or platform agents may wrap nsenter for diagnostics; verify image provenance, scheduled
maintenance, and approved break-glass procedures before treating as malicious.
### Response and remediation
- If the activity is unauthorized, isolate the pod or node, preserve runtime artifacts, rotate any credentials exposed to
the container, and re-image or replace the node when host integrity is in doubt.
- Reduce recurrence by enforcing least privilege, avoiding host namespace sharing, restricting hostPath and sensitive
mounts, and blocking unnecessary capabilities.
"""
references = [
"https://attack.mitre.org/techniques/T1611/",
"https://man7.org/linux/man-pages/man1/nsenter.1.html",
]
risk_score = 73
rule_id = "39029450-8e2d-4034-81b0-15af8e4e3a4e"
severity = "high"
tags = [
"Data Source: Elastic Defend for Containers",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(process.name == "nsenter" or process.args == "nsenter") and
container.id like "?*" and process.args like ("-t", "--target*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
rules/linux/privilege_escalation_auditd_nsenter_target_host_pid.toml
+91
View File
@@ -0,0 +1,91 @@
[metadata]
creation_date = "2026/04/27"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2026/04/27"
[rule]
author = ["Elastic"]
description = """
Detects nsenter executions that target PID with a namespace target flag, a pattern commonly used to attach to the
host init namespace from a container or session and run with host context.
"""
false_positives = [
"""
Platform engineers may nsenter into PID 1 namespaces during deep node debugging; correlate with tickets and bastion
sessions before escalating.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Nsenter to PID Namespace via Auditd"
note = """## Triage and analysis
### Investigating Nsenter to PID Namespace via Auditd
Review process.args for the full nsenter invocation (target PID, mount, UTS, IPC, net, user namespaces), parent process,
user identity, and host. PID targeting is a strong escape or host-administration signal when unexpected for the actor.
### Possible investigation steps
- Confirm whether the session originated from a container, SSH session, or automation agent.
- Pivot on the same host for subsequent writes under /etc, docker.sock access, or new systemd units.
### False positive analysis
- Some CNI or snap workflows can resemble nsenter; rely on the built-in exclusions first, then tune by parent command
or service account.
### Response and remediation
- If malicious, isolate the host, revoke credentials, inspect for persistence, and re-image if integrity cannot be proven.
"""
references = [
"https://attack.mitre.org/techniques/T1611/",
"https://man7.org/linux/man-pages/man1/nsenter.1.html",
]
risk_score = 73
rule_id = "75f9b95f-370b-4ff3-a84c-66d9ec0b84eb"
setup = """## Setup
Deploy the Auditd Manager integration on Linux hosts that should emit process execution telemetry (Fleet, Integrations,
Auditd Manager, attach to an agent policy).
Ensure syscall rules capture execve for utilities such as nsenter so event.category process and event.action executed
populate with process.name and process.args.
See https://docs.elastic.co/integrations/auditd_manager for integration details.
"""
severity = "high"
tags = [
"Domain: Endpoint",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Auditd Manager",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:linux and
event.category:process and event.action:(executed or exec) and
(process.name:nsenter or process.args:nsenter) and
process.args:((--target* or -t) and not --net=/run/netns/* and not (--assertion and snap) and not (is-active and snap.*))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"