security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] PE through Writable Docker Socket (#2958)

Browse Source 
* [New Rule] PE through Writable Docker Socket

* simplified query

* Update privilege_escalation_writable_docker_socket.toml

* Update privilege_escalation_writable_docker_socket.toml

* Update rules/linux/privilege_escalation_writable_docker_socket.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-07-27 10:01:29 +02:00
committed by GitHub
parent 0666b594c6
commit bbb24704b6
1 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_writable_docker_socket.toml
+50
View File
@@ -0,0 +1,50 @@
[metadata]
creation_date = "2023/07/25"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/25"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
default are only be writable by the root user and docker group. Attackers that have permissions to write to these
sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
the host file system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation through Writable Docker Socket"
references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
risk_score = 47
rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(
(process.name == "docker" and process.args : "run" and process.args : "-it" and
process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or
(process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock"))
) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"