diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml new file mode 100644 index 000000000..095cb86cc --- /dev/null +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2023/07/25" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/25" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by +default are only be writable by the root user and docker group. Attackers that have permissions to write to these +sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto +the host file system. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation through Writable Docker Socket" +references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"] +risk_score = 47 +rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +( + (process.name == "docker" and process.args : "run" and process.args : "-it" and + process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or + (process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock")) +) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"