security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] PE via Container Misconfiguration (#2983)

Browse Source 
* [New Rule] PE via Container Misconfiguration

* fixed boolean comparison unit test error

* Update privilege_escalation_container_util_misconfiguration.toml

* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-08-04 16:39:40 +02:00
committed by GitHub
parent ef49709c7d
commit e904ebb760
1 changed files with 66 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_container_util_misconfiguration.toml
+66
View File
@@ -0,0 +1,66 @@
[metadata]
creation_date = "2023/07/31"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact
with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might
be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a
container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via Container Misconfiguration"
setup = """This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems.
The following steps should be performed in order to enable session data event collection on a Linux system.
```
Kibana -->
Management -->
Fleet -->
Agent Policies -->
Agent Policy with Elastic Defend installed -->
Elastic Defend integration -->
Enable the "Collect session data" box under "Event Collection" for "Linux"
```
More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.
"""
references = [
"https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation",
"https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
]
risk_score = 47
rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
(process.name == "runc" and process.args == "run") or
(process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount"))
) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and
process.interactive == true and process.parent.interactive == true
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"