From e904ebb760759a95692a5f8982cde1c0ddff1fbd Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 4 Aug 2023 16:39:40 +0200
Subject: [PATCH] [New Rule] PE via Container Misconfiguration (#2983)

* [New Rule] PE via Container Misconfiguration
* fixed boolean comparison unit test error
* Update privilege_escalation_container_util_misconfiguration.toml
* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---
 ...ation_container_util_misconfiguration.toml | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 rules/linux/privilege_escalation_container_util_misconfiguration.toml

diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
new file mode 100644
index 000000000..b6987ec8e
--- /dev/null
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2023/07/31"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/31"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of processes that interact with Linux containers through an interactive shell
+without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact
+with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might
+be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a
+container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via Container Misconfiguration"
+setup = """This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems.
+
+The following steps should be performed in order to enable session data event collection on a Linux system.
+```
+Kibana -->
+Management -->
+Fleet -->
+Agent Policies -->
+Agent Policy with Elastic Defend installed -->
+Elastic Defend integration -->
+Enable the "Collect session data" box under "Event Collection" for "Linux"
+```
+More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.
+"""
+references = [
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation",
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"
+ ]
+risk_score = 47
+rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
+ (process.name == "runc" and process.args == "run") or
+ (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount"))
+) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and
+process.interactive == true and process.parent.interactive == true
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
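Review bot: In `query`, the `ctr` branch accepts `--privileged` and `--mount` only as exact argument values (`process.args in (...)`), so if `ctr` also accepts the joined `--mount=<spec>` spelling that most Go CLI parsers allow, that invocation would not match; `process.args : ("--privileged", "--mount*")` keeps the same intent and tolerates that form. The non-root filter `not user.Ext.real.id == "0" and not group.Ext.real.id == "0"` reads more directly as `user.Ext.real.id != "0" and group.Ext.real.id != "0"`, and as far as I can tell an event lacking those fields does not match in either spelling, so the rule silently depends on Elastic Defend populating them — worth one sentence in `setup`, which currently only covers session data. Minor: the closing `]` of `references` is indented by a space while every other multi-line value in the file closes at column 0.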