[metadata] creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/07/31" [rule] author = ["Elastic"] description = """ This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Container Misconfiguration" setup = """This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --> Management --> Fleet --> Agent Policies --> Agent Policy with Elastic Defend installed --> Elastic Defend integration --> Enable the "Collect session data" box under "Event Collection" for "Linux" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security. """ references = [ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" ] risk_score = 47 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( (process.name == "runc" and process.args == "run") or (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount")) ) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and process.interactive == true and process.parent.interactive == true ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/"