[metadata]
creation_date = "2023/07/25"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/25"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by 
default are only be writable by the root user and docker group. Attackers that have permissions to write to these 
sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto 
the host file system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation through Writable Docker Socket"
references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
risk_score = 47
rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
(
  (process.name == "docker" and process.args : "run" and process.args : "-it"  and 
   process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or 
  (process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock"))
) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"