sigma-rules

Files

T

Isai 10b241dcc5 [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241 )

* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

2024-01-05 10:28:24 -05:00

aws

[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221 )

2023-10-24 12:51:59 -04:00

azure

[Security Content] Include "Data Source: Elastic Defend" tag (#3002 )

2023-09-05 14:22:01 -04:00

beaconing

Update Advanced Analytics config guides (#3302 )

2023-12-13 07:53:41 -08:00

cloud_defend

[New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241 )