sigma-rules/rules/integrations/cloud_defend at 10b241dcc5bb04bc4bbdbe26702267665ca76a30 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Isai 10b241dcc5 [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241 )

* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

2024-01-05 10:28:24 -05:00

..

container_workload_protection.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_aws_creds_search_inside_a_container.toml

[New Rule] AWS Credentials Searched For Inside a Container (#2887 )

2023-07-17 12:29:02 -04:00

credential_access_collection_sensitive_files_compression_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml

[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837 )

2023-07-17 15:03:24 -04:00

discovery_suspicious_network_tool_launched_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_container_management_binary_launched_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_file_made_executable_via_chmod_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_interactive_exec_to_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_interactive_shell_spawned_from_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_netcat_listener_established_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

initial_access_ssh_connection_established_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

lateral_movement_ssh_process_launched_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_ssh_authorized_keys_modification_inside_a_container.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

[New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241 )

2024-01-05 10:28:24 -05:00

privilege_escalation_mount_launched_inside_a_privileged_container.toml

[New Rule] Mount Launched Inside a Privileged Container (#3245 )

2024-01-05 10:17:55 -05:00

privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml

[New Rule] Potential Container Escape via Modified notify_on_release File (#3244 )

2024-01-04 22:14:39 -05:00

privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml

[New Rule] Potential Container Escape via Modified release_agent File (#3242 )

2024-01-04 21:24:54 -05:00