security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
187091ef23091e5b83cdc1c179c3b34a9d48f811
sigma-rules/rules/integrations/cloud_defend
T
History
Isai 187091ef23 [New Rule] Mount Launched Inside a Privileged Container (#3245) 
* [New Rule] Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit db5e1e5cf2)
2024-01-05 15:22:28 +00:00
..
container_workload_protection.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_aws_creds_search_inside_a_container.toml
[New Rule] AWS Credentials Searched For Inside a Container (#2887)
2023-07-17 12:29:02 -04:00
credential_access_collection_sensitive_files_compression_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837)
2023-07-17 15:03:24 -04:00
discovery_suspicious_network_tool_launched_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_container_management_binary_launched_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_file_made_executable_via_chmod_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_interactive_exec_to_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_interactive_shell_spawned_from_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_netcat_listener_established_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_ssh_connection_established_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
lateral_movement_ssh_process_launched_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_ssh_authorized_keys_modification_inside_a_container.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
privilege_escalation_mount_launched_inside_a_privileged_container.toml
[New Rule] Mount Launched Inside a Privileged Container (#3245)
2024-01-05 15:22:28 +00:00
privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
[New Rule] Potential Container Escape via Modified notify_on_release File (#3244)
2024-01-05 03:19:15 +00:00
privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
[New Rule] Potential Container Escape via Modified release_agent File (#3242)
2024-01-05 02:29:40 +00:00