sigma-rules

Files

T

Isai 2ee626a77f [New Rule] Potential Container Escape via Modified release_agent File (#3242 )

* [New Rule] Potential Container Escape via Modified release_agent File

This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0a37df713b)

2024-01-05 02:29:40 +00:00

aws

[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221 )

2023-10-24 16:58:20 +00:00

azure

[Security Content] Include "Data Source: Elastic Defend" tag (#3002 )

2023-09-05 18:28:40 +00:00

cloud_defend

[New Rule] Potential Container Escape via Modified release_agent File (#3242 )

2024-01-05 02:29:40 +00:00

cyberarkpas

[Security Content] Tags Reform (#2725 )