security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ddbfdfbb1979a526186f89d852f9acca70bb81b
sigma-rules/rules/integrations/cloud_defend
T
History
Samirbous 838e926058 [New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988) 
* [New] Nsenter to PID 1 Namespace via Auditd

we have an existing rule https://github.com/elastic/detection-rules/blob/0f521a0848420844f3af383f1dee8481d41b2e5b/rules/linux/privilege_escalation_docker_escape_via_nsenter.toml#L15 (compatible only with Elastic Defend `process.entry_leader.entry_meta.type == "container"`).

This rule is compatible with the auditd integration and scoped to Init/systemd PID namespace commonly targeted for container escape.

* Create privilege_escalation_nsenter_execution_inside_container.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

* Update rules/linux/privilege_escalation_auditd_nsenter_target_host_pid.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update privilege_escalation_nsenter_execution_inside_container.toml

* Update privilege_escalation_auditd_nsenter_target_host_pid.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-05-02 14:56:06 +01:00
..
command_and_control_curl_socks_proxy_detected_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_interactive_file_download_from_internet.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_tunneling_and_port_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
container_workload_protection.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
credential_access_cloud_creds_search_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files_compression_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_service_account_token_or_cert_read.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_decoded_payload_piped_to_interpreter.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_deletion_of_shell_cmdline_history.toml
[New/Tuning] Misc. New D4C Rules and Tunings (#5692)
2026-02-09 16:58:27 +01:00
defense_evasion_file_creation_execution_deletion_cradle.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_interactive_process_execution_from_suspicious_directory.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_potential_evasion_via_encoded_payload.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dns_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_environment_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubelet_certificate_file_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubelet_pod_discovery_via_builtin_utilities.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_potential_cluster_enumeration_via_jq.toml
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661)
2026-02-04 09:58:42 +01:00
discovery_privilege_boundary_enumeration_from_interactive_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_service_account_namespace_read.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_network_tool_launched_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_tool_enumeration.toml
Add investigation guides (#5630)
2026-01-27 14:28:06 +05:30
execution_container_management_binary_launched_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_direct_interactive_kubernetes_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_interactive_exec_to_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_interactive_file_creation_followed_by_execution.toml
[New/Tuning] Misc. New D4C Rules and Tunings (#5692)
2026-02-09 16:58:27 +01:00
execution_interactive_file_creation_in_system_binary_locations.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_interactive_shell_spawned_from_inside_a_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
execution_kubeletctl_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_netcat_listener_established_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_payload_downloaded_and_piped_to_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potential_direct_kubelet_access_via_process_args.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_interactive_interpreter_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_tool_installation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_process_killing.toml
[New/Tuning] TeamPCP Simulation - New & Tuned Rules (#5812)
2026-03-09 17:03:39 +01:00
persistence_modification_of_persistence_relevant_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_authorized_keys_modification_inside_a_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_echo_or_printf_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_webserver_child_process_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_chroot_execution_detected_inside_container.toml
Monthly Manifest and Schema Updation (#5920)
2026-04-06 17:35:33 +05:30
privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_mount_launched_inside_a_privileged_container.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
privilege_escalation_nsenter_execution_inside_container.toml
[New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988)
2026-05-02 14:56:06 +01:00
privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561)
2026-01-26 16:37:34 +01:00
privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_unshare_namespace_manip.toml
[Tuning/New] Namespace Manipulation Using Unshare (#6024)
2026-05-01 15:29:44 +01:00