security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4233fef23895302a7f3e1e35628cbecef8a263f7
sigma-rules/rules/linux/privilege_escalation_writable_docker_socket.toml
T
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00

51 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/25"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/25"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
default are only be writable by the root user and docker group. Attackers that have permissions to write to these
sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
the host file system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation through Writable Docker Socket"
references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
risk_score = 47
rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(
(process.name == "docker" and process.args : "run" and process.args : "-it" and
process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or
(process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock"))
) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink