sigma-rules

Files

T

Isai 5e57d440ed [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241 )

* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 10b241dcc5)

2024-01-05 15:33:00 +00:00

aws

[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221 )

2023-10-24 16:58:20 +00:00

azure

[Security Content] Include "Data Source: Elastic Defend" tag (#3002 )

2023-09-05 18:28:40 +00:00

cloud_defend

[New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241 )

2024-01-05 15:33:00 +00:00

cyberarkpas

[Security Content] Tags Reform (#2725 )