sigma-rules

Files

T

Isai db5e1e5cf2 [New Rule] Mount Launched Inside a Privileged Container (#3245 )

* [New Rule] Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

2024-01-05 10:17:55 -05:00

aws

[Rule Tuning] Bump Minimum Stacks for AWS and Okta for Version Control (#3221 )

2023-10-24 12:51:59 -04:00

azure

[Security Content] Include "Data Source: Elastic Defend" tag (#3002 )

2023-09-05 14:22:01 -04:00

beaconing

Update Advanced Analytics config guides (#3302 )

2023-12-13 07:53:41 -08:00

cloud_defend

[New Rule] Mount Launched Inside a Privileged Container (#3245 )