Mount Launched Inside a Privileged Container

edit

Mount Launched Inside a Privileged Container

edit

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container—​a container deployed with all the capabilities of the host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where event.module == "cloud_defend" and  event.type== "start" and
(process.name== "mount" or process.args== "mount") and container.security_context.privileged == true

Framework: MITRE ATT&CKTM