File System Debugger Launched Inside a Privileged Container
editFile System Debugger Launched Inside a Privileged Container
editThis rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine.
Rule type: eql
Rule indices:
- logs-cloud_defend*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Data Source: Elastic Defend for Containers
- Domain: Container
- OS: Linux
- Use Case: Threat Detection
- Tactic: Privilege Escalation
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.module == "cloud_defend" and event.type == "start" and process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and container.security_context.privileged == true
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Escape to Host
- ID: T1611
- Reference URL: https://attack.mitre.org/techniques/T1611/