IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Appendix Z: Downloadable rule update v8.11.7 Mount Launched Inside a Privileged Container »

› ›

File System Debugger Launched Inside a Privileged Container

edit

File System Debugger Launched Inside a Privileged Container

edit

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine.

Rule type: eql

Rule indices:

logs-cloud_defend*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Data Source: Elastic Defend for Containers
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where event.module == "cloud_defend" and
  event.type == "start" and process.name == "debugfs" and
  process.args : "/dev/sd*" and not process.args == "-R" and
  container.security_context.privileged == true

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Escape to Host
- ID: T1611
- Reference URL: https://attack.mitre.org/techniques/T1611/

« Appendix Z: Downloadable rule update v8.11.7 Mount Launched Inside a Privileged Container »