Container With A hostPath Mount Created

Rule Info

| Field | Value |
| --- | --- |
| Name | Container With A hostPath Mount Created |
| Author | Leo Tsaousis (@laripping) |
| Description | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node. |
| Date | 2024-03-26 00:00:00 |
| Modified | None |
| Id | 402b955c-8fe0-4a8c-b635-622b4ac5f902 |
| Tags | attack.t1611 attack.privilege-escalation |
| Type | Community Rule |
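
An added example, not part of the rule page and not the Sigma rule's own logic: a minimal Python check over Kubernetes audit log lines for the behaviour the description covers, which also reports whether the hostPath volume is mounted writable. It assumes JSON audit events logged at level Request or higher (so that `requestObject` is present); the sample events and the helper names `_pod`, `hostpath_findings` and `scan` are constructed for illustration.

```python
import json

def _pod(user, name, volume, mount):
    """Build one constructed audit.k8s.io/v1 event (not from a real cluster)."""
    return json.dumps({"verb": "create", "user": {"username": user},
        "objectRef": {"resource": "pods", "namespace": "default"},
        "requestObject": {"metadata": {"name": name}, "spec": {
            "volumes": [dict(volume, name="v")],
            "containers": [{"name": "c", "volumeMounts": [dict(mount, name="v")]}]}}})

SAMPLE_LINES = [
    _pod("dev-user", "debug", {"hostPath": {"path": "/"}}, {"mountPath": "/host"}),
    _pod("ci-bot", "logs", {"hostPath": {"path": "/var/log"}}, {"mountPath": "/l", "readOnly": True}),
    _pod("dev-user", "web", {"emptyDir": {}}, {"mountPath": "/tmp"}),
    "not json",
]

def hostpath_findings(event):
    """Return one finding per hostPath volume in a pod-create audit event."""
    ref = event.get("objectRef") or {}
    if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
        return []  # other verbs/resources, and subresources such as pods/exec
    obj = event.get("requestObject") or {}  # absent below audit level Request
    spec = obj.get("spec") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    mounts = [m for c in containers for m in (c.get("volumeMounts") or [])]
    findings = []
    for vol in [v for v in (spec.get("volumes") or []) if v.get("hostPath")]:
        used = [m for m in mounts if m.get("name") == vol.get("name")]
        findings.append({
            "user": (event.get("user") or {}).get("username"),
            "pod": (obj.get("metadata") or {}).get("name"),
            "host_path": vol["hostPath"].get("path"),
            # writable unless every mount of the volume sets readOnly: true
            "writable": any(not m.get("readOnly", False) for m in used)})
    return findings

def scan(lines):
    """Parse JSON audit log lines, skipping unparseable ones."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict):
            findings.extend(hostpath_findings(event))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LINES), sep="\n")
```

Pods created indirectly through a Deployment, DaemonSet or Job carry their volumes under `spec.template.spec` of that resource, so this check, which only looks at direct `pods` creation, does not cover them.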

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| david-syk | Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules | 2025-06-04 | |
| github-actions[bot] | Merge PR #5177 from @nasbench - promote older rules status from `experimental` to `test` | 2025-02-03 | |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| Leo Tsaousis | Merge PR #4694 from @LAripping - Add native Kubernetes detections | 2024-03-26 | |