Container With A hostPath Mount Created

Rule Info

Name
Container With A hostPath Mount Created
Author
Leo Tsaousis (@laripping)
Description
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Reference
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
Date
2024-03-26 00:00:00
Modified
None
Id
402b955c-8fe0-4a8c-b635-622b4ac5f902
Tags
attack.t1611 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=402b955c-8fe0-4a8c-b635-622b4ac5f902

Rule History

Author
Title
Date
Commit
Leo Tsaousis
Merge PR #4694 from @LAripping - Add native Kubernetes detections
2024-03-26
0d63f52ff
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022