Privileged Container Deployed

Rule Info

Name
Privileged Container Deployed
Author
Leo Tsaousis (@laripping)
Description
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.
Date
2024-03-26 00:00:00
Modified
None
Id
c5cd1b20-36bb-488d-8c05-486be3d0cb97
Tags
attack.t1611 DEMO
Type
Community Rule
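
The variants listed in the description can be checked directly against a resource specification. The following is an added example, not the Sigma rule's own logic or code from the rule's author; the function names, the DEFAULT_CAPS baseline (assumed here to be the default capability set of common container runtimes) and the sample manifests are constructed for illustration.

```python
# Added example: flag the "privileged" variants named in the rule description.
# DEFAULT_CAPS is an assumption: the default capability set of common runtimes.
DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    template = spec.get("template")
    return (template.get("spec") or {}) if template else spec

def privileged_findings(manifest):
    """List every setting in the manifest that the description calls privileged."""
    spec = pod_spec(manifest)
    findings = [f"spec.{field}=true" for field in ("hostNetwork", "hostPID")
                if spec.get(field) is True]
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(group) or []:
            ctx = c.get("securityContext") or {}
            where = f"{group}[{c.get('name', '?')}]"
            if ctx.get("privileged") is True:
                findings.append(f"{where}.securityContext.privileged=true")
            for cap in (ctx.get("capabilities") or {}).get("add") or []:
                name = cap.upper()
                name = name[4:] if name.startswith("CAP_") else name
                if name not in DEFAULT_CAPS:  # includes "ALL"
                    findings.append(f"{where}.capabilities.add={name}")
    return findings

# Constructed sample manifests (not taken from the page).
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostPID": True,
    "containers": [
        {"name": "agent", "securityContext": {"privileged": True}},
        {"name": "net", "securityContext": {"capabilities": {"add": ["NET_ADMIN", "CHOWN"]}}},
    ]}}}}
BENIGN_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "web", "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}}

if __name__ == "__main__":
    for label, manifest in (("deployment", DEPLOYMENT), ("pod", BENIGN_POD)):
        print(label, privileged_findings(manifest) or "no privileged settings")
```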

Rule History

Author
Leo Tsaousis
Title
Merge PR #4694 from @LAripping - Add native Kubernetes detections
Date
2024-03-26
Commit