Skip to content

Commit bbb2470

Browse files
Aegrahw0rk3r
Aegrah
and
w0rk3r
authored
[New Rule] PE through Writable Docker Socket (#2958)
* [New Rule] PE through Writable Docker Socket * simplified query * Update privilege_escalation_writable_docker_socket.toml * Update privilege_escalation_writable_docker_socket.toml * Update rules/linux/privilege_escalation_writable_docker_socket.toml Co-authored-by: Jonhnathan <[email protected]> --------- Co-authored-by: Jonhnathan <[email protected]>
1 parent 0666b59 commit bbb2470

File tree

1 file changed

+50
-0
lines changed

1 file changed

+50
-0
lines changed

rules/linux/privilege_escalation_writable_docker_socket.toml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
[metadata]
2+
creation_date = "2023/07/25"
3+
integration = ["endpoint"]
4+
maturity = "production"
5+
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6+
min_stack_version = "8.3.0"
7+
updated_date = "2023/07/25"
8+
9+
[rule]
10+
author = ["Elastic"]
11+
description = """
12+
This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
13+
default are only be writable by the root user and docker group. Attackers that have permissions to write to these
14+
sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
15+
the host file system.
16+
"""
17+
from = "now-9m"
18+
index = ["logs-endpoint.events.*"]
19+
language = "eql"
20+
license = "Elastic License v2"
21+
name = "Potential Privilege Escalation through Writable Docker Socket"
22+
references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
23+
risk_score = 47
24+
rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
25+
severity = "medium"
26+
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
27+
timestamp_override = "event.ingested"
28+
type = "eql"
29+
30+
query = '''
31+
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
32+
(
33+
(process.name == "docker" and process.args : "run" and process.args : "-it" and
34+
process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or
35+
(process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock"))
36+
) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0"
37+
'''
38+
39+
[[rule.threat]]
40+
framework = "MITRE ATT&CK"
41+
42+
[[rule.threat.technique]]
43+
id = "T1611"
44+
name = "Escape to Host"
45+
reference = "https://attack.mitre.org/techniques/T1611/"
46+
47+
[rule.threat.tactic]
48+
id = "TA0004"
49+
name = "Privilege Escalation"
50+
reference = "https://attack.mitre.org/tactics/TA0004/"

0 commit comments

Comments
 (0)