
[New Rule] PE through Writable Docker Socket #2958


Merged
merged 6 commits into from
Jul 27, 2023
Merged
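--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2023/07/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by
+default are only be writable by the root user and docker group. Attackers that have permissions to write to these
+sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto
+the host file system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation through Writable Docker Socket"
+references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
+risk_score = 47
+rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+(
+(process.name == "docker" and process.args : "run" and process.args : "-it" and
+process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or
+(process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock"))
+) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"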
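Review bot: The description's sentence `Docker sockets by default are only be writable by the root user and docker group` has a stray `be`; suggest `Docker sockets are by default only writable by the root user and the docker group`. The rule also carries no `false_positives` field, although the query as written will match any non-root member of the docker group who points the CLI at the socket explicitly, which is ordinary administrative use on hosts that rely on the docker group; an entry such as `false_positives = ["Legitimate administrators in the docker group invoking the Docker CLI or socat with an explicit socket address."]` would help triage. Finally, the `process.args : "-it"` clause anchors the docker branch on one exact spelling of the interactive-terminal flags, so detection coverage hinges on that argument form rather than on the socket-path match that the rule is named for; confirm that this restriction is intentional, or consider dropping it and letting the socket-address and non-root conditions carry the logic.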