{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/auditd-manager/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["container-escape","privilege-escalation","linux","chroot"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of the \u003ccode\u003echroot\u003c/code\u003e command being executed within a Linux containerized environment. It leverages process execution telemetry from Elastic Defend and Auditd Manager to detect potential container escape attempts. The rule focuses on processes where the name is \u003ccode\u003echroot\u003c/code\u003e or the command-line arguments contain \u003ccode\u003echroot\u003c/code\u003e. Container context is determined by identifying processes with a title matching \u003ccode\u003erunc init\u003c/code\u003e, a container workload entry leader, or \u003ccode\u003erunc\u003c/code\u003e as the parent process. Successful container escapes can allow attackers to gain unauthorized access to the host system. 
The technique is often combined with sensitive host mounts, which are then leveraged after the \u003ccode\u003echroot\u003c/code\u003e to access files and processes outside the container.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a container, potentially through exploiting a vulnerability in the containerized application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies sensitive host mounts within the container\u0026rsquo;s filesystem, such as \u003ccode\u003e/host\u003c/code\u003e, \u003ccode\u003e/proc/1/root\u003c/code\u003e, or other unexpected node paths.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003echroot\u003c/code\u003e command, specifying an alternate root filesystem, typically a host-linked mount.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echroot\u003c/code\u003e command changes the process\u0026rsquo;s root directory to the new root filesystem, so subsequent path lookups resolve there rather than in the container\u0026rsquo;s original environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the new root filesystem to access files, directories, and processes on the host system outside the container\u0026rsquo;s boundaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escalate privileges by exploiting vulnerabilities in host system services or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malware or establish persistence mechanisms on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised host system to pivot to other systems on the network or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful container escape can lead to full compromise of the underlying host system, potentially impacting all containers running on the same host. 
This can enable attackers to access sensitive data, disrupt services, and move laterally within the network. In multi-tenant environments, a container escape can compromise the security of other tenants sharing the same infrastructure. A single successful container escape can lead to a widespread breach impacting numerous systems and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChroot Execution in Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process execution telemetry from Elastic Defend and Auditd Manager on Linux to ensure the required data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the \u003ccode\u003echroot\u003c/code\u003e execution was authorized and the target directory is an internal build root versus a host filesystem mount.\u003c/li\u003e\n\u003cli\u003eMonitor for follow-on shell execution, access to the container runtime socket, or kubelet credential paths, as these are common indicators of container escape attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:45:21Z","date_published":"2026-05-02T12:45:21Z","id":"/briefs/2026-05-chroot-container-escape/","summary":"Detects suspicious chroot execution within a Linux container context, potentially indicating a container escape attempt by pivoting to an alternate root filesystem.","title":"Chroot Execution in Container Context on Linux","url":"https://feed.craftedsignal.io/briefs/2026-05-chroot-container-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","auditd"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies potential privilege escalation attempts 
on Linux systems by monitoring for processes with a root effective user ID (EUID) but a non-root real user ID (RUID), combined with the use of the \u003ccode\u003e-p\u003c/code\u003e flag (commonly used to preserve privileges in shells like bash or dash) and execution from a non-standard path (outside of \u003ccode\u003e/bin\u003c/code\u003e, \u003ccode\u003e/sbin\u003c/code\u003e, \u003ccode\u003e/usr/bin\u003c/code\u003e, etc.). Attackers may copy or link setuid-capable shells or similar helpers into writable locations to regain a root context after local exploitation. This behavior is often associated with post-exploitation activities where attackers attempt to maintain or regain elevated privileges. The rule relies on Auditd data to provide visibility into process execution events and user context. The original rule was published on 2026-04-24 by Elastic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with limited privileges (e.g., through exploiting a vulnerability or using stolen credentials).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a writable directory outside of standard system binary paths (e.g., \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker copies or creates a symbolic link to a setuid-capable shell (e.g., \u003ccode\u003e/bin/bash\u003c/code\u003e, \u003ccode\u003e/bin/dash\u003c/code\u003e) into the identified writable directory. This copied shell retains the setuid bit.\u003c/li\u003e\n\u003cli\u003eAttacker executes the copied or linked shell from the non-standard path with the \u003ccode\u003e-p\u003c/code\u003e flag (e.g., \u003ccode\u003e/tmp/bash -p\u003c/code\u003e). 
The \u003ccode\u003e-p\u003c/code\u003e flag instructs the shell to preserve privileges, effectively running with the effective user ID (EUID) of root.\u003c/li\u003e\n\u003cli\u003eAuditd logs this process execution event, capturing the non-standard path, the use of the \u003ccode\u003e-p\u003c/code\u003e flag, the root EUID, and the non-root RUID.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the process execution event based on the criteria outlined above.\u003c/li\u003e\n\u003cli\u003eAttacker now has a root shell and can perform administrative tasks, install malware, or further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack can grant an attacker complete control over the compromised system. This allows them to access sensitive data, install malicious software, modify system configurations, and potentially pivot to other systems on the network. This can lead to data breaches, system downtime, and significant financial losses.  
The risk score for this type of activity is considered high due to the potential for significant impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Root Effective Shell from Non-Standard Path via Auditd\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure that Auditd Manager or Auditbeat is properly configured to collect process execution events with relevant fields (\u003ccode\u003eevent.action\u003c/code\u003e, \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003euser.effective.id\u003c/code\u003e, \u003ccode\u003eprocess.args\u003c/code\u003e, and \u003ccode\u003eprocess.executable\u003c/code\u003e) as described in the rule setup to enable the rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by inspecting \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.args\u003c/code\u003e, \u003ccode\u003eprocess.parent\u003c/code\u003e, and the full command line reconstructed in audit logs.\u003c/li\u003e\n\u003cli\u003eRegularly audit all setuid binaries on the filesystem to identify any unauthorized or malicious setuid executables.\u003c/li\u003e\n\u003cli\u003eImplement access controls and file integrity monitoring to prevent unauthorized modification of system binaries and writable directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T09:51:29Z","date_published":"2026-05-01T09:51:29Z","id":"/briefs/2024-01-potential-root-effective-shell/","summary":"This rule identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories, indicating potential privilege escalation.","title":"Potential Root Effective 
Shell from Non-Standard Path via Auditd","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-root-effective-shell/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","vulnerability","cve-2026-31431"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eCVE-2026-31431, dubbed Copy Fail, is a Linux kernel vulnerability that allows an attacker to write controlled bytes into the page cache of a readable file by abusing the \u003ccode\u003eauthencesn\u003c/code\u003e AEAD path through AF_ALG and \u003ccode\u003esplice()\u003c/code\u003e. Public exploitation targets setuid-root binaries such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e, then executes the corrupted in-memory copy to gain root. The vulnerability lies in the shared host page cache, making container-originated activity a possible node-compromise attempt. This exploit leverages the AF_ALG interface, which, while uncommon for unprivileged users, may be used in specific environments like kernel crypto testing or HSM integrations. 
Defenders should prioritize patching vulnerable kernels and restricting AF_ALG socket creation for untrusted workloads to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates multiple AF_ALG socket creation events (auditd.data.syscall == \u0026ldquo;socket\u0026rdquo; and auditd.data.a0 == \u0026ldquo;26\u0026rdquo;) or splice operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vulnerability to corrupt the page cache of a setuid-root binary, such as \u003ccode\u003e/usr/bin/su\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the targeted setuid-root binary (e.g., \u003ccode\u003e/usr/bin/su\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the corrupted page cache, the executed binary behaves in an unexpected manner, leading to a privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe process transitions to a root UID, indicating successful privilege escalation.\u003c/li\u003e\n\u003cli\u003eA root shell is spawned, providing the attacker with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions requiring root privileges, such as creating persistence mechanisms or accessing sensitive credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially compromises the entire host or node, especially in containerized environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to privilege escalation, allowing attackers to gain root access on the affected Linux system. This can result in complete system compromise, data exfiltration, and the ability to install malware or create persistent backdoors. In containerized environments, a compromised container can lead to node compromise, affecting other containers running on the same host. 
The vulnerability affects systems running vulnerable kernel versions, potentially impacting a wide range of servers and workstations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Socket Creation Burst\u0026rdquo; to detect initial exploitation attempts based on AF_ALG socket activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket - Privilege Escalation\u0026rdquo; to detect privilege escalation attempts by monitoring executed processes with an effective user ID of root.\u003c/li\u003e\n\u003cli\u003eImmediately patch the kernel with the vendor fix for CVE-2026-31431 to eliminate the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eUntil patching is possible, consider blocking \u003ccode\u003ealgif_aead\u003c/code\u003e module loading or restricting AF_ALG socket creation via seccomp for untrusted workloads.\u003c/li\u003e\n\u003cli\u003eAdd audit rules for \u003ccode\u003esocket\u003c/code\u003e, \u003ccode\u003esplice\u003c/code\u003e, and \u003ccode\u003ebind\u003c/code\u003e events as described in the rule\u0026rsquo;s Setup instructions to ensure comprehensive monitoring of AF_ALG related syscalls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T16:24:01Z","date_published":"2026-04-30T16:24:01Z","id":"/briefs/2024-01-cve-2026-31431-exploitation/","summary":"This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.","title":"Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG 
Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31431-exploitation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd Manager"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","container","auditd","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies instances of \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e being executed from within containers managed by \u003ccode\u003erunc\u003c/code\u003e on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title \u003ccode\u003erunc init\u003c/code\u003e that then execute \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of \u003ccode\u003erunc init\u003c/code\u003e suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. 
The rule specifically leverages Auditd Manager for data collection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a containerized application running on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded tools to further compromise the container or the underlying host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the data exfiltration process using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e to send the staged data to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. 
Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Curl or Wget Execution from Container Context\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Auditd Manager with syscall coverage including \u003ccode\u003eexecve\u003c/code\u003e to capture process execution and arguments within containers, as mentioned in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.\u003c/li\u003e\n\u003cli\u003eBaseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule\u0026rsquo;s false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-curl-wget-container-execution/","summary":"This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.","title":"Curl or Wget Execution from Container Context","url":"https://feed.craftedsignal.io/briefs/2024-01-curl-wget-container-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditd 
Manager"],"_cs_severities":["high"],"_cs_tags":["container","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies a potential privilege escalation vulnerability within container environments utilizing \u003ccode\u003erunc\u003c/code\u003e, the low-level container runtime used by Docker and containerd. The rule focuses on audit events triggered by \u003ccode\u003erunc init\u003c/code\u003e child processes. Specifically, it flags instances where the effective user ID is root (0), while the login user ID is not root. This discrepancy can indicate malicious activity, such as exploiting credential separation or namespace transitions to gain unauthorized root privileges within the container or escape to the host. This is relevant for defenders because a compromised container can lead to host compromise, data exfiltration, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a container with limited privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability within the container to execute code as the \u003ccode\u003erunc init\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunc init\u003c/code\u003e process spawns a child process while retaining a non-root user ID in audit telemetry.\u003c/li\u003e\n\u003cli\u003eThe child process is assigned an effective user ID of 0 (root), bypassing normal permission controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to modify sensitive files or execute commands as root within the container\u0026rsquo;s namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to escape the container by exploiting kernel vulnerabilities or misconfigurations to gain access to the host system.\u003c/li\u003e\n\u003cli\u003eUpon gaining access to the host system, the 
attacker can install malware, steal sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack within a container environment can lead to complete compromise of the container and potentially the host system. This can result in data breaches, service disruptions, and unauthorized access to sensitive resources. The impact is significant because a single compromised container can become a launchpad for attacks against other containers or the underlying infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Privilege Escalation via Runc Init\u0026rdquo; to your SIEM to detect suspicious \u003ccode\u003erunc init\u003c/code\u003e process executions.\u003c/li\u003e\n\u003cli\u003eEnable Linux audit logging via the Auditd Manager integration, ensuring that \u003ccode\u003eexecve\u003c/code\u003e and identity-related fields are captured.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the full audit event details, including process ancestry, user IDs, and container metadata.\u003c/li\u003e\n\u003cli\u003eReview container configurations and security profiles to identify potential misconfigurations that could facilitate privilege escalation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a compromised container.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T14:22:00Z","date_published":"2024-01-05T14:22:00Z","id":"/briefs/2024-01-runc-privilege-escalation/","summary":"Detection of runc init child processes with root effective user and non-root login user ID, indicating potential container privilege escalation.","title":"Potential Privilege Escalation in Container via Runc 
Init","url":"https://feed.craftedsignal.io/briefs/2024-01-runc-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Auditbeat","Auditd Manager","Docker","containerd","kubelet"],"_cs_severities":["medium"],"_cs_tags":["container","privilege-escalation","lateral-movement","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic","Docker","Kubernetes"],"content_html":"\u003cp\u003eThis threat involves unauthorized processes connecting directly to container runtime sockets (Docker or Containerd) on Linux systems. This bypasses Kubernetes API server restrictions, potentially allowing attackers to create, execute, or manipulate containers without proper authorization or logging. The risk lies in attackers circumventing RBAC, admission webhooks, and pod security standards. The attack can start when a compromised process attempts to connect to the Docker or Containerd socket, potentially leading to privilege escalation and lateral movement within the containerized environment. 
This attack is significant because it undermines core security controls within container orchestration platforms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or compromised process gains initial access to the host system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to connect to the container runtime socket (e.g., \u003ccode\u003e/var/run/docker.sock\u003c/code\u003e or \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe process bypasses the Kubernetes API server and associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the direct socket connection to create a new container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive data or resources within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised container.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised container to move laterally to other containers or hosts within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Kubernetes security measures, create unauthorized containers, and potentially gain control over the entire cluster. The observed impact includes privilege escalation, lateral movement, and data exfiltration. 
The severity of this attack depends on the level of access granted to the compromised container and the sensitivity of the data and resources within the cluster.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Auditd Manager to capture network and socket events, specifically monitoring for \u003ccode\u003econnect\u003c/code\u003e calls to Unix sockets as described in the \u003ca href=\"https://docs.elastic.co/integrations/auditd_manager\"\u003eAuditd Manager documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unusual Process Connecting to Docker or Containerd Socket\u0026rdquo; to detect suspicious processes connecting to container runtime sockets, tuning \u003ccode\u003eprocess.executable\u003c/code\u003e and \u003ccode\u003euser.name\u003c/code\u003e for known legitimate processes.\u003c/li\u003e\n\u003cli\u003eMonitor file permissions on the socket paths (\u003ccode\u003e/var/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/run/docker.sock\u003c/code\u003e, \u003ccode\u003e/var/run/containerd/containerd.sock\u003c/code\u003e, \u003ccode\u003e/run/containerd/containerd.sock\u003c/code\u003e) and restrict access to trusted groups only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unusual-container-socket-connection/","summary":"An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.","title":"Unusual Process Connecting to Docker or Containerd Socket","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-container-socket-connection/"}],"language":"en","title":"CraftedSignal Threat Feed — Auditd Manager","version":"https://jsonfeed.org/version/1.1"}