{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/elastic-defend-for-containers/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend for Containers"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","container-escape","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe \u003ccode\u003eunshare\u003c/code\u003e command in Linux is used to create new namespaces, isolating processes from the rest of the system. This isolation is crucial for containerization and security. However, attackers can exploit \u003ccode\u003eunshare\u003c/code\u003e to break out of containers or elevate privileges by creating namespaces that bypass security controls. This activity has been observed in containerized environments where threat actors attempt to gain unauthorized access to the host system or escalate their privileges within the container. The detection rule identifies suspicious \u003ccode\u003eunshare\u003c/code\u003e executions by monitoring process starts, filtering out benign parent processes, and focusing on unusual usage patterns, thus highlighting potential misuse. The rule covers activity starting from Elastic Defend for Containers version 9.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA containerized process is compromised, potentially through an initial exploit or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eunshare\u003c/code\u003e command within the container.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eunshare\u003c/code\u003e is used to create new namespaces, isolating the attacker\u0026rsquo;s process from the container\u0026rsquo;s limitations.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates these namespaces to gain access to resources outside the container.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escape the container by leveraging the newly created namespaces.\u003c/li\u003e\n\u003cli\u003eUpon successful escape, the attacker gains access to the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges on the host, potentially exploiting vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control over the host system, allowing for data exfiltration, system compromise, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to container escape, allowing attackers to gain unauthorized access to the host system. This can result in privilege escalation, data exfiltration, and complete system compromise. The rule aims to detect and prevent such attacks by identifying suspicious usage of the \u003ccode\u003eunshare\u003c/code\u003e command, helping to maintain the integrity and security of containerized environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eunshare\u003c/code\u003e executions within containers and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of \u003ccode\u003eunshare\u003c/code\u003e by system management tools like \u003ccode\u003eudevadm\u003c/code\u003e and \u003ccode\u003esystemd-udevd\u003c/code\u003e to reduce false positives, as mentioned in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for unusual \u003ccode\u003eunshare\u003c/code\u003e usage patterns to enhance detection capabilities and prevent future occurrences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-unshare-container-escape/","summary":"The rule identifies suspicious usage of unshare to manipulate system namespaces, which can be utilized to escalate privileges or escape container security boundaries.","title":"Suspicious Unshare Usage for Container Escape and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-unshare-container-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Elastic Defend for Containers","version":"https://jsonfeed.org/version/1.1"}