high
advisory
Lateral Movement via Remote Startup Folder Modification
2 rules, 3 TTPs
Adversaries may achieve lateral movement by creating malicious files in remote Windows startup folders via RDP or SMB, leading to code execution upon system reboot or user logon.
m365_defender +4
lateral-movement
persistence
windows
high
advisory
Potential Chroot Container Escape via Mount
2 rules
The rule detects a potential chroot container escape via mount, in which a user inside a container mounts the host's root file system and uses chroot to break out of the containerized environment, indicating a privilege escalation attempt.
Elastic Defend +2
container-escape
privilege-escalation
linux