
Summary
A Linux-specific EQL detection rule that flags potential container escapes by abuse of the kernel core_pattern mechanism. The rule triggers on process start events on Linux hosts when the process attempts to read or write /proc/sys/kernel/core_pattern (or kernel.core_pattern) via CLI actions. It detects common attacker techniques that push a handler into the host namespace by writing a new core_pattern, including using tee, cp, mv, or dd to modify the file, or using wrappers like sysctl -w core_pattern to set the value. It also covers shell-based attempts to echo or printf into core_pattern (with shells such as bash, dash, sh, zsh, etc.) when invoked with appropriate flags. The rule requires a non-null parent process and excludes a small set of legitimate parent executables (e.g., systemd, kdumpctl, abrtd, apport) to reduce false positives. By correlating a process start with these core_pattern modification patterns, it aims to detect attempts to register an attacker-controlled handler that the kernel would execute in the host namespace on the next core dump, enabling container-to-host escapes. In addition to host-OS-level indicators, the rule aligns with container context (containerized workloads) and maps to MITRE ATT&CK technique T1611 (Escape to Host) under Privilege Escalation (TA0004). This logic makes it suitable for environments using Elastic Defend, Auditd Manager, CrowdStrike, SentinelOne Cloud Funnel, and Cloud Defend integrations across Linux endpoints and container deployments.
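The following is an added example, not the rule's own EQL query and not code from the detection-rule project. It re-implements the matching logic the summary describes (process start, non-null parent, excluded parent names, core_pattern reference in the command line, the tee/cp/mv/dd, sysctl -w and shell echo/printf patterns) in Python over a handful of constructed process-start events, so a detection engineer can see which events the described conditions would and would not flag. The event shape, the ProcessEvent fields, the SAMPLE_EVENTS and the "|/tmp/handler" value are assumptions made for this example; the zsh/dash/sh/bash shell set and the four excluded parents come from the summary.

```python
"""Emulates the core_pattern tamper conditions from the rule summary on constructed events."""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from typing import Optional

# Paths/keys the rule keys on (from the summary).
CORE_PATTERN_REFS = ("/proc/sys/kernel/core_pattern", "kernel.core_pattern")
# Utilities commonly used to overwrite the file (from the summary).
FILE_WRITERS = {"tee", "cp", "mv", "dd"}
# Shells whose -c payload may echo/printf into the file (from the summary).
SHELLS = {"bash", "dash", "sh", "zsh"}
# Legitimate parents the rule excludes to cut false positives (from the summary).
EXCLUDED_PARENTS = {"systemd", "kdumpctl", "abrtd", "apport"}


@dataclass
class ProcessEvent:
    """Assumed minimal event shape; real telemetry carries many more fields."""
    action: str                 # e.g. "start"
    command_line: str           # full command line of the new process
    parent_name: Optional[str]  # None models a missing (null) parent


def _references_core_pattern(args: list[str]) -> bool:
    """True if any argument mentions the core_pattern path or sysctl key."""
    return any(ref in arg for arg in args for ref in CORE_PATTERN_REFS)


def is_core_pattern_tamper(ev: ProcessEvent) -> bool:
    """Return True when the event matches the write patterns the summary describes."""
    if ev.action != "start" or ev.parent_name is None:
        return False                      # rule requires a process start with a non-null parent
    if ev.parent_name in EXCLUDED_PARENTS:
        return False                      # known-legitimate writers are excluded
    try:
        args = shlex.split(ev.command_line)
    except ValueError:
        return False                      # unbalanced quotes: unparseable, not a hit
    if not args or not _references_core_pattern(args):
        return False
    name = args[0].rsplit("/", 1)[-1]     # strip any directory prefix from the executable
    if name in FILE_WRITERS:
        return True                       # tee/cp/mv/dd aimed at core_pattern
    if name == "sysctl" and "-w" in args[1:]:
        return True                       # sysctl -w kernel.core_pattern=...
    if name in SHELLS and "-c" in args[1:]:
        idx = args.index("-c") + 1        # -c takes exactly one command string
        if idx < len(args):
            try:
                tokens = shlex.split(args[idx])
            except ValueError:
                return False
            return "echo" in tokens or "printf" in tokens
    return False


def flag_events(events: list[ProcessEvent]) -> list[int]:
    """Indices of events the emulated rule would flag."""
    return [i for i, ev in enumerate(events) if is_core_pattern_tamper(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("start", "tee /proc/sys/kernel/core_pattern", "bash"),                              # hit: tee
    ProcessEvent("start", "sysctl -w kernel.core_pattern=|/tmp/handler", "sh"),                      # hit: sysctl -w
    ProcessEvent("start", "bash -c \"echo '|/tmp/handler' > /proc/sys/kernel/core_pattern\"",
                 "containerd-shim"),                                                                 # hit: shell echo
    ProcessEvent("start", "dd if=/tmp/pattern of=/proc/sys/kernel/core_pattern", None),              # miss: null parent
    ProcessEvent("start", "tee /proc/sys/kernel/core_pattern", "kdumpctl"),                          # miss: excluded parent
    ProcessEvent("start", "cat /proc/sys/kernel/core_pattern", "bash"),                              # miss: not a write pattern
    ProcessEvent("start", "sysctl -w net.ipv4.ip_forward=1", "bash"),                                # miss: unrelated key
]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print(f"flagged[{i}]: {SAMPLE_EVENTS[i].command_line} (parent={SAMPLE_EVENTS[i].parent_name})")
```

Running it flags the first three events and skips the rest, which mirrors the summary's exclusions: a missing parent, an allow-listed parent, a plain read, and a sysctl write to an unrelated key. The substring match on kernel.core_pattern is deliberately loose so that sysctl argument forms such as key=value are caught; in a production EQL rule the equivalent is a wildcard match on process.args, and the tuning question is whether additional image-build or crash-reporting parents should join the exclusion list for a given fleet.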
Categories
- Endpoint
- Containers
- Linux
- Kubernetes
Data Sources
- Process
- Kernel
- File
ATT&CK Techniques
- T1611
Created: 2026-07-02