Privileged Docker Container Creation

Elastic Detection Rules

Summary
This detection rule identifies the creation of Docker containers with the `--privileged` flag, an action that can indicate privilege escalation, Docker container escape, or persistence by an attacker. It uses the new_terms rule type with a KQL (Kibana Query Language) query and targets Linux systems, matching process events in which a Docker command is started with that flag. The rule relies on data ingested through Elastic Defend, so the Elastic Agent must be set up to collect process events. Its severity is low, with a risk score of 21: creating privileged containers is not inherently malicious, but it carries substantial risk if left unmonitored. Key investigation steps are confirming that the `--privileged` flag is present in the docker command, checking whether an unusual parent process launched it, and reviewing the user privileges that permitted the action. False positives arise from legitimate administrative use, so known safe instances should be whitelisted while anomalous behaviour continues to be monitored.
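As an added illustration (not Elastic's rule code, which is a KQL new_terms query), the following Python approximates the logic described above over constructed process events: it flags `docker run`/`docker create` commands carrying `--privileged` and, as a new_terms-style signal for the investigation step on unusual parents, marks parent processes that have not launched a privileged container before and are not in an assumed administrative baseline. The ECS-style field names and the `KNOWN_PARENTS` set are assumptions for the example.

```python
"""Approximate the page's detection logic over constructed Linux process
events: flag docker run/create commands carrying --privileged and, as a
new_terms-style signal, mark parent processes not seen before and not in
an assumed admin baseline. Field names follow ECS; the events are
constructed sample data, not real Elastic Defend telemetry."""

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "build01", "user": "ci", "process.name": "docker",
     "process.parent.name": "bash",
     "process.args": ["docker", "run", "--rm", "alpine", "echo", "hi"]},
    {"host": "build01", "user": "ci", "process.name": "docker",
     "process.parent.name": "bash",
     "process.args": ["docker", "run", "--privileged", "-v", "/:/host", "alpine"]},
    {"host": "web02", "user": "www-data", "process.name": "docker",
     "process.parent.name": "python3",
     "process.args": ["docker", "container", "run", "--privileged", "ubuntu"]},
    {"host": "web02", "user": "root", "process.name": "docker",
     "process.parent.name": "bash",
     "process.args": ["docker", "create", "--privileged=true", "nginx"]},
]

# Parent processes an administrator normally launches docker from (assumed).
KNOWN_PARENTS = {"bash", "zsh", "sh", "sudo"}

def is_privileged_docker(event):
    """True for `docker [container] run|create` with --privileged enabled."""
    if event.get("process.name") != "docker":
        return False
    args = list(event.get("process.args", []))[1:]  # drop argv[0]
    if args and args[0] == "container":
        args = args[1:]
    if not args or args[0] not in ("run", "create"):
        return False
    # --privileged=false is the way to turn the boolean flag off, so only
    # the bare flag or an explicit "true" counts as privileged.
    return any(a in ("--privileged", "--privileged=true") for a in args[1:])

def find_privileged_containers(events, known_parents=KNOWN_PARENTS):
    """Return (host, user, parent, unusual_parent) per matching event."""
    seen_parents = set()
    hits = []
    for ev in events:
        if not is_privileged_docker(ev):
            continue
        parent = ev.get("process.parent.name", "")
        # new_terms-style: first time this parent launches a privileged
        # container, and it is not part of the known baseline.
        unusual = parent not in known_parents and parent not in seen_parents
        seen_parents.add(parent)
        hits.append((ev["host"], ev["user"], parent, unusual))
    return hits
```

Running `find_privileged_containers(SAMPLE_EVENTS)` yields three hits, with only the `python3`-launched container marked as having an unusual parent.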
Categories
  • Endpoint
  • Containers
  • Linux
Data Sources
  • Process
  • Container
  • Logon Session
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1609
  • T1611
Created: 2024-07-10