This PR adds two rules to extend coverage on Docker.
Egress Connection from Entrypoint in Container
This rule identifies a sequence of events where a process named entrypoint.sh is started in a container, followed by a network connection attempt. This sequence indicates a potential egress connection from an entrypoint in a container. An entrypoint is a command or script specified in the Dockerfile and executed when the container starts. Attackers can use this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.
0 hits in telemetry last 90d, only TPs in my testing stack.
Docker Escape via Nsenter
This rule identifies a UID change event via nsenter. The nsenter command is used to enter a namespace, which is a way to isolate processes and resources. Attackers can use nsenter to escape from a container to the host, which can lead to privilege escalation and lateral movement.
0 hits in telemetry last 7 days, only TPs (when removing cidr_match due to private IP testing):