Goal
Detect container escape attacks by correlating multiple indicators of container breakout activity within the same execution context.
Strategy
This correlation rule identifies container escape operations by detecting combinations of the following activity groups:
- Container Breakout Enumeration: Reading container environment files (
/proc/*/status, /proc/*/cgroup, /proc/*/mountinfo, etc.) from processes in the container’s upper layer - Privileged Container: Detects containers starting with
CAP_SYS_ADMIN capability (privileged mode) - Socket Discovery: Searching for container management sockets using
find *.sock - Container Management Abuse: Execution of container management utilities (
docker, kubectl, ctr) or curl requests to management sockets inside a container - Namespace Manipulation: Mounting host file systems, hiding processes using
/proc mounts, or using nsenter/unshare to escape namespaces - Cgroup Escape: Writing to cgroup
release_agent file to execute code on the host - Proc Write Escape: Writing to
/proc/sys/kernel/core_pattern and triggering a coredump for host code execution - Ptrace Escape: Using
ptrace to trace privileged processes or inject code into host processes - Kernel Module Escape: Loading kernel modules from disk or memory to gain kernel-level access
- Evasive Execution: Executing from
/dev/shm, hidden files, newly created files, or using nohup
The rule triggers different severity levels based on the combination of detected activities:
| Case | Severity | Condition |
|---|
| Kernel Module Container Escape | Critical | Enumeration and Kernel Module Loading |
| Core Pattern Container Escape | Critical | Enumeration and /proc/sys/kernel/core_pattern Write |
| Ptrace Host Injection | Critical | Enumeration and Ptrace on Host Processes |
| Cgroup Release Agent Escape | Critical | Enumeration, Privileged Container and release_agent Write |
| Privileged Namespace Escape | High | Enumeration, Privileged Container, and Namespace Manipulation |
| Docker Socket Escape | High | Enumeration, Socket Discovery, and Container Management Abuse |
| Namespace Breakout with Evasion | Medium | Enumeration, Namespace Manipulation, and Evasive Execution |
| Suspicious Container Activity | Medium | Enumeration, Container Management Abuse, and Evasive Execution |
Triage & Response
Assume host compromise: Immediately isolate the affected host and container. Treat the situation as a potential host compromise given the nature of container escape attacks.
Terminate suspicious processes: Identify and stop all processes involved in the escape attempt.
Check container configuration: Review container security settings, capabilities, privileged mode, and mount points for misconfigurations that enabled the attack.
Examine escape techniques: Analyze the specific escape vector used:
- For kernel module escapes: Check loaded modules with
lsmod - For core_pattern escapes: Verify
/proc/sys/kernel/core_pattern contents - For docker socket escapes: Review containers created using the socket
- For ptrace escapes: Identify processes that were traced and injected.
Verify host impact: Check host file system and processes for signs of successful container escape.
Capture forensic evidence: Take memory dumps and system snapshots from both container and host before remediation.
Hunt for additional escapes: Search for other containers attempting similar escape techniques across your environment.
Rebuild with security: Recreate containers with proper security controls, including restricted capabilities, read-only root file systems, and enhanced monitoring.
