Container escape attack

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1609-container-administration-command

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect container escape attacks by correlating multiple indicators of container breakout activity within the same execution context.

Strategy

This correlation rule identifies container escape operations by detecting combinations of the following activity groups:

  • Container Breakout Enumeration: Reading container environment files (/proc/*/status, /proc/*/cgroup, /proc/*/mountinfo, etc.) from processes in the container’s upper layer
  • Privileged Container: Detects containers starting with CAP_SYS_ADMIN capability (privileged mode)
  • Socket Discovery: Searching for container management sockets using find *.sock
  • Container Management Abuse: Execution of container management utilities (docker, kubectl, ctr) or curl requests to management sockets inside a container
  • Namespace Manipulation: Mounting host file systems, hiding processes using /proc mounts, or using nsenter/unshare to escape namespaces
  • Cgroup Escape: Writing to cgroup release_agent file to execute code on the host
  • Proc Write Escape: Writing to /proc/sys/kernel/core_pattern and triggering a coredump for host code execution
  • Ptrace Escape: Using ptrace to trace privileged processes or inject code into host processes
  • Kernel Module Escape: Loading kernel modules from disk or memory to gain kernel-level access
  • Evasive Execution: Executing from /dev/shm, hidden files, newly created files, or using nohup

The rule triggers different severity levels based on the combination of detected activities:

CaseSeverityCondition
Kernel Module Container EscapeCriticalEnumeration and Kernel Module Loading
Core Pattern Container EscapeCriticalEnumeration and /proc/sys/kernel/core_pattern Write
Ptrace Host InjectionCriticalEnumeration and Ptrace on Host Processes
Cgroup Release Agent EscapeCriticalEnumeration, Privileged Container and release_agent Write
Privileged Namespace EscapeHighEnumeration, Privileged Container, and Namespace Manipulation
Docker Socket EscapeHighEnumeration, Socket Discovery, and Container Management Abuse
Namespace Breakout with EvasionMediumEnumeration, Namespace Manipulation, and Evasive Execution
Suspicious Container ActivityMediumEnumeration, Container Management Abuse, and Evasive Execution

Triage & Response

  1. Assume host compromise: Immediately isolate the affected host and container. Treat the situation as a potential host compromise given the nature of container escape attacks.

  2. Terminate suspicious processes: Identify and stop all processes involved in the escape attempt.

  3. Check container configuration: Review container security settings, capabilities, privileged mode, and mount points for misconfigurations that enabled the attack.

  4. Examine escape techniques: Analyze the specific escape vector used:

    • For kernel module escapes: Check loaded modules with lsmod
    • For core_pattern escapes: Verify /proc/sys/kernel/core_pattern contents
    • For docker socket escapes: Review containers created using the socket
    • For ptrace escapes: Identify processes that were traced and injected.

  5. Verify host impact: Check host file system and processes for signs of successful container escape.

  6. Capture forensic evidence: Take memory dumps and system snapshots from both container and host before remediation.

  7. Hunt for additional escapes: Search for other containers attempting similar escape techniques across your environment.

  8. Rebuild with security: Recreate containers with proper security controls, including restricted capabilities, read-only root file systems, and enhanced monitoring.