← Back to Explore
elasticmediumTTP
Potential release_agent Container Escape Detected via Defend for Containers
This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.
Detection Query
file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
file.name == "release_agent" and process.interactive == true and container.id like "*"
Author
Elastic
Created
2023/10/26
Data Sources
Elastic Defend for Containerslogs-cloud_defend.file*
References
- https://blog.aquasec.com/threat-alert-container-escape
- https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged-escape-abusing-existent-release_agent-cve-2022-0492-poc1
Tags
Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
description = """
This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is
a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged
container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent
which could be used for further privilege escalation and container escapes to the host machine.
"""
from = "now-6m"
index = ["logs-cloud_defend.file*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Potential release_agent Container Escape Detected via Defend for Containers"
note = """## Setup
## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Potential release_agent Container Escape Detected via Defend for Containers
In containerized environments, the release_agent file in CGroup directories can execute scripts upon process termination. Adversaries exploit this by modifying the file from privileged containers, potentially escalating privileges or escaping to the host. The detection rule monitors changes to the release_agent file, flagging unauthorized modifications indicative of such exploits.
### Possible investigation steps
- Identify the container from which the modification attempt originated, focusing on whether it has SYS_ADMIN capabilities, which could indicate a privileged container.
- Check the history of the release_agent file for any recent changes or modifications, including timestamps and user accounts involved, to understand the context of the modification.
- Investigate the processes running within the container at the time of the alert to identify any suspicious or unauthorized activities that could be related to privilege escalation attempts.
- Examine the network activity and connections from the container to detect any unusual outbound traffic that might suggest an attempt to communicate with external systems or exfiltrate data.
- Review system logs and audit logs on the host for any signs of unauthorized access or privilege escalation attempts that coincide with the alert timestamp.
- Assess the security posture of the container environment, including the configuration of CGroup directories and permissions, to identify potential vulnerabilities that could be exploited for container escape.
### False positive analysis
- Routine maintenance scripts or system updates may modify the release_agent file without malicious intent. Users can create exceptions for known maintenance activities by identifying the specific processes or scripts involved and excluding them from the rule.
- Automated container management tools might access and modify the release_agent file as part of their normal operations. Users should verify the legitimacy of these tools and whitelist their actions to prevent unnecessary alerts.
- Custom container orchestration solutions could interact with the release_agent file for legitimate reasons. Users should document these interactions and configure the rule to ignore changes made by these trusted solutions.
- Development and testing environments often involve frequent changes to container configurations, including the release_agent file. Users can reduce false positives by setting up separate monitoring profiles for these environments, allowing more lenient detection thresholds.
### Response and remediation
- Immediately isolate the affected container to prevent further unauthorized actions or potential spread to other containers or the host system.
- Revoke SYS_ADMIN capabilities from the container to limit its ability to modify critical system files and directories.
- Conduct a thorough review of the modified release_agent file to identify any malicious scripts or commands that may have been inserted.
- Restore the release_agent file to its original state from a known good backup to ensure no unauthorized scripts are executed.
- Investigate the source of the privilege escalation to determine how the adversary gained SYS_ADMIN capabilities and address any security gaps.
- Escalate the incident to the security operations team for further analysis and to assess the potential impact on the host system.
- Implement additional monitoring and alerting for changes to critical files and directories within privileged containers to enhance detection of similar threats in the future."""
references = [
"https://blog.aquasec.com/threat-alert-container-escape",
"https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/",
"https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged-escape-abusing-existent-release_agent-cve-2022-0492-poc1",
]
risk_score = 47
rule_id = "160896de-b66f-42cb-8fef-20f53a9006ea"
severity = "medium"
tags = [
"Data Source: Elastic Defend for Containers",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
file.name == "release_agent" and process.interactive == true and container.id like "*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"