T1611

Escape to Host

Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape from a container to a host enviro...

Platforms: Windows, Linux, Containers, ESXi

28 detections, 3 sources, 1 threat actor

BY SOURCE

24 elastic, 2 sigma, 2 splunk_escu

PROCEDURES (16)

All procedure groups below are auto-extracted from the detections listed on this page.

Privilege: 6 detections
Privilege: 5 detections
General Monitoring: 3 detections
Lateral: 2 detections
Process Creation Monitoring: 1 detection
Bypass: 1 detection
Privilege: 1 detection
Lateral: 1 detection
Suspicious: 1 detection
Suspicious: 1 detection
Privilege: 1 detection
Lateral: 1 detection
Api: 1 detection
Api: 1 detection
Persist: 1 detection
Bypass: 1 detection

THREAT ACTORS (1)

DETECTIONS (28)

Each entry is listed as: detection name (source, severity where given).

Chroot Execution Detected via Defend for Containers (elastic, low)
Cisco Isovalent - Potential Escape to Host (splunk_escu)
Container With A hostPath Mount Created (sigma, low)
DebugFS Execution Detected via Defend for Containers (elastic, medium)
Docker Release File Creation (elastic, low)
Egress Connection from Entrypoint in Container (elastic, medium)
File System Debugger Launched Inside a Container (elastic, medium)
Kernel Load or Unload via Kexec Detected (elastic, medium)
Kubernetes Container Created with Excessive Linux Capabilities (elastic, medium)
Kubernetes Pod Created with a Sensitive hostPath Volume (elastic, medium)
Kubernetes Pod Created With HostIPC (elastic, medium)
Kubernetes Pod Created With HostNetwork (elastic, medium)
Kubernetes Pod Created With HostPID (elastic, medium)
Kubernetes Privileged Pod Created (elastic, medium)
Linux Docker Root Directory Mount (splunk_escu)
Mount Execution Detected via Defend for Containers (elastic, low)
Mount Launched Inside a Container (elastic, medium)
Namespace Manipulation Using Unshare (elastic, medium)
Pod or Container Creation with Suspicious Command-Line (elastic, medium)
Potential Chroot Container Escape via Mount (elastic, medium)
Potential Docker Escape via Nsenter (elastic, medium)
Potential notify_on_release Container Escape Detected via Defend for Containers (elastic, medium)
Potential Privilege Escalation through Writable Docker Socket (elastic, medium)
Potential Privilege Escalation via Container Misconfiguration (elastic, high)
Potential release_agent Container Escape Detected via Defend for Containers (elastic, medium)
Privileged Container Creation with Host Directory Mount (elastic, high)
Privileged Container Deployed (sigma, low)
Privileged Docker Container Creation (elastic, medium)