EXPLORE
← Back to Explore
T1611

Escape to Host

Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape from a container to a host enviro...

WindowsLinuxContainersESXi
45
Detections
3
Sources
1
Threat Actors

BY SOURCE

41elastic2sigma2splunk_escu

PROCEDURES (22)

Privilege7 detections

Auto-extracted: 7 detections for privilege

Privilege7 detections

Auto-extracted: 7 detections for privilege

General Monitoring5 detections

Auto-extracted: 5 detections for general monitoring

Lateral3 detections

Auto-extracted: 3 detections for lateral

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Service2 detections

Auto-extracted: 2 detections for service

Kernel2 detections

Auto-extracted: 2 detections for kernel

Privilege1 detections

Auto-extracted: 1 detections for privilege

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Bypass1 detections

Auto-extracted: 1 detections for bypass

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Service1 detections

Auto-extracted: 1 detections for service

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Token1 detections

Auto-extracted: 1 detections for token

Lateral1 detections

Auto-extracted: 1 detections for lateral

Credential1 detections

Auto-extracted: 1 detections for credential

Lateral1 detections

Auto-extracted: 1 detections for lateral

Parent Process1 detections

Auto-extracted: 1 detections for parent process

THREAT ACTORS (1)

DETECTIONS (45)

Chroot Execution Detected via Defend for Containers
elasticlow
Chroot Execution in Container Context on Linux
elastichigh
Cisco Isovalent - Potential Escape to Host
splunk_escu
Container Runtime CLI Execution with Suspicious Arguments
elasticmedium
Container With A hostPath Mount Created
sigmalow
DebugFS Execution Detected via Defend for Containers
elasticmedium
Docker Release File Creation
elasticlow
Egress Connection from Entrypoint in Container
elasticmedium
File System Debugger Launched Inside a Container
elasticmedium
GKE Container Created with Excessive Linux Capabilities
elasticmedium
GKE Pod Created with a Sensitive hostPath Volume
elasticmedium
GKE Pod Created With HostIPC
elasticmedium
GKE Pod Created With HostNetwork
elasticmedium
GKE Pod Created With HostPID
elasticmedium
GKE Privileged Pod Created
elasticmedium
Kernel Load or Unload via Kexec Detected
elasticmedium
Kubernetes API Server Proxying Request to Kubelet
elasticmedium
Kubernetes Container Created with Excessive Linux Capabilities
elasticmedium
Kubernetes Ephemeral Container Added to Pod
elasticmedium
Kubernetes Pod Created with a Sensitive hostPath Volume
elasticmedium
Kubernetes Pod Created With HostIPC
elasticmedium
Kubernetes Pod Created With HostNetwork
elasticmedium
Kubernetes Pod Created With HostPID
elasticmedium
Kubernetes Privileged Pod Created
elasticmedium
Linux Docker Root Directory Mount
splunk_escu
Mount Execution Detected via Defend for Containers
elasticlow
Mount Launched Inside a Container
elasticmedium
Namespace Manipulation Using Unshare
elasticmedium
Namespace Manipulation Using Unshare in a Container
elasticmedium
Nsenter Execution with Target Flag Inside Container
elastichigh
Nsenter to PID Namespace via Auditd
elastichigh
Pod or Container Creation with Suspicious Command-Line
elasticmedium
Potential Chroot Container Escape via Mount
elastichigh
Potential Container Escape via Kernel core_pattern Modification
elasticmedium
Potential Docker Escape via Nsenter
elasticmedium
Potential notify_on_release Container Escape Detected via Defend for Containers
elasticmedium
Potential Privilege Escalation in Container via Runc Init
elastichigh
Potential Privilege Escalation through Writable Docker Socket
elasticmedium
Potential Privilege Escalation via Container Misconfiguration
elastichigh
Potential release_agent Container Escape Detected via Defend for Containers
elasticmedium
Privileged Container Creation with Host Directory Mount
elastichigh
Privileged Container Deployed
sigmalow
Privileged Docker Container Creation
elasticmedium
Suspicious Container Runtime CLI Execution
elasticmedium
Unusual Process Connection to Docker or Containerd Socket
elasticmedium