Technique on mitre.org

T1611: Escape to Host

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as unshare and keyctl to escalate privileges and steal secrets.

Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as docker.sock, to break out of the container via a Container Administration Command. Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

— Monitoring of kubectl process start events, where the command line contains 'hostPID:true' (a container with access to host process IDs) or 'privileged:true' (a privileged container). In this case, execution of the command 'nsenter --mount=/proc/1/ns/mnt -- /bin/bash' may result in a process escape from the container. — Monitoring of events related to unintended usage of the 'mount' command, which may be an indicator of escaping from a privileged container to the host.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for process activity (such as unexpected processes spawning outside a container and/or on a host) that might indicate an attempt to escape from a privileged container to host.

ID	DS0008	Data source and component	Kernel: Kernel Module Load	Description	Monitor for the installation of kernel modules that could be abused to escape containers on a host.

ID	DS0032	Data source and component	Container: Container Creation	Description	Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for unexpected usage of syscalls such as `mount` that may indicate an attempt to escape from a privileged container to host.

ID	DS0034	Data source and component	Volume: Volume Modification	Description	Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.

ID	Data source and component	Description
DS0009	Process: Process Creation	Monitor for process activity (such as unexpected processes spawning outside a container and/or on a host) that might indicate an attempt to escape from a privileged container to host.
DS0008	Kernel: Kernel Module Load	Monitor for the installation of kernel modules that could be abused to escape containers on a host.
DS0032	Container: Container Creation	Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.
DS0009	Process: OS API Execution	Monitor for unexpected usage of syscalls such as `mount` that may indicate an attempt to escape from a privileged container to host.
DS0034	Volume: Volume Modification	Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.

Mitigation

ID	M1038	Name	Execution Prevention	Description	Use read-only containers, read-only file systems, and minimal images when possible to prevent the running of commands. Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.

ID	M1048	Name	Application Isolation and Sandboxing	Description	Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.

ID	M1042	Name	Disable or Remove Feature or Program	Description	Remove unnecessary tools and software from containers.

ID	M1026	Name	Privileged Account Management	Description	Ensure containers are not running as root by default and do not use unnecessary privileges or mounted components. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.

ID	Name	Description
M1038	Execution Prevention	Use read-only containers, read-only file systems, and minimal images when possible to prevent the running of commands. Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.
M1048	Application Isolation and Sandboxing	Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.
M1042	Disable or Remove Feature or Program	Remove unnecessary tools and software from containers.
M1026	Privileged Account Management	Ensure containers are not running as root by default and do not use unnecessary privileges or mounted components. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.