Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
A Docker-contained executable from a mounted share was executed on a host.
Running a contained executable on the host is highly dangerous and atypical.
Attacker's Goals
Gain high-privileged command execution on the host machine via one of its running containers.
Investigative actions
- Check what actions were taken after the suspicious file execution.
- Investigate the contained process and its process tree.
Variations

A contained executable was executed by the Linux kernel thread daemon

Synopsis

| Field | Value |
|---|---|
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |

Description
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.
This behavior is suspicious because the kernel thread daemon (kthreadd) normally spawns only kernel threads, so it may indicate an attacker attempting to escape from a container.
Attacker's Goals
Gain high-privileged command execution on the host machine via one of its running containers.
Investigative actions
- Check what actions were taken after the suspicious file execution.
- Investigate the contained process and its process tree.
A contained executable was executed by the Linux kernel thread daemon

Synopsis

| Field | Value |
|---|---|
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |

Description
A contained executable was executed by the Linux kernel thread daemon.
This behavior is suspicious because the kernel thread daemon (kthreadd) normally spawns only kernel threads, so it may indicate an attacker attempting to escape from a container.
Attacker's Goals
Gain high-privileged command execution on the host machine via one of its running containers.
Investigative actions
- Check what actions were taken after the suspicious file execution.
- Investigate the contained process and its process tree.
A contained executable was executed by an unusual process

Synopsis

| Field | Value |
|---|---|
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |

Description
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.
Running a contained executable on the host is highly dangerous and atypical.
Attacker's Goals
Gain high-privileged command execution on the host machine via one of its running containers.
Investigative actions
- Check what actions were taken after the suspicious file execution.
- Investigate the contained process and its process tree.