Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

13 alerts match the current filters. tactic: TA0004 ✕ technique: T1611 ✕

Show ATT&CK heatmap
  • A contained executable from a mounted share initiated a suspicious outbound network connection Medium 1 variation

    A contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check if the requested IP address is known or malicious. Investigate the contained process and its process tree.

    Variations

    A contained executable from a mounted share initiated a suspicious outbound network connection

    Medium overridden

    A cloud machine contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical. overridden

  • A contained executable was executed by an unusual process Medium 3 variations

    A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)
    ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
    Required data: XDR Agent
    Attacker's goals: Gain high privileged command execution on the host machine via one of its running containers.
    Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.

    Variations

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by the Linux kernel thread daemon

    High overridden

    A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden

    A contained executable was executed by an unusual process

    Medium overridden

    A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden

  • A contained process attempted to escape using the 'notify on release' feature Medium 1 variation

    A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute arbitrary commands on the host and gain a larger foothold.
    Investigative actions: Check which commands were executed on the host afterward. Look for the root cause of the execution within the container. Examine the release_agent script content on the container.

    Variations

    A contained process attempted to escape using the 'notify on release' feature

    Medium overridden

    A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the cloud host. overridden

  • Access to sensitive host files from within a Kubernetes pod Informational 2 variations

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft Analytics
    Attacker's goals: Access to the host filesystem.
    Investigative actions: Look for additional suspicious activities. Verify if the exposed files were used for malicious activity. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

    Variations

    Access to sensitive host files from within a Kubernetes pod via an interactive shell

    Medium overridden

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden

    Unusual access to sensitive host files from within a Kubernetes pod

    Low overridden

    A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden

  • Kubelet server communication from a pod Informational 1 variation

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)
    ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.
    Investigative actions: Examine the process on the pod to understand its purpose.

    Variations

    Kubelet server communication from a pod by a first seen process

    Low overridden

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden

  • Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod Created With Sensitive Volume for the first time in the cluster

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time in the namespace

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time by the identity

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

  • Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access data used by other pods that use the host's IPC namespace.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.

    Variations

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

  • Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

  • Kubernetes Privileged Pod Creation Informational Cloud 3 variations

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Privileged Pod Creation for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

  • Kubernetes nsenter container escape Informational 2 variations

    The nsenter command was used to execute a process in the context of the initialization process.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Attackers may break out of a container to run commands on the host.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.

    Variations

    Kubernetes nsenter container escape from a new Pod

    Medium overridden

    The nsenter command was used to execute a process in the context of the initialization process. overridden

    Kubernetes nsenter container escape from a Pod

    Low overridden

    The nsenter command was used to execute a process in the context of the initialization process. overridden

  • Kubernetes pod creation with host network Informational Cloud 3 variations

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.

    Variations

    Kubernetes pod creation with host network for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

  • Mount command was executed from within a Kubernetes pod to list all the attached filesystems Low 1 variation

    The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004)
    ATT&CK techniques: Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Access to the host filesystem.
    Investigative actions: Look for additional suspicious activities. Verify if there was an attempt to access the host system.

    Variations

    Unusual mount command was executed from within a Kubernetes pod to list all the attached filesystems

    Medium overridden

    The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access. overridden

  • Suspicious process execution in a privileged container Informational 1 variation

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.

    Variations

    Suspicious process execution in a new privileged container

    Informational overridden

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden