Analytics Alerts
Browse the Cortex analytics alert reference.
13 alerts match the current filters. technique: T1611 ✕
Show ATT&CK heatmapA contained executable from a mounted share initiated a suspicious outbound network connection Medium 1 variation
A contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check if the requested IP address is known or malicious. Investigate the contained process and its process tree.Variations
A contained executable from a mounted share initiated a suspicious outbound network connection
Medium overridden
A cloud machine contained executable from a mounted share initiated a suspicious outbound network connection.Running binaries from a mounted share is highly dangerous and not typical. overridden
A contained executable was executed by an unusual process Medium 3 variations
A Docker-contained executable from a mounted share was executed on a host.Running a contained executable is highly dangerous and atypical.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Persistence (TA0003)ATT&CK techniques: Escape to Host (T1611) Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)Required data: XDR AgentAttacker's goals: Gain high privileged command execution on the host machine via one of its running containers.Investigative actions: Check what actions were made after the suspicious file execution. Investigate the contained process and its process tree.Variations
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable in a cloud machine was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by the Linux kernel thread daemon
High overridden
A contained executable was executed by the Linux kernel thread daemon.This behavior is suspicious as it may be a result of an attacker attempting to escape from a container, as the kernel thread daemon is usually used to spawn kernel processes only. overridden
A contained executable was executed by an unusual process
Medium overridden
A Docker-contained executable from a mounted share on a cloud machine was executed on a host.Running a contained executable is highly dangerous and atypical. overridden
A contained process attempted to escape using the 'notify on release' feature Medium 1 variation
A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Execute arbitrary commands on the host and gain a larger foothold.Investigative actions: Check which commands were executed on the host afterward. Look for the root cause of the execution within the container. Examine the release_agent script content on the container.Variations
A contained process attempted to escape using the 'notify on release' feature
Medium overridden
A contained process attempted to escape the host by leveraging the Docker's 'notify on release' feature.The calling process modified relevant files that might trigger a command on the cloud host. overridden
Access to sensitive host files from within a Kubernetes pod Informational 2 variations
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Kubernetes - AGENT, Kubernetes Credentials Theft AnalyticsAttacker's goals: Access to the host filesystem.Investigative actions: Look for additional suspicious activities. Verify if the exposed files were used for malicious activity. Investigate which operations were used against the Kubernetes cluster with the exposed credentials.Variations
Access to sensitive host files from within a Kubernetes pod via an interactive shell
Medium overridden
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden
Unusual access to sensitive host files from within a Kubernetes pod
Low overridden
A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt. overridden
Kubelet server communication from a pod Informational 1 variation
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.Investigative actions: Examine the process on the pod to understand its purpose.Variations
Kubelet server communication from a pod by a first seen process
Low overridden
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden
Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod Created With Sensitive Volume for the first time in the cluster
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time in the namespace
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time by the identity
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access data used by other pods that use the host's IPC namespace.Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.Variations
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Privileged Pod Creation Informational Cloud 3 variations
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Privileged Pod Creation for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time by the identity
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes nsenter container escape Informational 2 variations
The nsenter command was used to execute a process in the context of the initialization process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Attackers may break out of a container to run commands on the host.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Kubernetes nsenter container escape from a new Pod
Medium overridden
The nsenter command was used to execute a process in the context of the initialization process. overridden
Kubernetes nsenter container escape from a Pod
Low overridden
The nsenter command was used to execute a process in the context of the initialization process. overridden
Kubernetes pod creation with host network Informational Cloud 3 variations
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.Variations
Kubernetes pod creation with host network for the first time in the cluster
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time in the namespace
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time by the identity
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Mount command was executed from within a Kubernetes pod to list all the attached filesystems Low 1 variation
The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004)ATT&CK techniques: Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Access to the host filesystem.Investigative actions: Look for additional suspicious activities. Verify if there was an attempt to access the host system.Variations
Unusual mount command was executed from within a Kubernetes pod to list all the attached filesystems
Medium overridden
The mount command was executed inside a Kubernetes pod to list all the attached filesystems, which may serve as a precursor to container escape and host filesystem access. overridden
Suspicious process execution in a privileged container Informational 1 variation
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.Variations
Suspicious process execution in a new privileged container
Informational overridden
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden