CVE-2022-0492 IBM QRadar · QRadar

Detect Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492) in IBM QRadar

CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. A local unprivileged user can exploit improper capability checks to write to /sys/fs/cgroup/*/release_agent and execute arbitrary commands as root, enabling container escape and full host compromise. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "processname",
  "cmdline",
  "filepath",
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux', 'Syslog', 'SysmonLinux')
  AND (
    (LOWER("filepath") LIKE '/sys/fs/cgroup/%release_agent%')
    OR (LOWER("cmdline") LIKE '%release_agent%')
    OR (LOWER("cmdline") LIKE '%notify_on_release%')
    OR (
      LOWER("processname") IN ('unshare', 'nsenter')
      AND LOWER("cmdline") LIKE '%cgroup%'
    )
  )
  AND QIDNAME(qid) NOT IN ('Container Runtime Management', 'Kubernetes Lifecycle')
LAST 24 HOURS
ORDER BY starttime DESC
critical severity medium confidence

QRadar AQL query searching for cgroup release_agent file path access and command-line patterns associated with CVE-2022-0492 exploitation across Linux and syslog sources.

Data Sources

QRadar Linux DSMSyslogSysmonLinux

Required Tables

events

False Positives & Tuning

  • Container orchestration management operations from approved automation accounts
  • Approved security tooling that inspects cgroup configurations
  • Kernel developers or admins with documented need to access cgroup release_agent
  • Routine container lifecycle events from known container runtime processes

Other platforms for CVE-2022-0492

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Write payload to cgroup release_agent (non-privileged namespace simulation)

    Expected signal: Process event for unshare with -UrmC flags; file write event to path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting modified cgroup namespace

  2. Test 2Enumerate cgroup v1 hierarchy for exploitable release_agent

    Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files

  3. Test 3Container escape simulation via cgroup release_agent (lab environment)

    Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount, release_agent write; if successful: unexpected process spawned outside container namespace with UID 0; file creation event for escape_proof.txt on host

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2022-0492 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1611Escape to HostT1548.001Setuid and SetgidT1059.004Unix Shell

Same Tactic: Privilege Escalation

Popular Detections