Detect Linux Kernel cgroup v1 release_agent Privilege Escalation (CVE-2022-0492) in Microsoft Sentinel
CVE-2022-0492 is a Linux kernel vulnerability (CWE-287/CWE-862) in the cgroup v1 release_agent mechanism. A local unprivileged user can exploit improper capability checks to write to /sys/fs/cgroup/*/release_agent and execute arbitrary commands as root, enabling container escape and full host compromise. This vulnerability is listed on CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
KQL Detection Query
union
(
DeviceProcessEvents
| where FileName in~ ("sh", "bash", "dash") or ProcessCommandLine has_any ("/sys/fs/cgroup", "release_agent", "notify_on_release")
| where ProcessCommandLine has_any ("release_agent", "notify_on_release", "/sys/fs/cgroup")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ParentProcessName=InitiatingProcessFileName
),
(
DeviceFileEvents
| where FolderPath has "/sys/fs/cgroup"
| where FileName in~ ("release_agent", "notify_on_release")
| where ActionType in ("FileModified", "FileCreated")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessCommandLine
),
(
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("unshare", "nsenter") and ProcessCommandLine has "/sys/fs/cgroup"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
)
| extend AlertDetail = "Potential CVE-2022-0492 cgroup v1 release_agent exploitation"
| order by TimeGenerated descDetects writes to cgroup v1 release_agent or notify_on_release pseudo-files, unshare/nsenter usage combined with cgroup path access, and shell processes referencing cgroup paths — all indicators of CVE-2022-0492 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate container runtimes (containerd, runc, podman) may interact with cgroup release_agent during normal lifecycle operations
- System administrators performing cgroup configuration or tuning
- Monitoring and observability agents reading cgroup filesystem metrics
- CI/CD pipeline runners that manage container namespaces
Other platforms for CVE-2022-0492
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Write payload to cgroup release_agent (non-privileged namespace simulation)
Expected signal: Process event for unshare with -UrmC flags; file write event to path matching /sys/fs/cgroup/*/release_agent or the tmp mount path; child bash process inheriting modified cgroup namespace
- Test 2Enumerate cgroup v1 hierarchy for exploitable release_agent
Expected signal: Process event for sh/bash with find commands targeting /sys/fs/cgroup paths; multiple file read events against notify_on_release and release_agent pseudo-files
- Test 3Container escape simulation via cgroup release_agent (lab environment)
Expected signal: Docker daemon log showing privileged container creation; host-level process events for cgroup mount, release_agent write; if successful: unexpected process spawned outside container namespace with UID 0; file creation event for escape_proof.txt on host
Unlock Pro Content
Get the full detection package for CVE-2022-0492 including response playbook, investigation guide, and atomic red team tests.