Detect Escape to Host in Google Chronicle
This detection identifies adversaries attempting to escape containerized or virtualized environments to gain access to the underlying host. Key indicators include execution of namespace manipulation utilities (nsenter, unshare), privileged container operations, Docker socket abuse from within containers, cgroup release_agent exploitation, kernel module loading via insmod/modprobe, and host filesystem access via /proc/1/root bind mounts. The detection targets techniques used by malware families such as Doki, Hildegard, and Siloscape, as well as threat groups like TeamTNT that exploit container misconfigurations or kernel vulnerabilities to break out of isolation boundaries and gain host-level code execution.
MITRE ATT&CK
- Tactic
- Privilege Escalation
- Technique
- T1611 Escape to Host
- Canonical reference
- https://attack.mitre.org/techniques/T1611/
YARA-L Detection Query
rule detect_container_abuse {
meta:
author = "Argus"
description = "Detects suspicious container management and escape attempts"
severity = "HIGH"
technique = "T1609_T1611"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
$e.target.process.file.full_path = "/usr/bin/docker" or
$e.target.process.file.full_path = "/usr/bin/kubectl" or
$e.target.process.file.full_path = "/usr/bin/nsenter" or
re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
)
(
re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for T1611 detection using UDM event types and field matching. Detects container escape attempts by monitoring for namespace manipulation utilities (nsenter target
Data Sources
Required Tables
False Positives & Tuning
- Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
- System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
- Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization
Other platforms for T1611
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Container Escape via nsenter Targeting Host PID 1
Expected signal: Sysmon EventCode=1: Image=nsenter, CommandLine contains '-t 1 -m -u -i -n -p'; parent process chain includes containerd-shim or runc; AccountName=root; SHA256 of nsenter binary logged
- Test 2Container Escape via Cgroup v1 Release Agent
Expected signal: Sysmon EventCode=1: Image=mount with cgroup filesystem type; Sysmon EventCode=11 (File Create): TargetFilename matches /sys/fs/cgroup/*/release_agent or /tmp/cgrp_escape/release_agent; auditd SYSCALL=mount and write to cgroup path
- Test 3Container Escape via Docker Socket Bind Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains 'docker.sock' and 'run -v /:/'; second process creation for chroot with /hostroot argument; DeviceNetworkEvents showing Unix socket connection to /var/run/docker.sock
References (8)
- https://attack.mitre.org/techniques/T1611/
- https://docs.docker.com/storage/bind-mounts/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://intezer.com/blog/cloud-security/doki-infecting-docker-servers-in-the-cloud/
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- https://www.crowdstrike.com/blog/cve-2022-0492-linux-container-escape/
- https://github.com/IntezerLabs/peirates
- https://www.microsoft.com/security/blog/2021/07/19/windows-server-containers-are-open-and-here-is-why-that-is-okay/
Unlock Pro Content
Get the full detection package for T1611 including response playbook, investigation guide, and atomic red team tests.