Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Log Source
Product: Kubernetes
Category: application
Service: audit
Detection Logic
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
False Positives
The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
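The selection above, run over Kubernetes audit events as an added Python example (not code from the rule or from SigmaHQ): it implements the "exists" semantics the YAML comment asks for by searching the request object for a hostPath key, and suppresses the documented false positive with an assumed filter on kube-system pods that carry a DaemonSet ownerReference. The audit events are constructed and trimmed to the fields the rule uses.

```python
import json

# Constructed sample Kubernetes audit events (not from the page), trimmed to the fields the rule uses.
SAMPLE_EVENTS = [json.loads(line) for line in '''
{"verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev","name":"dbg"},"requestObject":{"metadata":{"name":"dbg"},"spec":{"containers":[{"name":"c","image":"busybox","volumeMounts":[{"name":"root","mountPath":"/host"}]}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}}}
{"verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"dev","name":"web"},"requestObject":{"spec":{"containers":[{"name":"c","image":"nginx"}],"volumes":[{"name":"data","emptyDir":{}}]}}}
{"verb":"create","user":{"username":"system:serviceaccount:kube-system:daemon-set-controller"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-x1"},"requestObject":{"metadata":{"ownerReferences":[{"kind":"DaemonSet","name":"kube-proxy"}]},"spec":{"volumes":[{"name":"lib","hostPath":{"path":"/lib/modules"}}]}}}
{"verb":"patch","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev","name":"dbg"},"requestObject":{"spec":{"volumes":[{"name":"root","hostPath":{"path":"/"}}]}}}
'''.strip().splitlines()]

def key_exists(node, key):
    """Sigma's planned 'exists' semantics: true if `key` appears anywhere in the nested event."""
    if isinstance(node, dict):
        return key in node or any(key_exists(v, key) for v in node.values())
    if isinstance(node, list):
        return any(key_exists(v, key) for v in node)
    return False

def matches_hostpath_rule(event):
    """The rule's 'selection' block: verb create, resource pods, hostPath present in the request."""
    return (event.get("verb") == "create"
            and event.get("objectRef", {}).get("resource") == "pods"
            and key_exists(event.get("requestObject", {}), "hostPath"))

def is_daemonset_in_kube_system(event):
    """Assumed tuning for the listed false positive (not part of the rule): pods the DaemonSet
    controller creates in kube-system carry a DaemonSet ownerReference in their metadata."""
    owners = event.get("requestObject", {}).get("metadata", {}).get("ownerReferences", [])
    return (event.get("objectRef", {}).get("namespace") == "kube-system"
            and any(o.get("kind") == "DaemonSet" for o in owners))

def hostpath_mount_paths(event):
    """Node paths the pod mounts; '/' is the case the rule description is most concerned with."""
    vols = event.get("requestObject", {}).get("spec", {}).get("volumes", [])
    return [v["hostPath"].get("path") for v in vols if "hostPath" in v]

def run_detection(events):
    """Return (namespace/name, username, mounted node paths) for each event that alerts."""
    alerts = []
    for ev in events:
        if matches_hostpath_rule(ev) and not is_daemonset_in_kube_system(ev):
            ref = ev["objectRef"]
            alerts.append((f"{ref['namespace']}/{ref['name']}", ev["user"]["username"],
                           hostpath_mount_paths(ev)))
    return alerts

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

Only the dev/dbg creation alerts: the emptyDir pod has no hostPath, the patch is not a create, and the kube-proxy pod is suppressed by the DaemonSet filter.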
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID
402b955c-8fe0-4a8c-b635-622b4ac5f902
Status
test
Level
low
Type
Detection
Created
Tue Mar 26
Author
Path
rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
Raw Tags
attack.t1611
attack.privilege-escalation