
Privileged Container Deployed (c5cd1b20-36bb-488d-8c05-486be3d0cb97)

Detects the creation of a "privileged" container, an action that could indicate a threat actor preparing a container breakout attack. A privileged container is a container that runs with all of the root capabilities of the host machine. This lets it view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configuration and so on as the root user on the host. A container can be made "privileged" in several ways, e.g. by setting the securityContext.privileged flag in the resource specification, by adding non-default Linux capabilities, or by enabling the hostNetwork/hostPID fields so the container shares the host's namespaces.
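To make the three variants concrete, the following is an added example, not the Sigma rule itself and not code from MISP or the Sigma project. It walks a few constructed kube-apiserver audit events (the JSON shape the audit log emits when requestObject is included) and reports why each pod creation would count as privileged. The exact match condition of the real rule is not reproduced here; the checks for host namespaces and added capabilities go beyond a plain securityContext.privileged test, and the DANGEROUS_CAPS set is an assumption chosen for the example.

```python
"""Flag Kubernetes audit events that create a 'privileged' pod.

Added example (not the Sigma rule's own logic). Input is a list of JSON lines
in kube-apiserver audit-log format with requestObject present; the sample
log below is constructed for this example.
"""
import json

# Capabilities that hand a container host-level control. A pod that adds any
# of these is reported even without securityContext.privileged: true.
# This set is an assumption for the example, not the rule's definition.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "ALL"}


def privileged_reasons(pod_spec):
    """Return a list of reasons a PodSpec counts as privileged ([] if none)."""
    reasons = []
    # Host namespace sharing: the container sees host processes / network / IPC.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if pod_spec.get(field) is True:
            reasons.append(f"{field}=true")
    containers = list(pod_spec.get("containers") or []) + \
        list(pod_spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            reasons.append(f"container {name}: privileged=true")
        # Capabilities may be written as SYS_ADMIN or CAP_SYS_ADMIN; normalise.
        caps = (sc.get("capabilities") or {}).get("add") or []
        added = {cap.upper().removeprefix("CAP_") for cap in caps}
        hit = sorted(added & DANGEROUS_CAPS)
        if hit:
            reasons.append(f"container {name}: capabilities.add={hit}")
    return reasons


def detect(audit_events):
    """Return (namespace, pod name, reasons) for every privileged pod create."""
    hits = []
    for ev in audit_events:
        ref = ev.get("objectRef") or {}
        # Only pod creations matter; gets/lists of an existing pod are ignored.
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        obj = ev.get("requestObject") or {}
        reasons = privileged_reasons(obj.get("spec") or {})
        if reasons:
            name = ref.get("name") or (obj.get("metadata") or {}).get("name")
            hits.append((ref.get("namespace"), name, reasons))
    return hits


def parse_log(lines):
    """Parse one audit event per line (JSON lines), skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


# Constructed sample audit log: one privileged flag, one hostPID + CAP_SYS_ADMIN,
# one benign pod, and one 'get' that must not trigger.
SAMPLE_AUDIT_LOG = [
    '{"kind":"Event","stage":"ResponseComplete","verb":"create",'
    '"user":{"username":"dev-user"},'
    '"objectRef":{"resource":"pods","namespace":"default","name":"dbg"},'
    '"requestObject":{"kind":"Pod","metadata":{"name":"dbg"},"spec":{"containers":'
    '[{"name":"shell","image":"alpine","securityContext":{"privileged":true}}]}}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"create",'
    '"user":{"username":"ci-bot"},'
    '"objectRef":{"resource":"pods","namespace":"kube-system","name":"node-tool"},'
    '"requestObject":{"kind":"Pod","metadata":{"name":"node-tool"},"spec":{"hostPID":true,'
    '"containers":[{"name":"tool","image":"busybox","securityContext":'
    '{"capabilities":{"add":["CAP_SYS_ADMIN"]}}}]}}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"create",'
    '"user":{"username":"dev-user"},'
    '"objectRef":{"resource":"pods","namespace":"default","name":"web"},'
    '"requestObject":{"kind":"Pod","metadata":{"name":"web"},"spec":{"containers":'
    '[{"name":"nginx","image":"nginx","securityContext":{"privileged":false,'
    '"capabilities":{"drop":["ALL"]}}}]}}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"get",'
    '"user":{"username":"dev-user"},'
    '"objectRef":{"resource":"pods","namespace":"default","name":"dbg"}}',
]

if __name__ == "__main__":
    for ns, name, reasons in detect(parse_log(SAMPLE_AUDIT_LOG)):
        print(f"{ns}/{name}: {'; '.join(reasons)}")
```

Pods created by a Deployment or DaemonSet reach the API as pod creates made by the controller's service account, so they are caught the same way; a hostPath mount of the host root is a further breakout route this example does not check.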

Related clusters (level 1):
Cluster A: Privileged Container Deployed (c5cd1b20-36bb-488d-8c05-486be3d0cb97), Galaxy A: Sigma-Rules
Cluster B: Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665), Galaxy B: Attack Pattern