feat(nsenter): catch setns syscall

padok-team · Jan 19, 2024 · ac415de · ac415de
1 parent a19f96f
commit ac415de
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/custom_rules1.yaml b/custom_rules1.yaml
@@ -9,3 +9,10 @@
   condition: container and proc.name = nsenter and spawned_process and proc.pname exists and not proc.pname in (bash, docker)
   output: "nsenter used in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
+
+- rule: Detect setns syscall
+  desc: Detect privilege escalationof binaries executed in /tmp
+  condition: >
+    evt.type = setns and evt.dir=>
+  output: "The binary %proc.name has tried to change namespace: %evt.args"
+  priority: WARNING