Common Information
| Type | Value |
|---|---|
| Value |
Escape to Host - T1611 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host. |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-10-23 | 2 | Climbing The Ladder | Kubernetes Privilege Escalation (Part 1) | ||
| Details | Website | 2024-10-21 | 21 | Attackers Target Exposed Docker Remote API Servers With perfctl Malware | ||
| Details | Website | 2024-06-06 | 9 | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers | ||
| Details | Website | 2024-06-06 | 9 | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers | ||
| Details | Website | 2023-11-01 | 0 | Security considerations for running containers on Amazon ECS | Amazon Web Services | ||
| Details | Website | 2023-07-19 | 1 | Kubernetes API limitations in finding non-standard pods and containers | Wiz Blog | ||
| Details | Website | 2023-05-14 | 14 | Cryptojacking attack analysis: RCE through vulnerable Apache | ||
| Details | Website | 2023-03-02 | 199 | Russia/Ukraine Update - February 2023 | ||
| Details | Website | 2023-01-03 | 13 | Cloud Forensic Write-up Investigating Cloud and Container Compromised Simulator using Cado Security… | ||
| Details | Website | 2022-12-20 | 133 | Russia/Ukraine Update - December 2022 | ||
| Details | Website | 2022-11-29 | 132 | Russia/Ukraine Update - November 2022 | ||
| Details | Website | 2022-09-29 | 68 | Russia/Ukraine Update - September 2022 | ||
| Details | Website | 2022-08-25 | 66 | Russia/Ukraine Update - August 2022 | ||
| Details | Website | 2022-06-30 | 65 | UNKNOWN |