osquery-defense-kit/detection/privesc/unexpected-privileged-conta...

-- Detect the execution of priveleged Docker containers which can be used to escape to the host.
--
-- references:
--   * https://attack.mitre.org/techniques/T1611/
--
-- This query works on macOS as well, but is only an in-the-wild security problem on Linux,
-- where the kernel namespaces can be shared. These kind of attacks tend to be
--
-- platform: linux
-- tags: transient state container escalation
SELECT
  command,
  image_id,
  path,
  security_options,
  started_at,
  image
FROM
  docker_containers
WHERE
  privileged = 1
  AND image NOT LIKE 'kindest/node:%';
Add metadata, mark as Linux only. 2022-10-14 12:42:10 +00:00			`-- Detect the execution of priveleged Docker containers which can be used to escape to the host.`
			`--`
			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1611/`
			`--`
			`-- This query works on macOS as well, but is only an in-the-wild security problem on Linux,`
Tighten down the field list, update metadata 2022-10-14 13:16:24 +00:00			`-- where the kernel namespaces can be shared. These kind of attacks tend to be`
Add metadata, mark as Linux only. 2022-10-14 12:42:10 +00:00			`--`
			`-- platform: linux`
Add support for interval tags 2022-10-14 18:19:13 +00:00			`-- tags: transient state container escalation`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`SELECT`
Apply 'npx sql-formatter -l sqlite' 2022-10-17 23:06:17 +00:00			`command,`
			`image_id,`
			`path,`
			`security_options,`
			`started_at,`
			`image`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`FROM`
			`docker_containers`
			`WHERE`
			`privileged = 1`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND image NOT LIKE 'kindest/node:%';`