From 050d7d466ccff2eaded52bc3e47e2f599f9448bf Mon Sep 17 00:00:00 2001
From: DipsyTipsy
Date: Mon, 2 Mar 2026 15:40:38 +0100
Subject: [PATCH 1/4] Splitting linux_docker_privilege_escalation into two detections, modifying the queries to more precisely trigger on the activity
---
 .../linux_docker_root_directory_mount.yml | 82 ++++++++++++++++++
 .../endpoint/linux_docker_shell_execution.yml | 83 +++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 detections/endpoint/linux_docker_root_directory_mount.yml
 create mode 100644 detections/endpoint/linux_docker_shell_execution.yml
diff --git a/detections/endpoint/linux_docker_root_directory_mount.yml b/detections/endpoint/linux_docker_root_directory_mount.yml
new file mode 100644
index 0000000000..8f1bdc1342
--- /dev/null
+++ b/detections/endpoint/linux_docker_root_directory_mount.yml
@@ -0,0 +1,82 @@ +name: Linux Docker Root Directory Mount +id: aa049566-f76a-43b9-908c-3c27e079fd43 +version: 1 +date: '2026-02-03' +author: Emil Elsetrønning +status: production +type: TTP +description: | + This detection identifies Docker containers that mount the host’s root directory into the container filesystem. Mounting the entire host root directory into a container effectively grants the container visibility and potential write access to all files on the host system. If the container is running as root or with elevated capabilities (e.g., --privileged), the risk is significantly increased. +data_source: +- Sysmon for Linux EventID 1 +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=docker* Processes.process IN ("* -v *", "* --volume *") Processes.process="* /:/*" + by Processes.action + Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name + Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_docker_root_directory_mount_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. 
These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. +references: +- https://gtfobins.github.io/gtfobins/docker/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of $process_name$ spawned by $user$ on endpoint $dest$, spawned with a root directory mounted + risk_objects: + - field: dest + type: system + score: 5 + - field: user + type: user + score: 5 + threat_objects: + - field: process + type: process +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Living Off The Land + asset_type: Endpoint + mitre_attack_id: + - T1611 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log + source: Syslog:Linux-Sysmon/Operational + sourcetype: sysmon:linux diff --git a/detections/endpoint/linux_docker_shell_execution.yml b/detections/endpoint/linux_docker_shell_execution.yml new file mode 100644 index 0000000000..20d6893cd1 --- /dev/null +++ b/detections/endpoint/linux_docker_shell_execution.yml 
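Review bot: The filter `Processes.process IN ("* -v *", "* --volume *")` together with `Processes.process="* /:/*"` only matches the space-separated short form of the volume flag, so an invocation written as `--volume=/:/...` (no space after the flag or before `/:/`) or one using Docker's `--mount` option is not matched, although the description claims the analytic identifies any container that mounts the host root. Either add those spellings to the IN list (with a second path test for the `source=/,` form that `--mount` uses) or narrow the description to the `-v`/`--volume` forms that are actually covered. The same filter is carried unchanged into the patch 3 rewrite of this file (`@@ -6,77 +6,76 @@`), so the fix belongs in both.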
@@ -0,0 +1,83 @@ +name: Linux Docker Shell Execution +id: 03b2b286-fa86-4ec9-b1a1-ec19d314bdf7 +version: 1 +date: '2026-02-03' +author: Emil Elsetrønning +status: production +type: Anomaly +description: | + This detection identifies shell execution activity associated with Docker containers on Linux systems. Specifically, it monitors for interactive or non-interactive shell processes (e.g., `/bin/bash`, `/bin/sh`, `/bin/zsh`) launched via Docker commands such as `docker exec`, or through container entrypoint overrides. + Shell execution inside a container may indicate administrative troubleshooting activity. However, it can also represent post-exploitation behavior, where an attacker gains access to a container and spawns a shell to execute arbitrary commands, establish persistence, or pivot to the host. +data_source: +- Sysmon for Linux EventID 1 +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=docker* Processes.process="* exec *" Processes.process IN ("* bash *","* sh *", "* zsh *", "* /bin/bash *", "* /bin/sh *", "* /bin/zsh *") + by Processes.action + Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name + Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_docker_shell_execution_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. 
These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system + administrative usage. Filter as needed. +references: +- https://gtfobins.github.io/gtfobins/docker/ +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: $user$ on endpoint $dest$ spawned a shell in a docker container + risk_objects: + - field: dest + type: system + score: 5 + - field: user + type: user + score: 5 + threat_objects: + - field: process + type: process +tags: + analytic_story: + - Linux Privilege Escalation + - Linux Living Off The Land + asset_type: Endpoint + 
mitre_attack_id: + - T1059.013 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log + source: Syslog:Linux-Sysmon/Operational + sourcetype: sysmon:linux From 93e6b1b2d21209b4e6852ebf4a7e529b5d137036 Mon Sep 17 00:00:00 2001 From: DipsyTipsy Date: Tue, 3 Mar 2026 08:19:19 +0100 Subject: [PATCH 2/4] Adding back original author, removing trailing whitespace --- detections/endpoint/linux_docker_root_directory_mount.yml | 6 +++--- detections/endpoint/linux_docker_shell_execution.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/detections/endpoint/linux_docker_root_directory_mount.yml b/detections/endpoint/linux_docker_root_directory_mount.yml index 8f1bdc1342..767fe91c72 100644 --- a/detections/endpoint/linux_docker_root_directory_mount.yml +++ b/detections/endpoint/linux_docker_root_directory_mount.yml @@ -2,7 +2,7 @@ name: Linux Docker Root Directory Mount id: aa049566-f76a-43b9-908c-3c27e079fd43 version: 1 date: '2026-02-03' -author: Emil Elsetrønning +author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning status: production type: TTP description: | @@ -11,7 +11,7 @@ data_source: - Sysmon for Linux EventID 1 search: | | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=docker* Processes.process IN ("* -v *", "* --volume *") Processes.process="* /:/*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
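Review bot: The description says the analytic covers shells launched "through container entrypoint overrides", but the search requires `Processes.process="* exec *"`, so a `docker run` or `docker create` invocation that overrides the entrypoint with a shell never reaches the IN list; the description and the search disagree. Either drop the entrypoint-override clause from the description, or widen the `"* exec *"` term to an IN over the subcommands that accept a command argument. Both the wording and the `"* exec *"` term are carried unchanged into the patch 3 rewrite of this file (`@@ -6,78 +6,90 @@`), so whichever side is changed should be changed there as well.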
@@ -20,7 +20,7 @@ search: | Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_root_directory_mount_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection diff --git a/detections/endpoint/linux_docker_shell_execution.yml b/detections/endpoint/linux_docker_shell_execution.yml index 20d6893cd1..8315f2b405 100644 --- a/detections/endpoint/linux_docker_shell_execution.yml +++ b/detections/endpoint/linux_docker_shell_execution.yml @@ -2,7 +2,7 @@ name: Linux Docker Shell Execution id: 03b2b286-fa86-4ec9-b1a1-ec19d314bdf7 version: 1 date: '2026-02-03' -author: Emil Elsetrønning +author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning status: production type: Anomaly description: | @@ -12,7 +12,7 @@ data_source: - Sysmon for Linux EventID 1 search: | | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=docker* Processes.process="* exec *" Processes.process IN ("* bash *","* sh *", "* zsh *", "* /bin/bash *", "* /bin/sh *", "* /bin/zsh *") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
@@ -21,7 +21,7 @@ search: | Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_docker_shell_execution_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection From 11c39a4d6944a9a299ee314f08db5e217da42cd3 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Tue, 3 Mar 2026 15:52:43 +0100 Subject: [PATCH 3/4] deprecate and update metadata --- .../linux_docker_privilege_escalation.yml | 6 +- .../linux_docker_root_directory_mount.yml | 135 ++++++++-------- .../endpoint/linux_docker_shell_execution.yml | 150 ++++++++++-------- removed/deprecation_mapping.YML | 6 + 4 files changed, 157 insertions(+), 140 deletions(-) rename detections/{endpoint => deprecated}/linux_docker_privilege_escalation.yml (98%) diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/deprecated/linux_docker_privilege_escalation.yml similarity index 98% rename from detections/endpoint/linux_docker_privilege_escalation.yml rename to detections/deprecated/linux_docker_privilege_escalation.yml index 6af1be1e31..4fc496d0d9 100644 --- a/detections/endpoint/linux_docker_privilege_escalation.yml +++ b/detections/deprecated/linux_docker_privilege_escalation.yml 
@@ -1,9 +1,9 @@ name: Linux Docker Privilege Escalation id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-03-03' author: Gowthamaraj Rajendran, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects attempts to escalate privileges on a Linux system using Docker. It identifies processes where Docker commands are used to mount the root directory or execute shell commands within a container. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, command-line arguments, and parent processes. This activity is significant because it can allow an attacker with Docker privileges to modify critical system files, such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead to full system compromise and persistent unauthorized access. data_source: diff --git a/detections/endpoint/linux_docker_root_directory_mount.yml b/detections/endpoint/linux_docker_root_directory_mount.yml index 767fe91c72..77ec7ab469 100644 --- a/detections/endpoint/linux_docker_root_directory_mount.yml +++ b/detections/endpoint/linux_docker_root_directory_mount.yml 
@@ -6,77 +6,76 @@ author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning status: production type: TTP description: | - This detection identifies Docker containers that mount the host’s root directory into the container filesystem. Mounting the entire host root directory into a container effectively grants the container visibility and potential write access to all files on the host system. If the container is running as root or with elevated capabilities (e.g., --privileged), the risk is significantly increased. + This detection identifies Docker containers that mount the host's root directory into the container filesystem. + Mounting the entire host root directory into a container effectively grants the container visibility and potential write access to all files on the host system. + If the container is running as root or with elevated capabilities (e.g., --privileged), the risk is significantly increased. data_source: -- Sysmon for Linux EventID 1 -search: | - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=docker* Processes.process IN ("* -v *", "* --volume *") Processes.process="* /:/*" - by Processes.action - Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name - Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `linux_docker_root_directory_mount_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) 
agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system - administrative usage. Filter as needed. + - Sysmon for Linux EventID 1 +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + from datamodel=Endpoint.Processes where + Processes.process_name=docker* + Processes.process IN ( + "* -v *", + "* --volume *" + ) + Processes.process="* /:/*" + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id + Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_docker_root_directory_mount_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed. references: -- https://gtfobins.github.io/gtfobins/docker/ + - https://docs.docker.com/engine/storage/volumes/ + - https://gtfobins.github.io/gtfobins/docker/ drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as 
firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: An instance of $process_name$ spawned by $user$ on endpoint $dest$, spawned with a root directory mounted - risk_objects: - - field: dest - type: system - score: 5 - - field: user - type: user - score: 5 - threat_objects: - - field: process - type: process + message: An instance of $process_name$ spawned by $user$ on endpoint $dest$, tried to mount the root directory via the command $process$ + risk_objects: + - field: dest + type: system + score: 50 + - field: user + type: user + score: 50 + threat_objects: + - field: process + type: process tags: - analytic_story: - - Linux Privilege Escalation - - Linux Living Off The Land - asset_type: Endpoint - mitre_attack_id: - - T1611 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint + analytic_story: + - Linux Privilege Escalation + - Linux Living Off The Land + asset_type: Endpoint + mitre_attack_id: + - T1611 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log - source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon:linux + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log + source: Syslog:Linux-Sysmon/Operational + sourcetype: sysmon:linux 
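Review bot: The new `rba.message` reads `An instance of $process_name$ spawned by $user$ on endpoint $dest$, tried to mount the root directory via the command $process$`, which splits subject and verb with a comma; `An instance of $process_name$ spawned by $user$ on endpoint $dest$ attempted to mount the host root directory via the command $process$` reads cleanly and says whose root directory is meant. A smaller consistency point: `known_false_positives` stays a plain scalar here while the sibling shell-execution file rewritten in this same commit switches it to a `|` block, and `how_to_implement: |` here holds one unwrapped line while the sibling wraps it; the two files were created together and are easier to maintain with one scalar style.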
diff --git a/detections/endpoint/linux_docker_shell_execution.yml b/detections/endpoint/linux_docker_shell_execution.yml
index 8315f2b405..34a66bfc4f 100644
--- a/detections/endpoint/linux_docker_shell_execution.yml
+++ b/detections/endpoint/linux_docker_shell_execution.yml
@@ -6,78 +6,90 @@ author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning status: production type: Anomaly description: | - This detection identifies shell execution activity associated with Docker containers on Linux systems. Specifically, it monitors for interactive or non-interactive shell processes (e.g., `/bin/bash`, `/bin/sh`, `/bin/zsh`) launched via Docker commands such as `docker exec`, or through container entrypoint overrides. - Shell execution inside a container may indicate administrative troubleshooting activity. However, it can also represent post-exploitation behavior, where an attacker gains access to a container and spawns a shell to execute arbitrary commands, establish persistence, or pivot to the host. + This detection identifies shell execution activity associated with Docker containers on Linux systems. + Specifically, it monitors for interactive or non-interactive shell processes (e.g., `/bin/bash`, `/bin/sh`, `/bin/zsh`) launched via Docker commands such as `docker exec`, or through container entrypoint overrides. + Shell execution inside a container may indicate administrative troubleshooting activity. + However, it can also represent post-exploitation behavior, where an attacker gains access to a container and spawns a shell to execute arbitrary commands, establish persistence, or pivot to the host. 
data_source: -- Sysmon for Linux EventID 1 -search: | - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=docker* Processes.process="* exec *" Processes.process IN ("* bash *","* sh *", "* zsh *", "* /bin/bash *", "* /bin/sh *", "* /bin/zsh *") - by Processes.action - Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name - Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `linux_docker_shell_execution_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection - and Response (EDR) agents. These agents are designed to provide security-related - telemetry from the endpoints where the agent is installed. To implement this search, - you must ingest logs that contain the process GUID, process name, and parent process. - Additionally, you must ingest complete command-line executions. These logs must - be processed using the appropriate Splunk Technology Add-ons that are specific to - the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` - data model. Use the Splunk Common Information Model (CIM) to normalize the field - names and speed up the data modeling process. -known_false_positives: False positives are present based on automated tooling or system - administrative usage. Filter as needed. 
+ - Sysmon for Linux EventID 1 +search: |- + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + from datamodel=Endpoint.Processes where + Processes.process_name=docker* + Processes.process="* exec *" + Processes.process IN ( + "* /bin/bash *", + "* /bin/sh *", + "* /bin/zsh *" + "* bash *", + "* sh *", + "* zsh *", + ) + by Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id + Processes.process_integrity_level Processes.process_name + Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_docker_shell_execution_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection + and Response (EDR) agents. These agents are designed to provide security-related + telemetry from the endpoints where the agent is installed. To implement this search, + you must ingest logs that contain the process GUID, process name, and parent process. + Additionally, you must ingest complete command-line executions. These logs must + be processed using the appropriate Splunk Technology Add-ons that are specific to + the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` + data model. Use the Splunk Common Information Model (CIM) to normalize the field + names and speed up the data modeling process. +known_false_positives: | + False positives are present based on automated tooling or system administrative usage. Filter as needed. 
references: -- https://gtfobins.github.io/gtfobins/docker/ + - https://docs.docker.com/reference/cli/docker/container/exec/ + - https://gtfobins.github.io/gtfobins/docker/ drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: $user$ on endpoint $dest$ spawned a shell in a docker container - risk_objects: - - field: dest - type: system - score: 5 - - field: user - type: user - 
score: 5 - threat_objects: - - field: process - type: process + message: $user$ on endpoint $dest$ spawned a shell in a docker container via the commandline $process$ + risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: process + type: process tags: - analytic_story: - - Linux Privilege Escalation - - Linux Living Off The Land - asset_type: Endpoint - mitre_attack_id: - - T1059.013 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint + analytic_story: + - Linux Privilege Escalation + - Linux Living Off The Land + asset_type: Endpoint + mitre_attack_id: + - T1059.013 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log - source: Syslog:Linux-Sysmon/Operational - sourcetype: sysmon:linux + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log + source: Syslog:Linux-Sysmon/Operational + sourcetype: sysmon:linux diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML index 2ad27b0c34..d468159821 100644 --- a/removed/deprecation_mapping.YML +++ b/removed/deprecation_mapping.YML 
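Review bot: `how_to_implement: |` in this hunk turns the wrapped text into a value with embedded hard newlines, whereas the plain scalar it replaces folded those breaks into single spaces and the sibling root-mount file keeps the value on one line; if the one-line rendering is what the site expects, `how_to_implement: >-` keeps the source wrapping while folding at load. The two-line `known_false_positives: |` block has the same property. Whether the rendering pipeline collapses the newlines anyway is not visible from the patch, so check against an existing detection before changing it.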
@@ -1,4 +1,10 @@ detections: + - content: Linux Docker Privilege Escalation + removed_in_version: 5.26.0 + reason: Detection has been deprecated in favor of two scoped detections that aims to reduce overhead and ease management + replacement_content: + - Linux Docker Root Directory Mount + - Linux Docker Shell Execution - content: Linux apt-get Privilege Escalation removed_in_version: 5.24.0 reason: Detection has been deprecated in favor of a more broad and generic logic that aims to reduce overhead and increase coverage. From 91a87a081a46bea9c70c8696a3ceefbc92b2ab41 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Tue, 3 Mar 2026 15:58:17 +0100 Subject: [PATCH 4/4] Update linux_docker_shell_execution.yml --- detections/endpoint/linux_docker_shell_execution.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/linux_docker_shell_execution.yml b/detections/endpoint/linux_docker_shell_execution.yml index 34a66bfc4f..09cd850bac 100644 --- a/detections/endpoint/linux_docker_shell_execution.yml +++ b/detections/endpoint/linux_docker_shell_execution.yml @@ -21,11 +21,17 @@ search: |- Processes.process="* exec *" Processes.process IN ( "* /bin/bash *", + "* /bin/dash *", "* /bin/sh *", - "* /bin/zsh *" + "* /bin/zsh *", "* bash *", + "* bash", + "* dash *", + "* dash", "* sh *", + "* sh", "* zsh *", + "* zsh" ) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
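Review bot: The added suffix patterns `"* bash"`, `"* dash"`, `"* sh"`, `"* zsh"` close the end-of-line gap only for the bare shell names; the absolute-path entries still all require a trailing space, so a command line that ends in `/bin/bash` or `/bin/sh` with no further arguments matches neither `"* /bin/sh *"` nor `"* sh"` (that wildcard needs a space before `sh`, and the path has a `/` there). Add the path forms without the trailing space as well, e.g. `"* /bin/bash",` and `"* /bin/sh",`, and likewise for dash and zsh. The enclosing `search` block scalar starts before and continues after this hunk.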