splunk · DipsyTipsy · Mar 2, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
@@ -1,9 +1,9 @@
 name: Linux Docker Privilege Escalation
 id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-03'
 author: Gowthamaraj Rajendran, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic detects attempts to escalate privileges on a Linux system using Docker. It identifies processes where Docker commands are used to mount the root directory or execute shell commands within a container. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names, command-line arguments, and parent processes. This activity is significant because it can allow an attacker with Docker privileges to modify critical system files, such as /etc/passwd, to create a superuser. If confirmed malicious, this could lead to full system compromise and persistent unauthorized access.
 data_source:

@@ -0,0 +1,81 @@
+name: Linux Docker Root Directory Mount
+id: aa049566-f76a-43b9-908c-3c27e079fd43
+version: 1
+date: '2026-02-03'
+author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning
+status: production
+type: TTP
+description: |
+    This detection identifies Docker containers that mount the host's root directory into the container filesystem.
+    Mounting the entire host root directory into a container effectively grants the container visibility and potential write access to all files on the host system.
+    If the container is running as root or with elevated capabilities (e.g., --privileged), the risk is significantly increased.
+data_source:
+    - Sysmon for Linux EventID 1
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+    from datamodel=Endpoint.Processes where
+    Processes.process_name=docker*
+    Processes.process IN (
+      "* -v *",
+      "* --volume *"
+    )
+    Processes.process="* /:/*"
+    by Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec
+       Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id
+       Processes.process_integrity_level Processes.process_name
+       Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `linux_docker_root_directory_mount_filter`
+how_to_implement: |
+    The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: False positives are present based on automated tooling or system administrative usage. Filter as needed.
+references:
+    - https://docs.docker.com/engine/storage/volumes/
+    - https://gtfobins.github.io/gtfobins/docker/
+drilldown_searches:
+    - name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: An instance of $process_name$ spawned by $user$ on endpoint $dest$, tried to mount the root directory via the command $process$
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+        - field: user
+          type: user
+          score: 50
+    threat_objects:
+        - field: process
+          type: process
+tags:
+    analytic_story:
+        - Linux Privilege Escalation
+        - Linux Living Off The Land
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1611
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log
+          source: Syslog:Linux-Sysmon/Operational
+          sourcetype: sysmon:linux
@@ -0,0 +1,101 @@
+name: Linux Docker Shell Execution
+id: 03b2b286-fa86-4ec9-b1a1-ec19d314bdf7
+version: 1
+date: '2026-02-03'
+author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning
+status: production
+type: Anomaly
+description: |
+    This detection identifies shell execution activity associated with Docker containers on Linux systems.
+    Specifically, it monitors for interactive or non-interactive shell processes (e.g., `/bin/bash`, `/bin/sh`, `/bin/zsh`) launched via Docker commands such as `docker exec`,  or through container entrypoint overrides.
+    Shell execution inside a container may indicate administrative troubleshooting activity.
+    However, it can also represent post-exploitation behavior, where an attacker gains access to a container and spawns a shell to execute arbitrary commands, establish persistence, or pivot to the host.
+data_source:
+    - Sysmon for Linux EventID 1
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+    from datamodel=Endpoint.Processes where
+    Processes.process_name=docker*
+    Processes.process="* exec *"
+    Processes.process IN (
+      "* /bin/bash *",
+      "* /bin/dash *",
+      "* /bin/sh *",
+      "* /bin/zsh *",
+      "* bash *",
+      "* bash",
+      "* dash *",
+      "* dash",
+      "* sh *",
+      "* sh",
+      "* zsh *",
+      "* zsh"
+    )
+    by Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec
+       Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id
+       Processes.process_integrity_level Processes.process_name
+       Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `linux_docker_shell_execution_filter`
+how_to_implement: |
+    The detection is based on data that originates from Endpoint Detection
+    and Response (EDR) agents. These agents are designed to provide security-related
+    telemetry from the endpoints where the agent is installed. To implement this search,
+    you must ingest logs that contain the process GUID, process name, and parent process.
+    Additionally, you must ingest complete command-line executions. These logs must
+    be processed using the appropriate Splunk Technology Add-ons that are specific to
+    the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+    data model. Use the Splunk Common Information Model (CIM) to normalize the field
+    names and speed up the data modeling process.
+known_false_positives: |
+    False positives are present based on automated tooling or system administrative usage. Filter as needed.
+references:
+    - https://docs.docker.com/reference/cli/docker/container/exec/
+    - https://gtfobins.github.io/gtfobins/docker/
+drilldown_searches:
+    - name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: $user$ on endpoint $dest$ spawned a shell in a docker container via the commandline $process$
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+        - field: user
+          type: user
+          score: 20
+    threat_objects:
+        - field: process
+          type: process
+tags:
+    analytic_story:
+        - Linux Privilege Escalation
+        - Linux Living Off The Land
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1059.013
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log
+          source: Syslog:Linux-Sysmon/Operational
+          sourcetype: sysmon:linux
@@ -1,4 +1,10 @@
 detections:
+  - content: Linux Docker Privilege Escalation
+    removed_in_version: 5.26.0
+    reason: Detection has been deprecated in favor of two scoped detections that aims to reduce overhead and ease management
+    replacement_content:
+      - Linux Docker Root Directory Mount
+      - Linux Docker Shell Execution
   - content: Linux apt-get Privilege Escalation
     removed_in_version: 5.24.0
     reason: Detection has been deprecated in favor of a more broad and generic logic that aims to reduce overhead and increase coverage.