Techniques
Sample rules
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
- source: splunk
- techniques:
- T1543
Description
This analytic detects execution of the nsenter utility from within a container, a technique commonly used for exploitation and container escape. nsenter enters the namespaces of another process, such as the host's init process (PID 1), and executes a shell or other binary there with the privileges and the view of the system that process has. For example, an attacker may use docker exec to obtain a shell in a container, enumerate the PID of a target container or of the host, and then use nsenter to enter all namespaces (mount, UTS, IPC, net, pid) of the host or of the other container. An example that escapes to the host: nsenter --target 1 --mount --uts --ipc --net --pid -- bash. For this to succeed, the host's PID 1 must be visible from inside the container (hostPID or a shared PID namespace) and the process needs CAP_SYS_ADMIN, which a privileged pod grants. The WorkloadAncestorsBinary field records the ancestry of the process and gives the context in which nsenter was launched.
The short options -m -u -n -i -p are equivalent to --mount --uts --net --ipc --pid and select the corresponding Linux namespaces. Adversaries rely on nsenter when pods are misconfigured with excessive privileges (for example privileged: true, hostPID: true, or broad hostPath mounts), which lets them interact with the node's filesystem and processes. Such an invocation can indicate a container escape attempt or privilege escalation. Security teams should scrutinize any nsenter execution from within a container, particularly outside of scheduled maintenance or in workloads that already carry elevated privileges.
Detection logic
`cisco_isovalent_process_exec` process_name="nsenter"
| eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ")
| stats count
    min(_time) as firstTime
    max(_time) as lastTime
    values(process) as process
    values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary
    by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter`
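The following Python re-implements the detection logic above and runs it over constructed sample events. It is an added example, not code from the Splunk rule or from the Isovalent product. It assumes the events have already been normalized into the field names the SPL uses, that parent_process_name is a multivalue list ordered nearest ancestor first (which is what mvjoin with " <- " implies), and it stands in for the tuning filter macro with a namespace allowlist. One deliberate difference: the SPL groups by process_id and therefore emits one row per exec, whereas this version aggregates per container so repeated nsenter use in the same workload rolls up into a single row with its first and last time.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample process_exec events (not real telemetry), shaped like the
# extracted fields the page's SPL consumes. Assumption: parent_process_name is
# ordered nearest ancestor first.
EVENTS = [
    {"_time": 1700000000, "cluster_name": "prod-eu1", "node_name": "node-a",
     "pod_namespace": "payments", "pod_name": "api-7d9f", "container_id": "c0ffee01",
     "pod_image_name": "registry.example.internal/payments/api:1.4",
     "process_name": "nsenter", "process_exec": "/usr/bin/nsenter", "process_id": 4312,
     "process": "nsenter --target 1 --mount --uts --ipc --net --pid -- bash",
     "parent_process_name": ["bash", "runc", "containerd-shim-runc-v2"]},
    # Same workload, five minutes later, short-option form of the same escape.
    {"_time": 1700000300, "cluster_name": "prod-eu1", "node_name": "node-a",
     "pod_namespace": "payments", "pod_name": "api-7d9f", "container_id": "c0ffee01",
     "pod_image_name": "registry.example.internal/payments/api:1.4",
     "process_name": "nsenter", "process_exec": "/usr/bin/nsenter", "process_id": 4390,
     "process": "nsenter -t 1 -m -u -n -i -p sh",
     "parent_process_name": ["sh", "runc", "containerd-shim-runc-v2"]},
    # A maintenance pod in kube-system: the kind of hit the filter macro tunes out.
    {"_time": 1700000600, "cluster_name": "prod-eu1", "node_name": "node-a",
     "pod_namespace": "kube-system", "pod_name": "node-debugger-x1", "container_id": "deadbeef",
     "pod_image_name": "registry.example.internal/ops/node-debugger:2.0",
     "process_name": "nsenter", "process_exec": "/usr/bin/nsenter", "process_id": 5120,
     "process": "nsenter --target 1 --mount -- bash",
     "parent_process_name": ["bash", "runc", "containerd-shim-runc-v2"]},
    # Not nsenter: must be ignored by the process_name filter.
    {"_time": 1700000010, "cluster_name": "prod-eu1", "node_name": "node-a",
     "pod_namespace": "payments", "pod_name": "api-7d9f", "container_id": "c0ffee01",
     "pod_image_name": "registry.example.internal/payments/api:1.4",
     "process_name": "bash", "process_exec": "/bin/bash", "process_id": 4300,
     "process": "bash", "parent_process_name": ["runc", "containerd-shim-runc-v2"]},
]

# The SPL "by" clause minus parent_process_name and process_id (see lead-in).
KEY_FIELDS = ("cluster_name", "container_id", "pod_name", "pod_namespace",
              "pod_image_name", "process_name", "process_exec", "node_name")


def security_content_ctime(epoch):
    """Equivalent of the security_content_ctime macro: epoch -> %m/%d/%Y %H:%M:%S.
    UTC is assumed here; Splunk renders in the search head's timezone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def workload_ancestors_binary(parents):
    """eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ")"""
    return " <- ".join(parents)


def detect_nsenter(events, allowed_namespaces=frozenset()):
    """Filter process_name="nsenter", aggregate per container, apply the tuning filter.

    allowed_namespaces is a hypothetical stand-in for the
    cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter macro."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "process": set(), "process_id": set(),
                                  "WorkloadAncestorsBinary": set()})
    for ev in events:
        if ev.get("process_name") != "nsenter":
            continue
        g = groups[tuple(ev[f] for f in KEY_FIELDS)]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["process"].add(ev["process"])
        g["process_id"].add(ev["process_id"])
        g["WorkloadAncestorsBinary"].add(workload_ancestors_binary(ev["parent_process_name"]))

    results = []
    for key, g in groups.items():
        row = dict(zip(KEY_FIELDS, key))
        if row["pod_namespace"] in allowed_namespaces:  # the _filter macro's job
            continue
        row.update(count=g["count"],
                   firstTime=security_content_ctime(g["firstTime"]),
                   lastTime=security_content_ctime(g["lastTime"]),
                   process=sorted(g["process"]),
                   process_id=sorted(g["process_id"]),
                   WorkloadAncestorsBinary=sorted(g["WorkloadAncestorsBinary"]))
        results.append(row)
    return sorted(results, key=lambda r: (r["pod_namespace"], r["pod_name"]))


if __name__ == "__main__":
    for row in detect_nsenter(EVENTS, allowed_namespaces={"kube-system"}):
        print(f'{row["pod_namespace"]}/{row["pod_name"]} x{row["count"]} '
              f'{row["firstTime"]} .. {row["lastTime"]}')
        for ancestry in row["WorkloadAncestorsBinary"]:
            print("  ancestry:", ancestry)
```

Running it prints only the payments workload, with both nsenter invocations rolled into one row and both ancestry chains listed; dropping the allowlist argument also surfaces the kube-system debugger pod, which is exactly the noise the filter macro exists to remove once a team has confirmed the maintenance workflow.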