LoFP / platform engineers may nsenter into pid 1 namespaces during deep node debugging; correlate with tickets and bastion sessions before escalating.

Techniques

Sample rules

Nsenter to PID Namespace via Auditd

Description

Detects nsenter executions that use a namespace target flag (--target or -t) to attach to another process's namespaces, a pattern commonly used to enter the host init (PID 1) namespace from a container or session and run commands with host context.

Detection logic

host.os.type:linux and 
event.category:process and event.action:(executed or exec) and 
(process.name:nsenter or process.args:nsenter) and 
process.args:((--target* or -t) and not --net=/run/netns/* and not (--assertion and snap) and not (is-active and snap.*))
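As an added example that is not part of the LoFP page or of the rule itself, the detection logic above expressed as a Python predicate and run over constructed process events: the field names follow the ECS keys used in the rule, and the sample argument lists (including the snap and netns cases) are made up to exercise each exclusion.

```python
"""Re-implementation of the nsenter rule's predicate over constructed events."""
from fnmatch import fnmatchcase


def _any_match(args, pattern):
    # KQL wildcard on a multi-valued field: true if any value matches the glob.
    return any(fnmatchcase(a, pattern) for a in args)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the detection logic above."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "process":
        return False
    if event.get("event.action") not in ("executed", "exec"):
        return False
    args = event.get("process.args", [])
    if event.get("process.name") != "nsenter" and "nsenter" not in args:
        return False
    # Core condition: a namespace target flag (--target=<pid>, --target <pid>, -t).
    if not (_any_match(args, "--target*") or "-t" in args):
        return False
    # Exclusion: entering a named network namespace under /run/netns is routine.
    if _any_match(args, "--net=/run/netns/*"):
        return False
    # Exclusions: snapd-style invocations the rule explicitly carves out.
    if "--assertion" in args and "snap" in args:
        return False
    if "is-active" in args and _any_match(args, "snap.*"):
        return False
    return True


def _event(args, os_type="linux"):
    # Constructed sample event (not real telemetry).
    return {"host.os.type": os_type, "event.category": "process",
            "event.action": "exec", "process.name": args[0], "process.args": args}


# Constructed samples: one that should alert, three that the rule suppresses.
HOST_INIT_ENTRY = _event(["nsenter", "--target", "1", "--mount", "--uts", "--ipc",
                          "--net", "--pid", "--", "bash"])
NETNS_DEBUG = _event(["nsenter", "-t", "4242", "--net=/run/netns/cni-1234", "ss", "-tnp"])
SNAP_CHECK = _event(["nsenter", "--target", "1", "--mount", "systemctl",
                     "is-active", "snap.example.daemon.service"])
NOT_LINUX = _event(["nsenter", "-t", "1", "sh"], os_type="windows")

if __name__ == "__main__":
    for name in ("HOST_INIT_ENTRY", "NETNS_DEBUG", "SNAP_CHECK", "NOT_LINUX"):
        print(f"{name}: alert={matches_rule(globals()[name])}")
```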