Techniques
Sample rules
Cisco Isovalent - Potential Escape to Host
- source: splunk
- technicques:
- T1611
Description
This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment.
Detection logic
`cisco_isovalent_process_exec`
(
process_name IN ("nsenter","mount","ps","ls")
OR
process IN ("*nsenter*", "*mount*", "*ps aux*", "*ps -ef*")
)
| bin _time span=5m
| stats
count AS total_events
dc(process_name) AS distinct_cmds
min(_time) AS firstTime
max(_time) AS lastTime
values(process) AS process
values(process_name) AS process_name
BY cluster_name node_name pod_name _time
| eval duration_s = round(lastTime - firstTime, 0)
| where distinct_cmds >= 2 AND duration_s <= 120
| table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___potential_escape_to_host_filter`