Techniques
Sample rules
Container With A hostPath Mount Created
- source: sigma
- techniques:
  - t1611
Description
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Detection logic
condition: selection
selection:
  hostPath: '*'
  objectRef.resource: pods
  verb: create
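
The same selection applied to raw Kubernetes audit events, as an added example that is not part of the Sigma rule. It assumes audit.k8s.io/v1 events logged at Request level or higher, so the pod spec is available under requestObject; the function names and the extra "writable" field are hypothetical and the sample events are constructed.

```python
import json

# Constructed audit events (audit.k8s.io/v1 shape, Request level or higher so
# requestObject is present). Users, namespaces and pod names are made up.
SAMPLE_AUDIT_LOG = """\
{"verb":"create","user":{"username":"dev-a"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"metadata":{"name":"web"},"spec":{"volumes":[{"name":"cache","emptyDir":{}}],"containers":[{"name":"web","volumeMounts":[{"name":"cache","mountPath":"/cache"}]}]}}}
{"verb":"create","user":{"username":"dev-b"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"metadata":{"name":"debug"},"spec":{"volumes":[{"name":"host","hostPath":{"path":"/"}}],"containers":[{"name":"sh","volumeMounts":[{"name":"host","mountPath":"/host"}]}]}}}
{"verb":"create","user":{"username":"log-agent"},"objectRef":{"resource":"pods","namespace":"monitoring"},"requestObject":{"metadata":{"name":"log-agent"},"spec":{"volumes":[{"name":"logs","hostPath":{"path":"/var/log"}}],"containers":[{"name":"agent","volumeMounts":[{"name":"logs","mountPath":"/logs","readOnly":true}]}]}}}
{"verb":"get","user":{"username":"dev-a"},"objectRef":{"resource":"pods","namespace":"default","name":"web"}}
"""

def hostpath_mounts(event):
    """Return one finding per hostPath volume in a pod-create audit event."""
    ref = event.get("objectRef") or {}
    # Same selection as the rule: verb == create and objectRef.resource == pods.
    if event.get("verb") != "create" or ref.get("resource") != "pods":
        return []
    obj = event.get("requestObject") or {}
    meta, spec = obj.get("metadata") or {}, obj.get("spec") or {}
    containers = []
    for key in ("containers", "initContainers", "ephemeralContainers"):
        containers += spec.get(key) or []
    findings = []
    for vol in spec.get("volumes") or []:
        if "hostPath" not in vol:  # the rule's hostPath: '*' (field present)
            continue
        # Writable if at least one container mounts this volume without readOnly: true.
        mounts = [m for c in containers for m in c.get("volumeMounts") or []
                  if m.get("name") == vol.get("name")]
        findings.append({
            "user": (event.get("user") or {}).get("username"),
            "namespace": ref.get("namespace"),
            "pod": meta.get("name") or meta.get("generateName"),
            "host_path": (vol.get("hostPath") or {}).get("path"),
            "writable": any(not m.get("readOnly", False) for m in mounts),
        })
    return findings

def scan(log_text):
    """Run the check over newline-delimited JSON audit events."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings += hostpath_mounts(json.loads(line))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(finding)
```

The "writable" flag is a triage aid on top of the rule: the read-only log-agent mount still matches the selection, but the writable mount of the node's root directory is the case the description warns about.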