Writeable Hostpath Mount (kubernetes)
| Platform | Author | Last Update | 
|---|---|---|
| kubernetes | Leo Tsaousis | 2024-12-02 | 
Create a container with a writeable hostPath mount
A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
This test case simulates the first step of this attack, by creating a pod with a hostPath mount.
MITRE IDs
Scope
This test case does not need cluster-wide permissions; a namespaced Role granting the verbs below is sufficient.
Required Permissions
```yaml
-   apiGroups:
    - ''
    namespaced: true
    resources:
    - pods
    verbs:
    - create
    - get
```
Required Parameters
None
Attacker Action
```shell
kubectl -f /tmp/custom.yml apply
```
Detection Case
ELK query
When logs are ingested into ELK, the following query can be used to identify relevant events.
```
verb:create AND resource:pods AND hostPath:*
```
Sigma Definition
```yaml
---
title: Writeable hostPath Mount
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: experimental
author: Leo Tsaousis
date: 2024-12-02
description: |
  Create a container with a writeable hostPath mount
  A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
  This test case simulates the first step of this attack, by creating a pod with a hostPath mount.
logsource:
  product: kubernetes
  service: audit
detection:
  selection:
    verb: create
    resource: pods
    hostPath: "*"
  condition: selection
level: low
tags:
- attack.T611
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
- https://kubenomicon.com/Persistence/Writable_hostPath_mount.html
falsepositives:
- Various legitimate reasons exist for using hostPath mounts, such as running containers that need node-level access to e.g. transfer logs to a central location, or exposing host configuration files to static pods
```
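The ELK query and the Sigma rule above both fire on any pod creation that carries a hostPath, but neither tells an analyst whether the mount is actually writeable, which is what separates the escape scenario from the log-shipper false positive the rule lists. The following script is an added example, not part of this test case or its tooling: it applies the page's detection logic (verb `create`, resource `pods`, hostPath present) to Kubernetes audit events in the `audit.k8s.io/v1` JSON-lines format and derives writeability from the containers' `volumeMounts`. The audit events, the user name `dev-user` and the pod names are constructed for the example; the `requestObject` field it inspects is only present when the cluster's audit policy logs pods at level `Request` or `RequestResponse`.

```python
"""Detector for the 'writeable hostPath mount' test case.

Added example, not part of the original test case: applies the page's
detection (verb=create, resource=pods, hostPath present) to Kubernetes
audit events (audit.k8s.io/v1, one JSON object per line) and reports
whether each hostPath mount is writeable. All events are constructed.
"""
import json
from typing import Dict, List


def _pod_event(name: str, volumes: list, mounts: list, verb: str = "create") -> dict:
    """Build a minimal constructed audit event for a pod request."""
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": name},
        "requestObject": {"spec": {"volumes": volumes,
                                   "containers": [{"name": "c", "image": "busybox",
                                                   "volumeMounts": mounts}]}},
    }


# Constructed sample audit log: four events, two of which should alert.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # 1. pod mounting the node's root filesystem read-write -> alert (writeable)
    _pod_event("hp-rw",
               [{"name": "host", "hostPath": {"path": "/", "type": "Directory"}}],
               [{"name": "host", "mountPath": "/host"}]),
    # 2. read-only hostPath, e.g. a log shipper -> alert, flagged as not writeable
    _pod_event("hp-ro",
               [{"name": "logs", "hostPath": {"path": "/var/log"}}],
               [{"name": "logs", "mountPath": "/var/log", "readOnly": True}]),
    # 3. ordinary pod with an emptyDir -> no alert
    _pod_event("plain",
               [{"name": "scratch", "emptyDir": {}}],
               [{"name": "scratch", "mountPath": "/tmp"}]),
    # 4. a read of the first pod -> no alert (verb is not create)
    _pod_event("hp-rw", [], [], verb="get"),
])


def hostpath_mounts(pod_spec: dict) -> List[Dict[str, object]]:
    """Return one record per hostPath volume in a pod spec.

    A volume counts as writeable when at least one container (or init
    container) mounts it without readOnly: true; a declared but unmounted
    volume is reported with mounted=False.
    """
    hp_volumes = {v["name"]: v["hostPath"].get("path")
                  for v in pod_spec.get("volumes", []) if "hostPath" in v}
    read_only_flags = {name: [] for name in hp_volumes}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") in read_only_flags:
                read_only_flags[m["name"]].append(bool(m.get("readOnly", False)))
    return [{"volume": name, "path": path,
             "mounted": bool(read_only_flags[name]),
             "writeable": any(not ro for ro in read_only_flags[name])}
            for name, path in hp_volumes.items()]


def detect(audit_log: str) -> List[dict]:
    """Apply the test case's detection to newline-delimited audit events."""
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
            continue
        # The API server logs one event per stage; keep only the final one so
        # a single request produces a single alert.
        if ev.get("stage", "ResponseComplete") != "ResponseComplete":
            continue
        mounts = hostpath_mounts(ev.get("requestObject", {}).get("spec", {}))
        if mounts:
            ref = ev["objectRef"]
            alerts.append({"user": ev.get("user", {}).get("username"),
                           "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                           "mounts": mounts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(json.dumps(alert))
```

Run against the sample, the script returns two alerts: `default/hp-rw` with a writeable mount of `/`, and `default/hp-ro` with a read-only mount of `/var/log`, so a triage rule can prioritise the first while treating the second as the documented false-positive class. The `mounted`/`writeable` split is this example's own addition; the page's query and Sigma rule match on the presence of `hostPath` alone.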