Namespace Manipulation Using Unshare

Identifies suspicious execution of unshare, the util-linux utility that runs a program in new namespaces (user, mount, PID, network and others). An unprivileged user namespace gives its creator a full capability set inside that namespace, which exposes kernel code paths normally reserved for root and is a common stepping stone for kernel privilege-escalation exploits and container escapes. Threat actors have used this binary to break out of a container to the host, reach other resources, or escalate privileges.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Privilege Escalation

Version: 1

Added (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

process where event.type == "start" and event.action == "exec" and
  process.executable : "/usr/bin/unshare" and
  not process.parent.executable : ("/usr/bin/udevadm",
                                   "*/lib/systemd/systemd-udevd",
                                   "/usr/bin/unshare") and
  not process.args : "/usr/bin/snap"
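To make the query's terms and exclusions concrete, the following Python is an added example that re-implements the rule's predicate and runs it over constructed sample events. It is not part of the Elastic rule or its documentation. The flattened event dictionaries, their id values, the _event helper and the eql_match emulation are assumptions for illustration: eql_match models the EQL ':' operator as a case-insensitive comparison with '*' wildcards that matches any element of a list-valued field, while '==' is compared exactly as EQL does; a missing field is treated as not matching, and EQL's null handling is not modelled.

```python
"""Emulate the 'Namespace Manipulation Using Unshare' EQL predicate over sample events."""
import fnmatch
from typing import Dict, Iterable, List, Optional, Sequence, Union

Patterns = Union[str, Sequence[str]]


def eql_match(value, patterns: Patterns) -> bool:
    """Emulate EQL's ':' operator (assumption: modelled as a case-insensitive
    comparison with '*' wildcards). A list-valued field matches when any
    element matches any pattern. A missing field (None) never matches;
    EQL's null semantics are deliberately not modelled here."""
    if isinstance(patterns, str):
        patterns = (patterns,)
    values = value if isinstance(value, list) else [value]
    return any(
        fnmatch.fnmatchcase(str(v).lower(), p.lower())
        for v in values
        if v is not None
        for p in patterns
    )


def matches_rule(ev: Dict) -> bool:
    """The rule's 'where' clause, term by term. '==' is case-sensitive in EQL,
    so event.type and event.action are compared exactly."""
    return (
        ev.get("event.type") == "start"
        and ev.get("event.action") == "exec"
        and eql_match(ev.get("process.executable"), "/usr/bin/unshare")
        and not eql_match(
            ev.get("process.parent.executable"),
            ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare"),
        )
        and not eql_match(ev.get("process.args"), "/usr/bin/snap")
    )


def run_rule(events: Iterable[Dict]) -> List[Dict]:
    """Return the events that would raise an alert."""
    return [ev for ev in events if matches_rule(ev)]


def _event(event_id: str, overrides: Optional[Dict] = None) -> Dict:
    """Build a constructed sample event (assumption: flattened ECS-style keys).
    The defaults describe an interactive user starting unshare from bash."""
    ev = {
        "id": event_id,
        "event.type": "start",
        "event.action": "exec",
        "process.executable": "/usr/bin/unshare",
        "process.parent.executable": "/usr/bin/bash",
        "process.args": ["unshare", "-Urm", "/bin/bash"],
    }
    ev.update(overrides or {})
    return ev


# Constructed sample telemetry, not real endpoint data.
SAMPLE_EVENTS = [
    # user + mount namespace from an interactive shell: alerts
    _event("interactive-userns"),
    # the same launched by a script: alerts
    _event("script-userns", {"process.parent.executable": "/usr/bin/python3",
                             "process.args": ["unshare", "-r", "/bin/sh"]}),
    # udevadm spawning unshare: parent excluded
    _event("udevadm-child", {"process.parent.executable": "/usr/bin/udevadm"}),
    # systemd-udevd outside /usr: caught by the wildcard exclusion
    _event("udevd-child", {"process.parent.executable": "/lib/systemd/systemd-udevd"}),
    # unshare re-executing itself: parent excluded
    _event("nested-unshare", {"process.parent.executable": "/usr/bin/unshare"}),
    # snap confinement helper: excluded by the args term
    _event("snap-helper", {"process.args": ["unshare", "-m", "/usr/bin/snap", "run", "app"]}),
    # fork without exec: event.action does not match
    _event("fork-only", {"event.action": "fork"}),
    # binary copied elsewhere: the path term does not match, so no alert
    _event("copied-binary", {"process.executable": "/tmp/unshare"}),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:<20} alert={matches_rule(ev)}")
```

Running the file prints which sample events would alert: only the two interactive and scripted user-namespace launches. The udevd, nested-unshare and snap exclusions keep the rule quiet on routine system activity, and because the rule keys on process.executable alone, a copy of the binary at another path (the last sample) does not trigger it.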

Threat mapping

Framework: MITRE ATT&CK™