Docker Release File Creation

A newer version is available. Check out the latest documentation.

Docker Release File Creation

This rule detects the creation of files named release_agent or notify_on_release, which are commonly associated with the abuse of Linux cgroup release mechanisms. In Docker or containerized environments, this behavior may indicate an attempt to exploit privilege escalation vulnerabilities such as CVE-2022-0492, where attackers use the release_agent feature to execute code on the host from within a container.

Rule type: eql

Rule indices:

logs-endpoint.events.file*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/

Tags:

Domain: Endpoint
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where host.os.type == "linux" and event.type == "creation" and file.name in ("release_agent", "notify_on_release")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Escape to Host
- ID: T1611
- Reference URL: https://attack.mitre.org/techniques/T1611/

« Docker Escape via Nsenter Docker Socket Enumeration »