IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Nsenter to PID Namespace via Auditd

Detects nsenter executions that use a target-PID flag (--target or -t), a pattern commonly used to attach to the host's init process namespaces from a container or an interactive session and run commands with host context.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-auditd_manager.auditd-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Data Source: Auditd Manager
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating Nsenter to PID Namespace via Auditd

Review process.args for the full nsenter invocation (target PID, mount, UTS, IPC, net, user namespaces), parent process, user identity, and host. PID targeting is a strong escape or host-administration signal when unexpected for the actor.

Possible investigation steps

  • Confirm whether the session originated from a container, SSH session, or automation agent.
  • Pivot on the same host for subsequent writes under /etc, docker.sock access, or new systemd units.

False positive analysis

  • Some CNI or snap workflows legitimately invoke nsenter with a target PID; rely on the rule's built-in exclusions first, then tune by parent command or service account.

Response and remediation

  • If malicious, isolate the host, revoke credentials, inspect for persistence, and re-image if integrity cannot be proven.

Setup

Deploy the Auditd Manager integration on Linux hosts that should emit process execution telemetry (Fleet → Integrations → Auditd Manager, then attach it to an agent policy).

Ensure the audit syscall rules capture execve for utilities such as nsenter, so that events with event.category:process and event.action:executed are populated with process.name and process.args.

See https://docs.elastic.co/integrations/auditd_manager for integration details.

Rule query

host.os.type:linux and
event.category:process and event.action:(executed or exec) and
(process.name:nsenter or process.args:nsenter) and
process.args:((--target* or -t) and not --net=/run/netns/* and not (--assertion and snap) and not (is-active and snap.*))
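The query above is KQL evaluated by the detection engine over ECS fields; the following is an added reference implementation of the same clause logic in Python, run over constructed auditd-style events, so the match and exclusion behaviour can be checked offline. It is not Elastic's rule engine or KQL parser, and the sample events, their ids and the helper names (any_arg, rule_matches, evaluate) are assumptions made for this example.

```python
"""Reference implementation of the 'Nsenter to PID Namespace via Auditd' rule logic
over constructed auditd-style events (added example; not Elastic's engine or parser).

Each clause of the KQL query becomes a predicate over a flattened event dict whose
process.args value is a list of tokens, mirroring the ECS keyword-array field. In KQL a
compound condition on one array field, e.g. process.args:(A and B), is satisfied when
SOME value matches A and SOME value matches B; they need not be the same element, and
the predicates below follow that semantics. A trailing '*' in a term is a wildcard.
"""
from fnmatch import fnmatchcase


def any_arg(event, pattern):
    """True if any process.args token matches the KQL term (trailing '*' = wildcard)."""
    return any(fnmatchcase(arg, pattern) for arg in event.get("process.args", []))


def rule_matches(event):
    """Evaluate every clause of the rule query; True means the event would alert."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.category") != "process":
        return False
    if event.get("event.action") not in ("executed", "exec"):
        return False
    # (process.name:nsenter or process.args:nsenter)
    if not (event.get("process.name") == "nsenter" or any_arg(event, "nsenter")):
        return False
    # A PID-targeting flag must be present: --target, --target=<pid>, or -t
    if not (any_arg(event, "--target*") or any_arg(event, "-t")):
        return False
    # Built-in exclusions: CNI netns plumbing, snap assertions, snap unit checks
    if any_arg(event, "--net=/run/netns/*"):
        return False
    if any_arg(event, "--assertion") and any_arg(event, "snap"):
        return False
    if any_arg(event, "is-active") and any_arg(event, "snap.*"):
        return False
    return True


def _event(event_id, name, args, action="executed", os_type="linux"):
    """Build a constructed, ECS-shaped process event for the samples below."""
    return {
        "id": event_id,
        "host.os.type": os_type,
        "event.category": "process",
        "event.action": action,
        "process.name": name,
        "process.args": args,
    }


# Constructed sample events (not real telemetry); ids are labels for this example only.
SAMPLE_EVENTS = [
    # Classic attach to PID 1 with all namespaces: should alert
    _event("host-escape-long", "nsenter",
           ["nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "/bin/bash"]),
    # Same intent using short flags: should alert
    _event("host-escape-short", "nsenter",
           ["nsenter", "-t", "1", "-m", "-u", "-i", "-n", "-p", "sh"]),
    # Applet-style invocation where process.name is not nsenter but args[0] is: should alert
    _event("busybox-applet", "busybox",
           ["nsenter", "--target=1", "-m", "-p", "sh"]),
    # CNI-style network namespace work: excluded by --net=/run/netns/*
    _event("cni-netns", "nsenter",
           ["nsenter", "--target", "1234", "--net=/run/netns/cni-example", "ip", "link"]),
    # snap assertion handling: excluded by (--assertion and snap)
    _event("snap-assertion", "nsenter",
           ["nsenter", "--target=1", "--mount", "--", "snap", "known", "--assertion"]),
    # snap unit status check: excluded by (is-active and snap.*)
    _event("snap-is-active", "nsenter",
           ["nsenter", "-t", "1", "--mount", "--", "systemctl", "is-active", "snap.example.daemon"]),
    # nsenter without any PID-targeting flag: no alert
    _event("no-target-flag", "nsenter", ["nsenter", "--mount", "--", "ls"]),
    # Not an execution event (e.g. a fork record): no alert
    _event("not-exec-action", "nsenter", ["nsenter", "-t", "1"], action="fork"),
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event id to whether the rule would alert on it."""
    return {e["id"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for event_id, alerted in evaluate().items():
        print(f"{event_id:18s} -> {'ALERT' if alerted else 'no match'}")
```

Two points the run makes visible: the wildcard term --target* catches both the space-separated (--target 1) and the equals form (--target=1), and each exclusion requires both of its tokens to appear somewhere in process.args, so a command that merely mentions snap or is-active without the paired token is still eligible to alert.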

Framework: MITRE ATT&CK™