Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be used to escalate privileges or escape container security boundaries. Threat actors have used this binary to escape to the host, access other resources, or escalate privileges.
Rule type: eql
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Privilege Escalation
Added (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query:

```eql
process where event.type == "start" and event.action == "exec" and
  process.executable : "/usr/bin/unshare" and
  not process.parent.executable : ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
  not process.args : "/usr/bin/snap"
```
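As an added example (not Elastic's code), the query's matching logic re-implemented in plain Python and run over constructed process events, so that each exclusion clause can be exercised on its own; the `eql_match` helper, the flattened ECS field names and the sample events are assumptions, and the EQL `:` operator is approximated with case-insensitive fnmatch.

```python
import fnmatch

RULE_EXECUTABLE = "/usr/bin/unshare"
# Parent executables the rule excludes; the systemd-udevd entry is a wildcard pattern.
EXCLUDED_PARENTS = ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare")
EXCLUDED_ARG = "/usr/bin/snap"

def eql_match(value, patterns):
    # Approximates EQL ':' - case-insensitive, '*' wildcard; a missing field never matches.
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def rule_matches(event):
    """True when a flattened ECS process event would trigger the rule query above."""
    if event.get("event.type") != "start" or event.get("event.action") != "exec":
        return False
    if not eql_match(event.get("process.executable"), [RULE_EXECUTABLE]):
        return False
    if eql_match(event.get("process.parent.executable"), EXCLUDED_PARENTS):
        return False
    # process.args is an array; EQL ':' on an array matches if any element matches.
    if any(eql_match(a, [EXCLUDED_ARG]) for a in event.get("process.args", [])):
        return False
    return True

# Constructed sample events (not real telemetry); keys are flattened ECS field names.
SAMPLE_EVENTS = [
    # unshare launched from an interactive shell: nothing excludes it -> alert
    {"event.type": "start", "event.action": "exec",
     "process.executable": "/usr/bin/unshare", "process.parent.executable": "/bin/bash",
     "process.args": ["/usr/bin/unshare", "-m", "/bin/sh"]},
    # udev worker as parent: matched by the wildcard exclusion -> no alert
    {"event.type": "start", "event.action": "exec",
     "process.executable": "/usr/bin/unshare",
     "process.parent.executable": "/usr/lib/systemd/systemd-udevd",
     "process.args": ["/usr/bin/unshare", "-m", "/bin/true"]},
    # snap in the argument list: excluded by the process.args clause -> no alert
    {"event.type": "start", "event.action": "exec",
     "process.executable": "/usr/bin/unshare", "process.parent.executable": "/usr/bin/snap-confine",
     "process.args": ["/usr/bin/unshare", "-m", "/usr/bin/snap", "run", "app"]},
    # unshare re-executing unshare: excluded by the parent clause -> no alert
    {"event.type": "start", "event.action": "exec",
     "process.executable": "/usr/bin/unshare", "process.parent.executable": "/usr/bin/unshare",
     "process.args": ["/usr/bin/unshare", "-p", "/bin/sh"]},
]

def alerts(events=SAMPLE_EVENTS):
    # Indices of the events that fire the rule.
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Only the first sample fires; when tuning the rule for a fleet, extending `EXCLUDED_PARENTS` here and re-running `alerts()` over exported events is a quick way to check that a new exception does not also silence the shell-spawned case.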
Framework: MITRE ATT&CK™
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/