Docker Release File Creation

This rule detects the creation of files named release_agent or notify_on_release, which are commonly associated with the abuse of Linux cgroup release mechanisms. In Docker or containerized environments, this behavior may indicate an attempt to exploit privilege escalation vulnerabilities such as CVE-2022-0492, where attackers use the release_agent feature to execute code on the host from within a container.

Rule type: eql
Rule indices:

• logs-endpoint.events.file*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

• https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/

Tags:

• Domain: Endpoint
• Domain: Container
• OS: Linux
• Use Case: Threat Detection
• Tactic: Privilege Escalation
• Data Source: Elastic Defend

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

file where host.os.type == "linux" and event.type == "creation" and file.name in ("release_agent", "notify_on_release")

Framework: MITRE ATT&CK

• Tactic:

  • Name: Privilege Escalation
  • Id: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Escape to Host
  • Id: T1611
  • Reference URL: https://attack.mitre.org/techniques/T1611/