creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-container-escape-attempts/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.2 KiB
Raw Blame History

API Reference: Detecting Container Escape Attempts

Common Escape Vectors (MITRE ATT&CK)

Vector Technique MITRE ID
Privileged container Mount host FS, load modules T1611
Docker socket mount Create privileged container T1610
Kernel exploits CVE-2022-0185, Dirty Pipe T1068
Capability abuse SYS_ADMIN, SYS_PTRACE T1548
Sensitive mounts /proc/sysrq-trigger, cgroup release_agent T1611
Namespace escape nsenter, unshare T1611

Docker CLI Inspection

# Check if container is privileged
docker inspect --format='{{.HostConfig.Privileged}}' <container>

# Check added capabilities
docker inspect --format='{{.HostConfig.CapAdd}}' <container>

# Check PID namespace mode
docker inspect --format='{{.HostConfig.PidMode}}' <container>

# Check volume mounts
docker inspect --format='{{range .Mounts}}{{.Source}}:{{.Destination}} {{end}}' <container>

Falco JSON Alert Format

{
  "time": "2024-01-15T10:30:00.000Z",
  "rule": "Container Escape via Privileged Mode",
  "priority": "Critical",
  "output": "Container escape attempt...",
  "output_fields": {
    "container.name": "attacker-pod",
    "container.image.repository": "alpine",
    "proc.cmdline": "nsenter -t 1 -m -u -i -n"
  },
  "tags": ["container", "escape", "T1611"]
}

Linux Audit Rules for Escape Detection

# /etc/audit/rules.d/container-escape.rules
-a always,exit -F arch=b64 -S setns -S unshare -k container_escape
-a always,exit -F arch=b64 -S mount -S umount2 -k container_mount
-a always,exit -F arch=b64 -S init_module -S finit_module -k kernel_module
-w /var/run/docker.sock -p rwxa -k docker_socket

Dangerous Linux Capabilities

Capability Escape Risk
CAP_SYS_ADMIN Mount filesystems, manage cgroups
CAP_SYS_PTRACE Trace/debug any process
CAP_NET_ADMIN Network namespace manipulation
CAP_SYS_MODULE Load/unload kernel modules
CAP_DAC_READ_SEARCH Bypass file read permissions

CLI Usage

python agent.py --falco-log /var/log/falco/events.json
python agent.py --audit-log /var/log/audit/audit.log
python agent.py --check-containers
python agent.py --container-id abc123
Reference in New Issue View Git Blame Copy Permalink