mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 22:24:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
75 lines
2.2 KiB
Markdown
75 lines
2.2 KiB
Markdown
# API Reference: Detecting Container Escape Attempts
|
|
|
|
## Common Escape Vectors (MITRE ATT&CK)
|
|
|
|
| Vector | Technique | MITRE ID |
|
|
|--------|-----------|----------|
|
|
| Privileged container | Mount host FS, load modules | T1611 |
|
|
| Docker socket mount | Create privileged container | T1610 |
|
|
| Kernel exploits | CVE-2022-0185, Dirty Pipe | T1068 |
|
|
| Capability abuse | SYS_ADMIN, SYS_PTRACE | T1548 |
|
|
| Sensitive mounts | /proc/sysrq-trigger, cgroup release_agent | T1611 |
|
|
| Namespace escape | nsenter, unshare | T1611 |
|
|
|
|
## Docker CLI Inspection
|
|
|
|
```bash
|
|
# Check if container is privileged
|
|
docker inspect --format='{{.HostConfig.Privileged}}' <container>
|
|
|
|
# Check added capabilities
|
|
docker inspect --format='{{.HostConfig.CapAdd}}' <container>
|
|
|
|
# Check PID namespace mode
|
|
docker inspect --format='{{.HostConfig.PidMode}}' <container>
|
|
|
|
# Check volume mounts
|
|
docker inspect --format='{{range .Mounts}}{{.Source}}:{{.Destination}} {{end}}' <container>
|
|
```
|
|
|
|
## Falco JSON Alert Format
|
|
|
|
```json
|
|
{
|
|
"time": "2024-01-15T10:30:00.000Z",
|
|
"rule": "Container Escape via Privileged Mode",
|
|
"priority": "Critical",
|
|
"output": "Container escape attempt...",
|
|
"output_fields": {
|
|
"container.name": "attacker-pod",
|
|
"container.image.repository": "alpine",
|
|
"proc.cmdline": "nsenter -t 1 -m -u -i -n"
|
|
},
|
|
"tags": ["container", "escape", "T1611"]
|
|
}
|
|
```
|
|
|
|
## Linux Audit Rules for Escape Detection
|
|
|
|
```bash
|
|
# /etc/audit/rules.d/container-escape.rules
|
|
-a always,exit -F arch=b64 -S setns -S unshare -k container_escape
|
|
-a always,exit -F arch=b64 -S mount -S umount2 -k container_mount
|
|
-a always,exit -F arch=b64 -S init_module -S finit_module -k kernel_module
|
|
-w /var/run/docker.sock -p rwxa -k docker_socket
|
|
```
|
|
|
|
## Dangerous Linux Capabilities
|
|
|
|
| Capability | Escape Risk |
|
|
|------------|-------------|
|
|
| CAP_SYS_ADMIN | Mount filesystems, manage cgroups |
|
|
| CAP_SYS_PTRACE | Trace/debug any process |
|
|
| CAP_NET_ADMIN | Network namespace manipulation |
|
|
| CAP_SYS_MODULE | Load/unload kernel modules |
|
|
| CAP_DAC_READ_SEARCH | Bypass file read permissions |
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
python agent.py --falco-log /var/log/falco/events.json
|
|
python agent.py --audit-log /var/log/audit/audit.log
|
|
python agent.py --check-containers
|
|
python agent.py --container-id abc123
|
|
```
|