Escape to Host (T1611)

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Windows
  • Linux
  • Global
  • Darwin
  • Android

Themes

Tags

Licenses

Is my Kubernetes pod protected against host mounting?

2022-11-29

/static/assets/linux-logo.svg
Escape Kubernetes Pod via host filesystem mounting.
Is my Docker daemon vulnerable to privilege escalation?

2022-11-15

/static/assets/linux-logo.svg
Privilege escalation through exposed Docker daemon.
Is my Docker container vulnerable to cgroup controller escapes?

2022-11-08

/static/assets/linux-logo.svg
Escape Docker container via cgroup controller.
Is my Docker container vulnerable to host filesystem mounting?

2022-11-01

/static/assets/linux-logo.svg/static/assets/apple-logo.svg
Escape Docker container by mounting host filesystem.
Is my Docker container vulnerable to a Docker socket escape?

2022-10-25

/static/assets/linux-logo.svg
Escape a Docker container that has the Docker socket mounted.