Containers that are running in privileged mode and have the hostPID flag enabled are vulnerable to a privilege escalation and container escape to the host system. This TTP attempts to use nsenter to enter the namespace of the init system process (PID 1) on the host to spawn a root shell. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.
View Command
To view this TTPs command, you must be logged in with a professional or enterprise license.