Nsenter to PID Namespace via Auditd

Last updated 6 days ago on 2026-04-27

Created 6 days ago on 2026-04-27

About

Detects nsenter executions that target PID with a namespace target flag, a pattern commonly used to attach to the host init namespace from a container or session and run with host context.

Tags

Domain: EndpointDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationData Source: Auditd ManagerLanguage: kuery

Severity

high

Risk Score

MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Escape to Host (T1611)(external, opens in a new tab or window)

False Positive Examples

Platform engineers may nsenter into PID 1 namespaces during deep node debugging; correlate with tickets and bastion sessions before escalating.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: auditbeat-*logs-auditd_manager.auditd-*
Related Integrations: auditd_manager(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗host.os.type:linux and 
event.category:process and event.action:(executed or exec) and 
(process.name:nsenter or process.args:nsenter) and 
process.args:((--target* or -t) and not --net=/run/netns/* and not (--assertion and snap) and not (is-active and snap.*))

Install detection rules in Elastic Security

Detect Nsenter to PID Namespace via Auditd in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).