Mount Launched Inside a Container

Last updated: 2025-03-12
Created: 2025-03-12

About

This rule detects the use of the mount utility from inside a container. The mount command makes a device or file system accessible to the system by attaching its root directory to a specified mount point on the local file system. When launched inside a privileged container (a container deployed with all the capabilities of the host machine), an attacker can access sensitive host-level files, which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated.
Tags
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name == "mount"
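To show how the query's conditions combine on real-looking telemetry, here is an added example, not Elastic's code: the rule logic re-implemented in Python and run over constructed ECS-style process events. The field names are the ones the query uses (plus process.args, assumed present, to print the mount command line for triage); the sample events are constructed, not real telemetry.

```python
# Added example (not Elastic's code): the rule's EQL conditions in Python,
# run over constructed ECS-style events so the matching logic can be traced.
from typing import Any, Dict, List

def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field name against a nested event document."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def field_has(event: Dict[str, Any], path: str, value: str) -> bool:
    """EQL-style equality: a scalar must equal value, an array must contain it."""
    found = get_field(event, path)
    return value in found if isinstance(found, list) else found == value

def matches_rule(event: Dict[str, Any]) -> bool:
    """Same conditions as the page's query ('process where ...' sets event.category)."""
    return (
        field_has(event, "event.category", "process")
        and field_has(event, "host.os.type", "linux")
        and field_has(event, "event.type", "start")
        and field_has(event, "event.action", "exec")
        and field_has(event, "process.entry_leader.entry_meta.type", "container")
        and field_has(event, "process.name", "mount")
    )

def run_rule(events: List[Dict[str, Any]]) -> List[str]:
    """Return the command line of each matching event, the first thing a triager wants."""
    return [" ".join(get_field(e, "process.args") or []) for e in events if matches_rule(e)]

def make_event(name, args, leader, action="exec", etype="start", os_type="linux"):
    """Build a constructed ECS-style event (sample data, not real telemetry)."""
    return {
        "event": {"category": ["process"], "type": [etype], "action": action},
        "host": {"os": {"type": os_type}},
        "process": {"name": name, "args": args,
                    "entry_leader": {"entry_meta": {"type": leader}}},
    }

SAMPLE_EVENTS = [
    make_event("mount", ["mount", "/dev/sda1", "/mnt/host"], "container"),  # alert
    make_event("mount", ["mount", "-t", "tmpfs", "none", "/tmp"], "init"),  # host shell, no alert
    make_event("ls", ["ls", "/mnt"], "container"),                           # not mount
    make_event("mount", ["mount", "/dev/sda1", "/mnt/host"], "container",
               action="end", etype="end"),                                   # exit event, no alert
]
```

Only the first sample event fires; the alert itself says nothing about whether the container was privileged, so that is the next thing to check during triage.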

Install detection rules in Elastic Security

Detect Mount Launched Inside a Container in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.