Detection: Cisco Isovalent - Nsenter Usage in Kubernetes Pod

Description

This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: nsenter --target 1 --mount --uts --ipc --net --pid -- bash. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage.

The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges.

Search

 1`cisco_isovalent_process_exec` process_name="nsenter" 
 2
 3| eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ")
 4
 5| stats count 
 6        min(_time) as firstTime 
 7        max(_time) as lastTime 
 8        values(process) as process
 9        values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary
10    by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
11
12| `security_content_ctime(firstTime)`
13
14| `security_content_ctime(lastTime)`
15
16| `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter`

Data Source

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior.

Known False Positives

It is highly unlikely that nsenter will be used in a legitimate way, investigate the alert in context to rule out benign operations.

Associated Analytic Story

• Cisco Isovalent Suspicious Activity

Risk Based Analytics (RBA)

Risk Message:

An nsenter escape attempt has been detected by user on container pod - [$pod_name$]

References

• https://isovalent.com/blog/post/2021-11-container-escape/

• https://kubehound.io/reference/attacks/CE_NSENTER/

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1