Escape to Host (T1611)

Technique & Subtechniques

  • Escape to Host

Associated Tactics

  • Privilege Escalation

Privilege Escalation (TA0004)

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

  • SYSTEM/root level
  • local administrator
  • user account with admin-like access
  • user accounts with access to a specific system or that perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Procedure Examples

Description Source(s)
0xn3va. (n.d.). Escaping. Retrieved May 27, 2022. Container Escape
Daniel Prizmant. (2020, July 15). Windows Server Containers Are Open, and Here's How You Can Break Out. Retrieved October 1, 2021. Windows Server Containers Are Open
Docker. (n.d.). Docker Overview. Retrieved March 30, 2021. Docker Overview
Docker. (n.d.). Use Bind Mounts. Retrieved March 30, 2021. Docker Bind Mounts
Fiser, D., Oliveira, A. (2019, December 20). Why a Privileged Container in Docker is a Bad Idea. Retrieved March 30, 2021. Trend Micro Privileged Container
Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. Intezer Doki July 20
Manoj Ahuje. (2022, January 31). CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit. Retrieved July 6, 2022. Crowdstrike Kubernetes Container Escape
Mark Manning. (2020, July 23). Keyctl-unmask: "Going Florida" on The State Of Containerizing Linux Keyrings. Retrieved July 6, 2022. Keyctl-unmask