# CTR-001: a GTFOBins binary with an execution-class function (shell, command,
# reverse-shell or bind-shell) that the image also keeps setuid or setgid.
# Evaluated as a filter over `components`; each component passing the filter
# presumably becomes one finding — confirm with the rule engine.
- id: CTR-001
  name: "Container image ships setuid/setgid GTFOBins execution primitive"
  description: "Known GTFOBins execution helpers become materially riskier when the image keeps the binary setuid or setgid."
  severity: critical
  category: container-risk
  dry-run-support: full
  # Three conjuncts: the GTFOBins annotation matched, at least one execution
  # function is listed, and at least one of the setuid/setgid flags is set.
  # Every flag is compared against the string 'true', so the annotator is
  # expected to emit these booleans as strings — TODO confirm against the
  # annotator; a real boolean would silently never match.
  condition: |
    components[
      $prop($, 'cdx:gtfobins:matched') = 'true'
      and (
        $listContains($prop($, 'cdx:gtfobins:functions'), 'shell')
        or $listContains($prop($, 'cdx:gtfobins:functions'), 'command')
        or $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell')
        or $listContains($prop($, 'cdx:gtfobins:functions'), 'bind-shell')
      )
      and (
        $prop($, 'internal:has_setuid') = 'true'
        or $prop($, 'internal:has_setgid') = 'true'
      )
    ]
  # Finding location: the component's bom-ref and purl plus the path recorded
  # in the 'SrcFile' property.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # NOTE(review): '{{ name }}' and 'SrcFile' originate from the scanned image
  # content, so whatever renders this message should treat them as untrusted
  # text (escape for HTML/terminal as appropriate).
  message: "Executable '{{ name }}' at '{{ $prop($, 'SrcFile') }}' combines GTFOBins execution features with setuid/setgid permissions"
  mitigation: "Remove the setuid/setgid bit, replace the image with a slimmer base, and keep container privilege boundaries strict (no host mounts, no privileged mode, no extra capabilities)."
  # MITRE ATT&CK: TA0004 Privilege Escalation; T1548 Abuse Elevation Control
  # Mechanism (setuid/setgid), T1611 Escape to Host.
  attack:
    tactics: [TA0004]
    techniques: [T1548, T1611]
  # Annotation properties copied into the finding for triage; 'reference' is
  # the GTFOBins entry the match was derived from.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:gtfobins:name'),
      "functions": $prop($, 'cdx:gtfobins:functions'),
      "contexts": $prop($, 'cdx:gtfobins:contexts'),
      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
      "srcFile": $prop($, 'SrcFile'),
      "reference": $prop($, 'cdx:gtfobins:reference')
    }

# CTR-002: a GTFOBins binary tagged 'container-escape' that is setuid/setgid or
# whose GTFOBins entry lists 'capabilities' as a privileged context.
- id: CTR-002
  name: "Container image includes privileged container-escape helper"
  description: "Container runtime or namespace-management helpers that are already classified as GTFOBins can accelerate container breakout when runtime isolation is weakened."
  severity: critical
  category: container-risk
  dry-run-support: full
  # NOTE(review): the setuid/setgid branches read observed file flags, but the
  # 'capabilities' branch reads the GTFOBins 'privilegedContexts' annotation,
  # i.e. the binary is *documented* as abusable under capabilities — it is not
  # an observed file-capability check. Confirm this is the intended trigger
  # for a critical finding, since it fires without any elevated bit present.
  condition: |
    components[
      $prop($, 'cdx:gtfobins:matched') = 'true'
      and $listContains($prop($, 'cdx:gtfobins:riskTags'), 'container-escape')
      and (
        $prop($, 'internal:has_setuid') = 'true'
        or $prop($, 'internal:has_setgid') = 'true'
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities')
      )
    ]
  # Finding location: bom-ref, purl and the 'SrcFile' path.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # '{{ name }}' and 'SrcFile' are image-derived values; render as untrusted text.
  message: "Container-escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' with elevated execution semantics"
  mitigation: "Remove container runtime and namespace-management tooling from application images, avoid CAP_SYS_ADMIN-like capability grants, and block access to the Docker/containerd sockets."
  # MITRE ATT&CK: TA0004 Privilege Escalation; T1611 Escape to Host.
  attack:
    tactics: [TA0004]
    techniques: [T1611]
  # Annotation properties copied into the finding for triage.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:gtfobins:name'),
      "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'),
      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
      "srcFile": $prop($, 'SrcFile')
    }

# CTR-003: a GTFOBins binary with a 'library-load' or 'privilege-escalation'
# function, in a privileged context (setuid/setgid observed, or the GTFOBins
# entry lists sudo/suid/capabilities as a privileged context).
- id: CTR-003
  name: "Container image includes privileged GTFOBins library-load or escalation primitive"
  description: "GTFOBins entries that can load attacker-controlled shared libraries or directly escalate privileges are strong hardening failures in container images."
  severity: high
  category: container-risk
  dry-run-support: full
  # The privileged-context disjunction mixes observed flags (has_setuid /
  # has_setgid) with documented GTFOBins contexts (sudo / suid / capabilities);
  # the documented branches match without any elevated bit on the file itself.
  condition: |
    components[
      $prop($, 'cdx:gtfobins:matched') = 'true'
      and (
        $listContains($prop($, 'cdx:gtfobins:functions'), 'library-load')
        or $listContains($prop($, 'cdx:gtfobins:functions'), 'privilege-escalation')
      )
      and (
        $prop($, 'internal:has_setuid') = 'true'
        or $prop($, 'internal:has_setgid') = 'true'
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'sudo')
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'suid')
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities')
      )
    ]
  # Finding location: bom-ref, purl and the 'SrcFile' path.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # NOTE(review): unlike CTR-001/002/005/006/007, this message omits the
  # 'SrcFile' path; the path is still available via `location.file` and
  # `evidence.srcFile`. '{{ name }}' is image-derived; render as untrusted text.
  message: "Binary '{{ name }}' exposes GTFOBins privilege-escalation or library-load behavior in a privileged execution context"
  mitigation: "Remove the helper from the image where possible, strip privileged bits/capabilities, and keep writable mounts away from privileged processes."
  # MITRE ATT&CK: TA0002 Execution, TA0004 Privilege Escalation, TA0005 Defense
  # Evasion; T1574 Hijack Execution Flow (library load), T1548 Abuse Elevation
  # Control Mechanism.
  attack:
    tactics: [TA0002, TA0004, TA0005]
    techniques: [T1574, T1548]
  # Annotation properties copied into the finding for triage.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:gtfobins:name'),
      "functions": $prop($, 'cdx:gtfobins:functions'),
      "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'),
      "srcFile": $prop($, 'SrcFile')
    }

# CTR-004: a GTFOBins binary tagged 'data-exfiltration' or with an 'upload'
# function, in the same privileged-context set used by CTR-003.
- id: CTR-004
  name: "Container image retains privileged GTFOBins exfiltration primitive"
  description: "A GTFOBins helper that can read local files or upload data becomes especially dangerous when it also runs with setuid/setgid or other elevated contexts."
  severity: high
  category: container-risk
  dry-run-support: full
  # First disjunction: risk tag 'data-exfiltration' OR function 'upload'.
  # Second disjunction: observed setuid/setgid OR documented GTFOBins
  # sudo/suid/capabilities context (the latter do not require an elevated bit
  # on the file). Keep this list in step with CTR-003 if either changes.
  condition: |
    components[
      $prop($, 'cdx:gtfobins:matched') = 'true'
      and (
        $listContains($prop($, 'cdx:gtfobins:riskTags'), 'data-exfiltration')
        or $listContains($prop($, 'cdx:gtfobins:functions'), 'upload')
      )
      and (
        $prop($, 'internal:has_setuid') = 'true'
        or $prop($, 'internal:has_setgid') = 'true'
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'sudo')
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'suid')
        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities')
      )
    ]
  # Finding location: bom-ref, purl and the 'SrcFile' path.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # NOTE(review): as with CTR-003, the message omits the 'SrcFile' path that the
  # other rules include; it remains available in `location.file`.
  # '{{ name }}' is image-derived; render as untrusted text.
  message: "Binary '{{ name }}' can read or exfiltrate local data from a privileged execution path"
  mitigation: "Drop privileged bits, keep secrets off the image filesystem, and remove unnecessary upload/file-read helpers from runtime images."
  # MITRE ATT&CK: TA0009 Collection, TA0010 Exfiltration; T1005 Data from Local
  # System, T1041 Exfiltration Over C2 Channel.
  attack:
    tactics: [TA0009, TA0010]
    techniques: [T1005, T1041]
  # Annotation properties copied into the finding for triage.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:gtfobins:name'),
      "functions": $prop($, 'cdx:gtfobins:functions'),
      "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'),
      "srcFile": $prop($, 'SrcFile')
    }

# CTR-005: a remote-execution-capable GTFOBins binary located under a path the
# rule treats as mutable or non-standard. No privilege bit is required here,
# which is why the severity is only medium.
- id: CTR-005
  name: "Container image includes mutable-path GTFOBins remote-execution helper"
  description: "Remote-execution-capable GTFOBins helpers under mutable or non-standard image paths often indicate an avoidable attack toolkit or image tampering."
  severity: medium
  category: container-risk
  dry-run-support: full
  # Capability clause: 'reverse-shell' or 'bind-shell' alone is enough;
  # otherwise a (shell OR command) function must be paired with an
  # (upload OR download) function.
  # Path clause: prefix matches on 'SrcFile'. Because these are prefix checks,
  # '/usr/local/' also covers '/usr/local/bin' and '/usr/local/sbin', so
  # distribution-installed tooling in those directories will match. A
  # component with no 'SrcFile' property presumably fails every $startsWith and
  # is never reported — confirm with the engine's null semantics.
  condition: |
    components[
      $prop($, 'cdx:gtfobins:matched') = 'true'
      and (
        $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell')
        or $listContains($prop($, 'cdx:gtfobins:functions'), 'bind-shell')
        or (
          (
            $listContains($prop($, 'cdx:gtfobins:functions'), 'shell')
            or $listContains($prop($, 'cdx:gtfobins:functions'), 'command')
          )
          and (
            $listContains($prop($, 'cdx:gtfobins:functions'), 'upload')
            or $listContains($prop($, 'cdx:gtfobins:functions'), 'download')
          )
        )
      )
      and (
        $startsWith($prop($, 'SrcFile'), '/usr/local/')
        or $startsWith($prop($, 'SrcFile'), '/opt/')
        or $startsWith($prop($, 'SrcFile'), '/app/')
        or $startsWith($prop($, 'SrcFile'), '/tmp/')
        or $startsWith($prop($, 'SrcFile'), '/var/tmp/')
        or $startsWith($prop($, 'SrcFile'), '/root/')
        or $startsWith($prop($, 'SrcFile'), '/home/')
      )
    ]
  # Finding location: bom-ref, purl and the 'SrcFile' path.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # '{{ name }}' and 'SrcFile' are image-derived values; render as untrusted text.
  message: "GTFOBins remote-execution helper '{{ name }}' is present in mutable image path '{{ $prop($, 'SrcFile') }}'"
  mitigation: "Keep runtime images immutable and minimal, move administrative tooling to separate debug images, and investigate how the helper entered the image."
  # MITRE ATT&CK: TA0008 Lateral Movement, TA0011 Command and Control;
  # T1105 Ingress Tool Transfer, T1570 Lateral Tool Transfer.
  attack:
    tactics: [TA0008, TA0011]
    techniques: [T1105, T1570]
  # Annotation properties copied into the finding for triage.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:gtfobins:name'),
      "functions": $prop($, 'cdx:gtfobins:functions'),
      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
      "srcFile": $prop($, 'SrcFile')
    }

# CTR-006: a component the container-knowledge annotator (the 'cdx:container:*'
# namespace, distinct from 'cdx:gtfobins:*' used by CTR-001..005) has tagged
# as a dedicated offensive toolkit.
- id: CTR-006
  name: "Container image ships dedicated offensive container toolkit"
  description: "Dedicated container or Kubernetes intrusion toolkits such as Peirates, CDK, or DEEPCE should not ship inside production runtime images."
  severity: high
  category: container-risk
  dry-run-support: full
  # No privilege or path condition: presence of the 'offensive-toolkit' risk
  # tag alone is the finding. Matching quality therefore depends entirely on
  # the annotator's tool list ('knowledgeSources' in evidence shows provenance).
  condition: |
    components[
      $prop($, 'cdx:container:matched') = 'true'
      and $listContains($prop($, 'cdx:container:riskTags'), 'offensive-toolkit')
    ]
  # Finding location: bom-ref, purl and the 'SrcFile' path.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # '{{ name }}' and 'SrcFile' are image-derived values; render as untrusted text.
  message: "Dedicated offensive toolkit '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}'"
  mitigation: "Remove offensive testing binaries from runtime images, rebuild from a minimal trusted base, and keep container debugging or red-team tooling in separate break-glass images."
  # MITRE ATT&CK: TA0002 Execution, TA0004 Privilege Escalation, TA0006
  # Credential Access, TA0007 Discovery; T1552.007 Container API, T1609
  # Container Administration Command, T1611 Escape to Host, T1613 Container and
  # Resource Discovery.
  attack:
    tactics: [TA0002, TA0004, TA0006, TA0007]
    techniques: [T1552.007, T1609, T1611, T1613]
  # Annotation properties copied into the finding for triage; 'attackTechniques'
  # is the annotator's own mapping and may differ from the static list above.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:container:name'),
      "offenseTools": $prop($, 'cdx:container:offenseTools'),
      "riskTags": $prop($, 'cdx:container:riskTags'),
      "attackTechniques": $prop($, 'cdx:container:attackTechniques'),
      "knowledgeSources": $prop($, 'cdx:container:knowledgeSources'),
      "srcFile": $prop($, 'SrcFile')
    }

# CTR-007: a container-escape or namespace-escape helper whose required
# syscalls the annotator has evaluated against the Docker default seccomp
# profile and found blocked. The finding is about residual risk: the helper is
# neutralised only while the default profile stays in force.
- id: CTR-007
  name: "Container image includes seccomp-sensitive namespace escape helper"
  description: "Helpers that rely on syscalls blocked by Docker's default seccomp profile become materially riskier when operators use `seccomp=unconfined` or permissive custom profiles."
  severity: medium
  category: container-risk
  dry-run-support: full
  # 'seccompProfile' = 'docker-default' pins which profile the blocked-syscall
  # list was computed against; the rule does not know the runtime's actual
  # profile. NOTE(review): `!= ''` assumes the annotator emits an empty string
  # when nothing is blocked; if it omits the property instead, the comparison
  # depends on how $prop represents a missing value — confirm, otherwise this
  # clause may match (or never match) unintentionally.
  condition: |
    components[
      $prop($, 'cdx:container:matched') = 'true'
      and $prop($, 'cdx:container:seccompProfile') = 'docker-default'
      and $prop($, 'cdx:container:seccompBlockedSyscalls') != ''
      and (
        $listContains($prop($, 'cdx:container:riskTags'), 'container-escape')
        or $listContains($prop($, 'cdx:container:riskTags'), 'namespace-escape')
      )
    ]
  # Finding location: bom-ref, purl and the 'SrcFile' path.
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl,
      "file": $prop($, 'SrcFile')
    }
  # '{{ name }}' and 'SrcFile' are image-derived values; render as untrusted text.
  message: "Seccomp-sensitive escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' and depends on syscalls blocked by the Docker default seccomp profile"
  mitigation: "Keep Docker or OCI runtimes on the default seccomp profile, never use `seccomp=unconfined` for app workloads, and review custom profiles so they do not allow namespace or host-escape syscalls without a clear need."
  # MITRE ATT&CK: TA0004 Privilege Escalation; T1611 Escape to Host.
  attack:
    tactics: [TA0004]
    techniques: [T1611]
  # Annotation properties copied into the finding; 'seccompBlockedSyscalls' is
  # what a reviewer needs to check a custom profile against.
  evidence: |
    {
      "canonicalName": $prop($, 'cdx:container:name'),
      "offenseTools": $prop($, 'cdx:container:offenseTools'),
      "riskTags": $prop($, 'cdx:container:riskTags'),
      "seccompProfile": $prop($, 'cdx:container:seccompProfile'),
      "seccompBlockedSyscalls": $prop($, 'cdx:container:seccompBlockedSyscalls'),
      "knowledgeSources": $prop($, 'cdx:container:knowledgeSources'),
      "srcFile": $prop($, 'SrcFile')
    }
