T1059.013 Container CLI/API Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousCommands = dynamic([
  "docker exec", "docker run",
  "docker pull", "docker build",
  "docker cp", "docker inspect",
  "docker ps", "docker images",
  "--privileged", "--cap-add=SYS_ADMIN",
  "--net=host", "--pid=host",
  "-v /:/host", "-v /etc:/", "-v /var/run/docker.sock",
  "kubectl exec", "kubectl run",
  "kubectl apply", "kubectl create",
  "kubectl get secrets", "kubectl get configmaps",
  "kubectl port-forward", "kubectl proxy",
  "crictl exec", "ctr run"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("docker", "kubectl", "crictl", "ctr", "podman", "nerdctl")
| where ProcessCommandLine has_any (SuspiciousCommands)
| extend PrivilegedContainer = ProcessCommandLine has_any ("--privileged", "--cap-add=SYS_ADMIN", "--net=host", "--pid=host")
| extend HostMount = ProcessCommandLine has_any ("-v /:/host", "-v /etc:/", "-v /var/run/docker.sock")
| extend ContainerExec = ProcessCommandLine has_any ("docker exec", "kubectl exec", "crictl exec")
| extend SecretsAccess = ProcessCommandLine has_any ("get secrets", "get configmaps")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PrivilegedContainer, HostMount, ContainerExec, SecretsAccess
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Container: Container Creation

Required Tables

DeviceProcessEvents

False Positives

DevOps engineers and SREs using kubectl and docker for routine container management
CI/CD pipelines building and deploying container images
Container orchestration systems performing scheduled container operations

Splunk

spl

index=linux sourcetype="linux:auditd" OR sourcetype="syslog"
  ("docker exec" OR "docker run" OR "docker pull" OR "kubectl exec" OR "kubectl run" OR "kubectl get secrets" OR "kubectl apply" OR "crictl exec" OR "--privileged" OR "--net=host" OR "-v /:/host" OR "docker.sock")
| eval PrivilegedContainer=if(match(_raw, "(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)"), 1, 0)
| eval HostMount=if(match(_raw, "(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)"), 1, 0)
| eval ContainerExec=if(match(_raw, "(docker exec|kubectl exec|crictl exec)"), 1, 0)
| eval SecretsAccess=if(match(_raw, "(get secrets|get configmaps)"), 1, 0)
| eval ContainerEscape=if(match(_raw, "(nsenter|chroot /host)"), 1, 0)
| eval SuspicionScore=PrivilegedContainer*3 + HostMount*3 + ContainerExec + SecretsAccess*2 + ContainerEscape*3
| where SuspicionScore > 0
| table _time, host, user, _raw, PrivilegedContainer, HostMount, ContainerExec, SecretsAccess, ContainerEscape, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Container: Container Creation Linux auditd

Required Sourcetypes

linux:auditd syslog

False Positives

DevOps engineers using kubectl and docker for routine container management
CI/CD pipelines building and deploying container images
Container orchestration systems performing scheduled operations

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=5m
  [process where event.type == "start" and
   process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nerdctl") and
   (
     process.args : ("exec", "run", "pull", "build", "cp", "inspect", "apply", "create", "proxy", "port-forward") or
     process.args : ("--privileged", "--cap-add=SYS_ADMIN", "--net=host", "--pid=host") or
     process.args : ("-v", "/:/host", "/var/run/docker.sock", "/etc:/") or
     process.args : ("get", "secrets", "configmaps")
   )
  ] by process.pid
| where
  (
    process.args_count > 1 and
    (
      (process.name == "docker" and process.args : ("exec", "run", "--privileged", "--net=host", "--pid=host", "/var/run/docker.sock")) or
      (process.name == "kubectl" and process.args : ("exec", "run", "apply", "create", "get", "port-forward", "proxy")) or
      (process.name in ("crictl", "ctr") and process.args : ("exec", "run"))
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (Linux process events) Filebeat with auditd module

Required Tables

logs-endpoint.events.process-* auditbeat-*

False Positives

Legitimate DevOps engineers or CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions runners) routinely execute docker build, docker run, and kubectl apply as part of automated deployment workflows.
Kubernetes cluster administrators and SREs frequently use kubectl exec for debugging running pods, kubectl get secrets for application configuration retrieval, and kubectl port-forward for local service access.
Container security scanning tools (Trivy, Anchore, Sysdig Falco setup) may invoke docker pull, docker inspect, and crictl exec during scheduled vulnerability scans or runtime policy enforcement.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  "Command" AS command_line,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCENAME(logsourceid) AS log_source,
  CASE
    WHEN "Command" IMATCHES '.*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(docker exec|kubectl exec|crictl exec).*' THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(get secrets|get configmaps).*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(nsenter|chroot /host).*' THEN 3
    ELSE 0
  END AS suspicion_score,
  CASE WHEN "Command" IMATCHES '.*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*' THEN 'YES' ELSE 'NO' END AS privileged_container,
  CASE WHEN "Command" IMATCHES '.*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*' THEN 'YES' ELSE 'NO' END AS host_mount,
  CASE WHEN "Command" IMATCHES '.*(docker exec|kubectl exec|crictl exec).*' THEN 'YES' ELSE 'NO' END AS container_exec,
  CASE WHEN "Command" IMATCHES '.*(get secrets|get configmaps).*' THEN 'YES' ELSE 'NO' END AS secrets_access
FROM events
WHERE
  starttime > NOW() - 86400000 AND
  (
    "Process Name" IMATCHES '.*(docker|kubectl|crictl|ctr|podman|nerdctl).*' OR
    "Command" IMATCHES '.*(docker exec|docker run|docker pull|docker build|kubectl exec|kubectl run|kubectl apply|kubectl get secrets|crictl exec|ctr run|--privileged|--net=host|-v /:/host|docker\.sock).*'
  ) AND
  (
    CASE
      WHEN "Command" IMATCHES '.*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*' THEN 3 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*' THEN 3 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(docker exec|kubectl exec|crictl exec).*' THEN 1 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(get secrets|get configmaps).*' THEN 2 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(nsenter|chroot /host).*' THEN 3 ELSE 0 END
  ) > 0
ORDER BY suspicion_score DESC, starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Linux audit logs (auditd via QRadar DSM) Syslog forwarded to QRadar

Required Tables

events

False Positives

Automated CI/CD systems running in the same environment as monitored hosts will generate high volumes of docker run and kubectl apply events during legitimate build and deployment cycles.
Kubernetes operators and platform engineering teams use kubectl get secrets and kubectl get configmaps routinely during application troubleshooting and secret rotation procedures.
Container orchestration health checks and monitoring agents (Datadog Agent, Prometheus node exporter sidecar containers) may mount /var/run/docker.sock or use privileged mode as part of their legitimate configuration.

Sumo Logic CSE

sql

_sourceCategory=linux/auditd OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/process
| where (%"process.name" in ("docker", "kubectl", "crictl", "ctr", "podman", "nerdctl") or
         %"process.executable" matches /\/(docker|kubectl|crictl|ctr|podman|nerdctl)$/)
| where %"process.args" matches /(?i)(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run|--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host|-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/
| if(%"process.args" matches /(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/, 3, 0) as priv_score
| if(%"process.args" matches /(?i)(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/, 3, 0) as mount_score
| if(%"process.args" matches /(?i)(docker exec|kubectl exec|crictl exec)/, 1, 0) as exec_score
| if(%"process.args" matches /(?i)(get secrets|get configmaps)/, 2, 0) as secrets_score
| if(%"process.args" matches /(?i)(nsenter|chroot \/host)/, 3, 0) as escape_score
| toInt(priv_score) + toInt(mount_score) + toInt(exec_score) + toInt(secrets_score) + toInt(escape_score) as suspicion_score
| where suspicion_score > 0
| if(suspicion_score >= 6, "CRITICAL", if(suspicion_score >= 3, "HIGH", "MEDIUM")) as severity
| fields _messageTime, %"host.name", %"user.name", %"process.name", %"process.args", priv_score, mount_score, exec_score, secrets_score, escape_score, suspicion_score, severity
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Linux auditd logs via Sumo Logic Installed Collector Syslog via Sumo Logic Syslog Source

Required Tables

linux/auditd linux/syslog endpoint/process

False Positives

Docker Swarm managers and Kubernetes node admission controllers may issue frequent kubectl apply and docker run commands as part of legitimate workload scheduling and autoscaling operations.
Security-conscious organizations running container escape benchmarks (docker-bench-security, kube-bench) will produce high suspicion scores from intentional privileged container tests against their own environments.
Multi-tenant Kubernetes environments where developers self-service via kubectl may generate significant volumes of kubectl get secrets events as applications retrieve their own configuration data from namespaced secrets.

Google Chronicle / SecOps

yaral

rule container_cli_api_abuse_t1059_013 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1059.013 Container CLI/API abuse via suspicious invocation of docker, kubectl, crictl, ctr, podman, or nerdctl with high-risk argument patterns including privileged container creation, host namespace mounting, socket exposure, and Kubernetes secrets access."
    reference = "https://attack.mitre.org/techniques/T1059/013/"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.013"
    created = "2026-04-16"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /\/(docker|kubectl|crictl|ctr|podman|nerdctl)$/
    (
      $e.principal.process.command_line = /(?i)(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run)/ or
      $e.principal.process.command_line = /(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/ or
      $e.principal.process.command_line = /(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/ or
      $e.principal.process.command_line = /(?i)(nsenter|chroot \/host)/
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $privileged_container = if(
      re.regex($e.principal.process.command_line, `(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)`),
      true, false
    )
    $host_mount = if(
      re.regex($e.principal.process.command_line, `(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)`),
      true, false
    )
    $container_exec = if(
      re.regex($e.principal.process.command_line, `(?i)(docker exec|kubectl exec|crictl exec)`),
      true, false
    )
    $secrets_access = if(
      re.regex($e.principal.process.command_line, `(?i)(get secrets|get configmaps)`),
      true, false
    )
    $container_escape = if(
      re.regex($e.principal.process.command_line, `(?i)(nsenter|chroot /host)`),
      true, false
    )
    $risk_score = (
      if(re.regex($e.principal.process.command_line, `(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)`), 3, 0) +
      if(re.regex($e.principal.process.command_line, `(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)`), 3, 0) +
      if(re.regex($e.principal.process.command_line, `(?i)(docker exec|kubectl exec|crictl exec)`), 1, 0) +
      if(re.regex($e.principal.process.command_line, `(?i)(get secrets|get configmaps)`), 2, 0) +
      if(re.regex($e.principal.process.command_line, `(?i)(nsenter|chroot /host)`), 3, 0)
    )

  condition:
    $e and $risk_score > 0
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Linux endpoint telemetry forwarded to Chronicle GCP Cloud Logging with container audit events

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Google Kubernetes Engine (GKE) node auto-provisioning and cluster autoscaler components issue kubectl commands during node pool scaling operations that may match privileged or system-level argument patterns.
Infrastructure-as-code tools such as Terraform with Kubernetes provider and Pulumi execute kubectl apply and kubectl create commands during legitimate infrastructure provisioning and drift remediation.
Container runtime health probes and liveness checks configured in Kubernetes pods may invoke crictl exec or docker exec as part of application readiness verification in self-healing cluster configurations.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /\/(docker|kubectl|crictl|ctr|podman|nerdctl)$/i
| CommandLine = /(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run|--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host|-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock|nsenter|chroot \/host)/i
| PrivilegedContainer := if(CommandLine = /(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/i, "YES", "NO")
| HostMount := if(CommandLine = /(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/, "YES", "NO")
| ContainerExec := if(CommandLine = /(docker exec|kubectl exec|crictl exec)/i, "YES", "NO")
| SecretsAccess := if(CommandLine = /(get secrets|get configmaps)/i, "YES", "NO")
| ContainerEscape := if(CommandLine = /(nsenter|chroot \/host)/i, "YES", "NO")
| PrivScore := if(CommandLine = /(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/i, 3, 0)
| MountScore := if(CommandLine = /(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/, 3, 0)
| ExecScore := if(CommandLine = /(docker exec|kubectl exec|crictl exec)/i, 1, 0)
| SecretsScore := if(CommandLine = /(get secrets|get configmaps)/i, 2, 0)
| EscapeScore := if(CommandLine = /(nsenter|chroot \/host)/i, 3, 0)
| SuspicionScore := PrivScore + MountScore + ExecScore + SecretsScore + EscapeScore
| Severity := if(SuspicionScore >= 6, "CRITICAL", if(SuspicionScore >= 3, "HIGH", "MEDIUM"))
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, PrivilegedContainer, HostMount, ContainerExec, SecretsAccess, ContainerEscape, SuspicionScore, Severity])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon sensor ProcessRollup2 events CrowdStrike Falcon LogScale (Humio)

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself and Falcon Container sensors interact with the Docker socket and container runtime APIs as part of their host-based detection and visibility capabilities, which may generate matching events on monitored Linux hosts.
Rancher, OpenShift CLI (oc), and other Kubernetes distribution management tools wrap kubectl and issue privileged API calls during cluster lifecycle management operations such as node drain, upgrade, and certificate rotation.
Developer workstations with Docker Desktop or local Kubernetes (Minikube, kind, k3d) installed will routinely generate the full spectrum of container CLI invocations — including docker run with host mounts — during local development and testing workflows.

Container CLI/API

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections