Detect Container CLI/API in Google Chronicle
Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.013 Container CLI/API
- Canonical reference: https://attack.mitre.org/techniques/T1059/013/
YARA-L Detection Query
```yaral
rule container_cli_api_abuse_t1059_013 {

  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1059.013 Container CLI/API abuse via suspicious invocation of docker, kubectl, crictl, ctr, podman, or nerdctl with high-risk argument patterns including privileged container creation, host namespace mounting, socket exposure, and Kubernetes secrets access."
    reference = "https://attack.mitre.org/techniques/T1059/013/"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.013"
    created = "2026-04-16"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Only launches of the container management binaries themselves
    $e.principal.process.file.full_path = /\/(docker|kubectl|crictl|ctr|podman|nerdctl)$/
    (
      $e.principal.process.command_line = /(?i)(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run)/ or
      $e.principal.process.command_line = /(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/ or
      $e.principal.process.command_line = /(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/ or
      $e.principal.process.command_line = /(?i)(nsenter|chroot \/host)/
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    // A rule with a match section must aggregate its outcome values, so each
    // indicator is the max() over the hostname window: 1 = observed, 0 = not observed.
    $privileged_container = max(if(
      re.regex($e.principal.process.command_line, `(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)`),
      1, 0
    ))
    $host_mount = max(if(
      re.regex($e.principal.process.command_line, `(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)`),
      1, 0
    ))
    $container_exec = max(if(
      re.regex($e.principal.process.command_line, `(?i)(docker exec|kubectl exec|crictl exec)`),
      1, 0
    ))
    $secrets_access = max(if(
      re.regex($e.principal.process.command_line, `(?i)(get secrets|get configmaps)`),
      1, 0
    ))
    $container_escape = max(if(
      re.regex($e.principal.process.command_line, `(?i)(nsenter|chroot /host)`),
      1, 0
    ))
    // Weighted score of the highest-scoring event in the window
    $risk_score = max(
      if(re.regex($e.principal.process.command_line, `(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)`), 3, 0) +
      if(re.regex($e.principal.process.command_line, `(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)`), 3, 0) +
      if(re.regex($e.principal.process.command_line, `(?i)(docker exec|kubectl exec|crictl exec)`), 1, 0) +
      if(re.regex($e.principal.process.command_line, `(?i)(get secrets|get configmaps)`), 2, 0) +
      if(re.regex($e.principal.process.command_line, `(?i)(nsenter|chroot /host)`), 3, 0)
    )

  condition:
    $e and $risk_score > 0
}
```

Chronicle YARA-L 2.0 rule detecting T1059.013 Container CLI/API abuse. It monitors PROCESS_LAUNCH events for invocations of container management binaries with high-risk argument patterns and computes a weighted risk score across five dimensions: privileged containers, host mounts, exec sessions, secrets access, and escape techniques. Because the rule has a match section, every outcome value is aggregated with max() over the per-hostname 5-minute window, and the rule fires for any hostname whose window contains at least one event with a non-zero risk score. Note that plain `docker run`, `docker pull` and `kubectl apply` invocations pass the events filter but score 0, so the condition drops them unless a weighted argument pattern is also present.
False Positives & Tuning
- Google Kubernetes Engine (GKE) node auto-provisioning and cluster autoscaler components issue kubectl commands during node pool scaling operations that may match privileged or system-level argument patterns.
- Infrastructure-as-code tools such as Terraform with Kubernetes provider and Pulumi execute kubectl apply and kubectl create commands during legitimate infrastructure provisioning and drift remediation.
- Container runtime health probes and liveness checks configured in Kubernetes pods may invoke crictl exec or docker exec as part of application readiness verification in self-healing cluster configurations.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Docker Container Execution
  Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.
- Test 2: Docker Privileged Container Creation
  Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.
- Test 3: Kubectl Secrets Enumeration
  Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.
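The following Python script is an added example, not part of the Argus page or of Chronicle. It re-implements the rule's five scoring dimensions, the 5-minute per-hostname correlation, and an allowlist for the automation identities named under False Positives & Tuning, then runs them over constructed auditd-style EXECVE records that mirror the three tests above. The log lines, hostnames, user names (`terraform`, `gke-autoscaler`) and the single-line record layout are all constructed for the example; real auditd spreads the executable path and argv across SYSCALL and EXECVE records.

```python
import re
from collections import defaultdict

# Binaries the rule matches on $e.principal.process.file.full_path
BINARY_RE = re.compile(r"/(docker|kubectl|crictl|ctr|podman|nerdctl)$")

# The five scoring dimensions and weights, copied from the rule's outcome section
DIMENSIONS = [
    ("privileged_container",
     re.compile(r"(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)"), 3),
    ("host_mount",
     re.compile(r"(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)"), 3),
    ("container_exec",
     re.compile(r"(?i)(docker exec|kubectl exec|crictl exec)"), 1),
    ("secrets_access",
     re.compile(r"(?i)(get secrets|get configmaps)"), 2),
    ("container_escape",
     re.compile(r"(?i)(nsenter|chroot /host)"), 3),
]

# Tuning knob for the False Positives section: identities allowed to run these
# commands (constructed names standing in for an IaC runner and an autoscaler)
ALLOWLISTED_USERS = {"terraform", "gke-autoscaler"}

# Constructed, simplified auditd-style records: exe= and argv on one line
SAMPLE_LOG = """\
type=EXECVE msg=audit(1760000000.100:101): node=worker-1 auid=root exe="/usr/bin/docker" argc=6 a0="docker" a1="run" a2="--privileged" a3="--net=host" a4="alpine" a5="whoami"
type=EXECVE msg=audit(1760000030.200:102): node=worker-1 auid=root exe="/usr/bin/docker" argc=5 a0="docker" a1="run" a2="-v" a3="/:/host" a4="alpine"
type=EXECVE msg=audit(1760000060.300:103): node=worker-2 auid=dev exe="/usr/local/bin/kubectl" argc=4 a0="kubectl" a1="get" a2="secrets" a3="-A"
type=EXECVE msg=audit(1760000070.400:104): node=worker-2 auid=terraform exe="/usr/local/bin/kubectl" argc=4 a0="kubectl" a1="apply" a2="-f" a3="deploy.yaml"
type=EXECVE msg=audit(1760000080.500:105): node=worker-3 auid=root exe="/usr/bin/docker" argc=4 a0="docker" a1="run" a2="alpine" a3="whoami"
type=EXECVE msg=audit(1760000400.600:106): node=worker-1 auid=root exe="/usr/bin/docker" argc=5 a0="docker" a1="exec" a2="-it" a3="web" a4="sh"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
TS_RE = re.compile(r"audit\((\d+)\.\d+:\d+\)")      # epoch seconds from msg=audit(...)


def parse_record(line):
    """Extract the fields the rule uses: timestamp, hostname, user,
    executable path, and the command line reassembled from a0..aN."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    ts = int(TS_RE.search(fields["msg"]).group(1))
    argv = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return {"ts": ts, "host": fields["node"], "user": fields["auid"],
            "exe": fields["exe"], "cmdline": " ".join(argv)}


def score(cmdline):
    """Apply the five dimensions to one command line; returns (risk_score, hits)."""
    hits = {name: bool(rx.search(cmdline)) for name, rx, _ in DIMENSIONS}
    total = sum(w for name, _, w in DIMENSIONS if hits[name])
    return total, hits


def evaluate(log_text):
    """Events section plus condition: keep container-CLI launches whose command
    line scores above zero, after dropping allowlisted automation users."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if not BINARY_RE.search(rec["exe"]) or rec["user"] in ALLOWLISTED_USERS:
            continue
        total, hits = score(rec["cmdline"])
        if total > 0:
            alerts.append({**rec, "risk_score": total, "hits": hits})
    return alerts


def correlate(alerts, window_s=300):
    """match: $e.principal.hostname over 5m -- bucket alerts per host into
    5-minute windows and take the per-dimension max, as the outcome section does."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    windows = []
    for host, events in by_host.items():
        start, bucket = None, []
        for ev in events:
            if start is not None and ev["ts"] - start > window_s:
                windows.append(_summarize(host, bucket))
                start, bucket = None, []
            if start is None:
                start = ev["ts"]
            bucket.append(ev)
        windows.append(_summarize(host, bucket))
    return windows


def _summarize(host, bucket):
    per_dim = {name: any(ev["hits"][name] for ev in bucket) for name, _, _ in DIMENSIONS}
    risk = sum(w for name, _, w in DIMENSIONS if per_dim[name])
    return {"host": host, "events": len(bucket), "risk_score": risk, "dimensions": per_dim}


if __name__ == "__main__":
    for w in correlate(evaluate(SAMPLE_LOG)):
        flagged = [d for d, hit in w["dimensions"].items() if hit]
        print(f"{w['host']}: {w['events']} event(s), risk {w['risk_score']}, {flagged}")
```

Running it shows worker-1 producing two windows (the privileged run and host mount within one 5-minute span, then the later exec session on its own), worker-2 producing one window for the secrets enumeration with the Terraform apply suppressed by the allowlist, and worker-3 producing nothing: Test 1's plain `docker run alpine whoami` passes the events filter but scores 0, so only Test 2 and Test 3 are expected to raise this rule.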
References (6)
- https://attack.mitre.org/techniques/T1059/013/
- https://docs.docker.com/desktop/features/desktop-cli/
- https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/
- https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/
- https://intezer.com/blog/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
- https://kubernetes.io/docs/reference/kubectl/