T1059.013 Elastic Security · Elastic

Detect Container CLI/API in Elastic Security

Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.013 Container CLI/API
Canonical reference: https://attack.mitre.org/techniques/T1059/013/

Elastic Detection Query

Elastic Security (Elastic)
eql
// Single-event query. The original draft wrapped one event block in a
// `sequence` (EQL requires at least two) and piped into `| where`, which
// Elasticsearch EQL does not support (only `head` and `tail` pipes exist).
// The same logic is expressed here as one `process where` filter: the broad
// argument match and the per-tool narrowing are simply conjoined.
process where event.type == "start" and
  process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nerdctl") and
  process.args_count > 1 and
  (
    process.args : ("exec", "run", "pull", "build", "cp", "inspect", "apply", "create", "proxy", "port-forward") or
    process.args : ("--privileged", "--cap-add=SYS_ADMIN", "--net=host", "--pid=host") or
    process.args : ("-v", "/:/host", "/var/run/docker.sock", "/etc:/") or
    process.args : ("get", "secrets", "configmaps")
  ) and
  (
    (process.name == "docker" and process.args : ("exec", "run", "--privileged", "--net=host", "--pid=host", "/var/run/docker.sock")) or
    (process.name == "kubectl" and process.args : ("exec", "run", "apply", "create", "get", "port-forward", "proxy")) or
    (process.name in ("crictl", "ctr") and process.args : ("exec", "run"))
  )
high severity high confidence

Detects abuse of container CLI tools (docker, kubectl, crictl, ctr, podman, nerdctl) via suspicious command patterns including privileged container creation, host namespace mounts, socket exposure, secrets access, and remote execution, behaviour indicative of T1059.013 Container CLI/API abuse by adversaries such as TeamTNT.

Data Sources

  • Elastic Endpoint Security
  • Auditbeat (Linux process events)
  • Filebeat with auditd module

Required Tables

  • logs-endpoint.events.process-*
  • auditbeat-*

False Positives & Tuning

  • Legitimate DevOps engineers or CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions runners) routinely execute docker build, docker run, and kubectl apply as part of automated deployment workflows.
  • Kubernetes cluster administrators and SREs frequently use kubectl exec for debugging running pods, kubectl get secrets for application configuration retrieval, and kubectl port-forward for local service access.
  • Container security scanning tools (Trivy, Anchore, Sysdig Falco setup) may invoke docker pull, docker inspect, and crictl exec during scheduled vulnerability scans or runtime policy enforcement.
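The following Python is an added reference implementation of the rule logic above together with the kind of allowlist the false-positive notes call for; it is not Elastic's code and does not run inside Elasticsearch. Events are constructed inline with ECS-style fields (process.name, process.args including argv[0], process.args_count, user.name), and the CI service-account names in the allowlist are assumptions. The EQL `:` operator is modelled as case-insensitive equality against each array element.

```python
"""Reference model of the T1059.013 EQL rule plus a tuning allowlist (added example)."""

CONTAINER_CLIS = {"docker", "kubectl", "crictl", "ctr", "podman", "nerdctl"}

# Union of the four process.args lists in the rule's broad match
BROAD_ARGS = {
    "exec", "run", "pull", "build", "cp", "inspect", "apply", "create", "proxy", "port-forward",
    "--privileged", "--cap-add=SYS_ADMIN", "--net=host", "--pid=host",
    "-v", "/:/host", "/var/run/docker.sock", "/etc:/",
    "get", "secrets", "configmaps",
}

# Per-tool narrowing from the rule's second conjunct (podman/nerdctl have no branch)
TOOL_ARGS = {
    "docker": {"exec", "run", "--privileged", "--net=host", "--pid=host", "/var/run/docker.sock"},
    "kubectl": {"exec", "run", "apply", "create", "get", "port-forward", "proxy"},
    "crictl": {"exec", "run"},
    "ctr": {"exec", "run"},
}


def any_arg_in(args, patterns):
    """EQL `process.args : (...)`: case-insensitive match of any array element."""
    lowered = {p.lower() for p in patterns}
    return any(a.lower() in lowered for a in args)


def rule_matches(event):
    """True when the event satisfies every conjunct of the EQL query."""
    if event["event"]["type"] != "start":
        return False
    name = event["process"]["name"]
    args = event["process"]["args"]  # ECS: full argv, argv[0] included
    if name not in CONTAINER_CLIS or len(args) <= 1:  # process.args_count > 1
        return False
    if not any_arg_in(args, BROAD_ARGS):
        return False
    return name in TOOL_ARGS and any_arg_in(args, TOOL_ARGS[name])


# Tuning: CI runner service accounts (constructed names, assumption) are exempted
ALLOWLISTED_USERS = {"jenkins", "gitlab-runner"}


def should_alert(event):
    return rule_matches(event) and event["user"]["name"] not in ALLOWLISTED_USERS


def make_event(argv, user):
    """Build a constructed ECS-like process start event."""
    return {
        "event": {"type": "start"},
        "process": {"name": argv[0], "args": list(argv), "args_count": len(argv)},
        "user": {"name": user},
    }


# Constructed sample telemetry, not captured data
SAMPLE_EVENTS = [
    make_event(["docker", "run", "--privileged", "--net=host", "alpine", "sh"], "root"),
    make_event(["kubectl", "get", "secrets", "-A"], "sre"),
    make_event(["kubectl", "get", "pods"], "sre"),
    make_event(["docker", "build", "-t", "app", "."], "jenkins"),
    make_event(["docker", "run", "-v", "/var/run/docker.sock:/var/run/docker.sock", "alpine"], "gitlab-runner"),
    make_event(["podman", "run", "--privileged", "alpine"], "root"),
    make_event(["docker"], "root"),
]


def evaluate(events):
    """Return (command line, rule matched, alert after tuning) per event."""
    return [(" ".join(e["process"]["args"]), rule_matches(e), should_alert(e)) for e in events]


if __name__ == "__main__":
    for cmd, matched, alerted in evaluate(SAMPLE_EVENTS):
        print(f"{cmd!r:70} match={matched} alert={alerted}")
```

Two things the sample set makes visible: `kubectl get pods` fires because `get` alone satisfies the kubectl branch, so routine read-only administration is noisy without an allowlist or a tighter argument list; and the `-v /var/run/docker.sock:/var/run/docker.sock` form is caught only through `run`, because `:` compares whole array elements and the literal `/var/run/docker.sock` never equals the combined `host:container` string (a wildcard such as `*docker.sock*` would be needed to match the mount itself).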
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Docker Container Execution

    Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.

  2. Test 2: Docker Privileged Container Creation

    Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.

  3. Test 3: Kubectl Secrets Enumeration

    Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.
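Each test above expects an auditd EXECVE record as its signal, and that record is the raw form the Auditbeat and Filebeat auditd data sources turn into process.args. The Python below is an added example (not part of this page's detection package and not Elastic's or Atomic Red Team's code) that reconstructs argv from EXECVE records, including auditd's hex-encoded form for arguments containing spaces or quotes, and maps each argv to the test numbers listed above. The records are constructed, not captured.

```python
import re
from typing import Optional

# Constructed auditd EXECVE records (not real captures): one per test on this
# page, one with a hex-encoded argument, and one non-EXECVE record to skip.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1700000001.101:201): argc=5 a0="docker" a1="run" a2="--rm" a3="alpine" a4="whoami"',
    'type=EXECVE msg=audit(1700000002.202:202): argc=6 a0="docker" a1="run" a2="--privileged" a3="--net=host" a4="alpine" a5="id"',
    'type=EXECVE msg=audit(1700000003.303:303): argc=4 a0="kubectl" a1="get" a2="secrets" a3="-A"',
    # a3 is "MSG=hello world"; auditd hex-encodes arguments containing a space
    'type=EXECVE msg=audit(1700000004.404:404): argc=5 a0="docker" a1="run" a2="-e" a3=4D53473D68656C6C6F20776F726C64 a4="alpine"',
    'type=SYSCALL msg=audit(1700000004.404:404): arch=c000003e syscall=59 success=yes exit=0',
]

# aN="quoted" or aN=HEX; long arguments arrive split as aN[0]=..., aN[1]=...
ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=("[^"]*"|[0-9A-Fa-f]+)')


def parse_execve(record: str) -> Optional[list]:
    """Return argv reconstructed from an EXECVE record, or None for other record types."""
    if "type=EXECVE" not in record:
        return None
    chunks = {}
    for m in ARG_RE.finditer(record):
        idx, part, raw = int(m.group(1)), int(m.group(2) or 0), m.group(3)
        if raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = bytes.fromhex(raw).decode("utf-8", errors="replace")
        chunks.setdefault(idx, {})[part] = value
    # Reassemble split chunks in order, then order the arguments by index
    return ["".join(chunks[i][p] for p in sorted(chunks[i])) for i in sorted(chunks)]


def expected_tests(argv: list) -> list:
    """Map argv to the numbers of the Atomic tests above whose EXECVE signal it produces."""
    tests = []
    if len(argv) >= 2 and argv[0] == "docker" and argv[1] == "run":
        tests.append(1)  # Test 1: docker with 'run'
        if "--privileged" in argv and "--net=host" in argv:
            tests.append(2)  # Test 2: '--privileged' and '--net=host' flags
    if len(argv) >= 3 and argv[0] == "kubectl" and argv[1:3] == ["get", "secrets"]:
        tests.append(3)  # Test 3: kubectl with 'get secrets'
    return tests


def classify_records(records):
    """Return (argv, matching test numbers) for every EXECVE record in the input."""
    out = []
    for rec in records:
        argv = parse_execve(rec)
        if argv is not None:
            out.append((argv, expected_tests(argv)))
    return out


if __name__ == "__main__":
    for argv, tests in classify_records(SAMPLE_RECORDS):
        print(f"{' '.join(argv)!r:60} -> tests {tests}")
```

Running the three tests on a host that ships auditd records through Filebeat should yield exactly these argv shapes; if the docker or kubectl argument appears hex-encoded in the raw log, the decoded value is what ends up in process.args, so a rule written against the literal string still matches.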
