T1059.013 CrowdStrike LogScale · LogScale

Detect Container CLI/API in CrowdStrike LogScale

Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.013 Container CLI/API
Canonical reference
https://attack.mitre.org/techniques/T1059/013/

LogScale Detection Query

CrowdStrike LogScale query (CQL):
#event_simpleName=ProcessRollup2
| ImageFileName = /\/(docker|kubectl|crictl|ctr|podman|nerdctl)$/i
| CommandLine = /(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run|--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host|-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock|nsenter|chroot \/host)/i
| PrivilegedContainer := if(CommandLine = /(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/i, "YES", "NO")
| HostMount := if(CommandLine = /(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/, "YES", "NO")
| ContainerExec := if(CommandLine = /(docker exec|kubectl exec|crictl exec)/i, "YES", "NO")
| SecretsAccess := if(CommandLine = /(get secrets|get configmaps)/i, "YES", "NO")
| ContainerEscape := if(CommandLine = /(nsenter|chroot \/host)/i, "YES", "NO")
| PrivScore := if(CommandLine = /(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/i, 3, 0)
| MountScore := if(CommandLine = /(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/, 3, 0)
| ExecScore := if(CommandLine = /(docker exec|kubectl exec|crictl exec)/i, 1, 0)
| SecretsScore := if(CommandLine = /(get secrets|get configmaps)/i, 2, 0)
| EscapeScore := if(CommandLine = /(nsenter|chroot \/host)/i, 3, 0)
| SuspicionScore := PrivScore + MountScore + ExecScore + SecretsScore + EscapeScore
| Severity := if(SuspicionScore >= 6, "CRITICAL", if(SuspicionScore >= 3, "HIGH", "MEDIUM"))
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, PrivilegedContainer, HostMount, ContainerExec, SecretsAccess, ContainerEscape, SuspicionScore, Severity])
| sort(SuspicionScore, order=desc)
Severity: high. Confidence: high.

This CrowdStrike LogScale (Falcon) CQL query detects T1059.013 Container CLI/API abuse by monitoring ProcessRollup2 events for suspicious invocations of container management binaries. It implements weighted suspicion scoring across five risk dimensions, matching the SPL baseline: privileged container flags (3), host filesystem mounts (3), container exec sessions (1), Kubernetes secrets or configmap access (2), and container escape techniques (3). The summed score maps to MEDIUM (below 3), HIGH (3 to 5) or CRITICAL (6 and above).
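To make the scoring tiers concrete, the following added Python (not part of this page or of the LogScale query) emulates the query's filter, enrichment and sort stages over a few constructed ProcessRollup2-style records. It also shows a tuning caveat: the ImageFileName filter drops a wrapper shell whose command line mentions docker, so such an invocation is only seen when the child docker process produces its own ProcessRollup2 event.

```python
import re

# Constructed ProcessRollup2-style records for illustration; not real Falcon telemetry.
SAMPLE_EVENTS = [
    {"ImageFileName": "/usr/bin/docker",
     "CommandLine": "docker run --privileged --net=host -v /:/host alpine chroot /host"},
    {"ImageFileName": "/usr/local/bin/kubectl", "CommandLine": "kubectl get secrets -A -o yaml"},
    {"ImageFileName": "/usr/bin/docker", "CommandLine": "docker exec -it web sh"},
    {"ImageFileName": "/usr/bin/bash", "CommandLine": "bash -c 'docker run --privileged alpine'"},  # wrong binary
    {"ImageFileName": "/usr/bin/docker", "CommandLine": "docker ps"},  # no trigger keyword
]

# Stage 1 and 2 of the query: binary filter, then the broad command-line trigger.
BINARY_RE = re.compile(r"/(docker|kubectl|crictl|ctr|podman|nerdctl)$", re.I)
TRIGGER_RE = re.compile(r"(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run|--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host|-v /:/host|-v /etc:/|-v /var/run/docker\.sock|nsenter|chroot /host)", re.I)

# The five weighted dimensions; HostMount is case-sensitive, exactly as in the CQL.
DIMENSIONS = [
    ("PrivilegedContainer", re.compile(r"(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)", re.I), 3),
    ("HostMount", re.compile(r"(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)"), 3),
    ("ContainerExec", re.compile(r"(docker exec|kubectl exec|crictl exec)", re.I), 1),
    ("SecretsAccess", re.compile(r"(get secrets|get configmaps)", re.I), 2),
    ("ContainerEscape", re.compile(r"(nsenter|chroot /host)", re.I), 3),
]

def severity(score):
    """Same thresholds as the nested if() in the query."""
    if score >= 6:
        return "CRITICAL"
    return "HIGH" if score >= 3 else "MEDIUM"

def score_event(event):
    """Return None when the query's filters drop the event, else the enriched record."""
    cmd = event["CommandLine"]
    if not BINARY_RE.search(event["ImageFileName"]) or not TRIGGER_RE.search(cmd):
        return None
    out, total = dict(event), 0
    for name, rx, weight in DIMENSIONS:
        hit = bool(rx.search(cmd))
        out[name] = "YES" if hit else "NO"
        total += weight if hit else 0
    out["SuspicionScore"], out["Severity"] = total, severity(total)
    return out

def run(events):
    """Emulate the whole pipeline: filter, enrich, sort(SuspicionScore, order=desc)."""
    rows = [r for r in map(score_event, events) if r is not None]
    return sorted(rows, key=lambda r: r["SuspicionScore"], reverse=True)

if __name__ == "__main__":
    for r in run(SAMPLE_EVENTS):
        print(r["Severity"], r["SuspicionScore"], r["CommandLine"])
```

Only three of the five constructed records survive the filters, scoring 9 (CRITICAL), 2 and 1 (both MEDIUM); a privileged flag or a host mount alone lands in HIGH.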

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • Falcon sensor ProcessRollup2 events
  • CrowdStrike Falcon LogScale (Humio)

Required Tables

ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor itself and Falcon Container sensors interact with the Docker socket and container runtime APIs as part of their host-based detection and visibility capabilities, which may generate matching events on monitored Linux hosts.
  • Rancher, OpenShift CLI (oc), and other Kubernetes distribution management tools wrap kubectl and issue privileged API calls during cluster lifecycle management operations such as node drain, upgrade, and certificate rotation.
  • Developer workstations with Docker Desktop or local Kubernetes (Minikube, kind, k3d) installed will routinely generate the full spectrum of container CLI invocations — including docker run with host mounts — during local development and testing workflows.


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Docker Container Execution

    Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.

  2. Test 2: Docker Privileged Container Creation

    Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.

  3. Test 3: Kubectl Secrets Enumeration

    Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.
