T1059.013 IBM QRadar · QRadar

Detect Container CLI/API in IBM QRadar

Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.

MITRE ATT&CK

  • Tactic: Execution
  • Technique: T1059 Command and Scripting Interpreter
  • Sub-technique: T1059.013 Container CLI/API
  • Canonical reference: https://attack.mitre.org/techniques/T1059/013/

QRadar Detection Query

IBM QRadar (QRadar), AQL query:
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  "Command" AS command_line,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCENAME(logsourceid) AS log_source,
  CASE
    WHEN "Command" IMATCHES '.*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(docker exec|kubectl exec|crictl exec).*' THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(get secrets|get configmaps).*' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" IMATCHES '.*(nsenter|chroot /host).*' THEN 3
    ELSE 0
  END AS suspicion_score,
  CASE WHEN "Command" IMATCHES '.*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*' THEN 'YES' ELSE 'NO' END AS privileged_container,
  CASE WHEN "Command" IMATCHES '.*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*' THEN 'YES' ELSE 'NO' END AS host_mount,
  CASE WHEN "Command" IMATCHES '.*(docker exec|kubectl exec|crictl exec).*' THEN 'YES' ELSE 'NO' END AS container_exec,
  CASE WHEN "Command" IMATCHES '.*(get secrets|get configmaps).*' THEN 'YES' ELSE 'NO' END AS secrets_access
FROM events
WHERE
  starttime > NOW() - 86400000 AND
  (
    "Process Name" IMATCHES '.*(docker|kubectl|crictl|ctr|podman|nerdctl).*' OR
    "Command" IMATCHES '.*(docker exec|docker run|docker pull|docker build|kubectl exec|kubectl run|kubectl apply|kubectl get secrets|crictl exec|ctr run|--privileged|--net=host|-v /:/host|docker\.sock).*'
  ) AND
  (
    CASE
      WHEN "Command" IMATCHES '.*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*' THEN 3 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*' THEN 3 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(docker exec|kubectl exec|crictl exec).*' THEN 1 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(get secrets|get configmaps).*' THEN 2 ELSE 0 END +
    CASE
      WHEN "Command" IMATCHES '.*(nsenter|chroot /host).*' THEN 3 ELSE 0 END
  ) > 0
ORDER BY suspicion_score DESC, starttime DESC
Severity: high · Confidence: medium

AQL query for IBM QRadar detecting container CLI/API abuse (T1059.013) by identifying suspicious invocations of docker, kubectl, crictl, ctr, podman, and nerdctl with a weighted suspicion scoring model. Flags privileged containers, host filesystem mounts, container exec sessions, secrets access, and container escape patterns.

Data Sources

  • IBM QRadar SIEM
  • Linux audit logs (auditd via QRadar DSM)
  • Syslog forwarded to QRadar

Required Tables

events

False Positives & Tuning

  • Automated CI/CD systems running in the same environment as monitored hosts will generate high volumes of docker run and kubectl apply events during legitimate build and deployment cycles.
  • Kubernetes operators and platform engineering teams use kubectl get secrets and kubectl get configmaps routinely during application troubleshooting and secret rotation procedures.
  • Container orchestration health checks and monitoring agents (Datadog Agent, Prometheus node exporter sidecar containers) may mount /var/run/docker.sock or use privileged mode as part of their legitimate configuration.
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Docker Container Execution

    Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.

  2. Test 2: Docker Privileged Container Creation

    Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.

  3. Test 3: Kubectl Secrets Enumeration

    Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.
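The scoring model from the AQL query above, re-implemented here as an added Python example (not QRadar's or the rule author's code) so the regex patterns, weights and WHERE filter can be checked offline against the three Atomic tests before deploying. The sample events are constructed; running them shows that Test 1's plain docker run scores 0 and is dropped by the query's > 0 condition, so only Tests 2 and 3 produce rows.

```python
import re
# The five weighted CASE expressions from the AQL query, as (flag, regex, weight). QRadar's
# IMATCHES is a case-insensitive whole-string regex match, hence the '.*' wrappers.
SCORING = [
    ("privileged_container", r".*(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host).*", 3),
    ("host_mount", r".*(-v /:/host|-v /etc:/|-v /var/run/docker\.sock).*", 3),
    ("container_exec", r".*(docker exec|kubectl exec|crictl exec).*", 1),
    ("secrets_access", r".*(get secrets|get configmaps).*", 2),
    ("escape_pattern", r".*(nsenter|chroot /host).*", 3),
]
# The two alternatives of the WHERE clause's scope condition.
PROCESS_FILTER = r".*(docker|kubectl|crictl|ctr|podman|nerdctl).*"
COMMAND_FILTER = (r".*(docker exec|docker run|docker pull|docker build|kubectl exec|kubectl run"
                  r"|kubectl apply|kubectl get secrets|crictl exec|ctr run|--privileged|--net=host"
                  r"|-v /:/host|docker\.sock).*")

def imatches(pattern, value):
    """Emulate AQL IMATCHES: the whole value must match, case-insensitively."""
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def score_command(command):
    """Return (suspicion_score, [flag names]) exactly as the CASE sum would."""
    score, flags = 0, []
    for flag, pattern, weight in SCORING:
        if imatches(pattern, command):
            score += weight
            flags.append(flag)
    return score, flags

def would_alert(process_name, command):
    """Mirror the WHERE clause: (process OR command filter) AND summed score > 0."""
    in_scope = imatches(PROCESS_FILTER, process_name) or imatches(COMMAND_FILTER, command)
    return in_scope and score_command(command)[0] > 0

# Constructed sample events (process name, command line): the page's three Atomic tests,
# a benign lookalike that only touches the socket path, and a multi-pattern escape chain.
SAMPLES = {
    "test1_docker_run": ("docker", "docker run --rm alpine whoami"),
    "test2_privileged": ("docker", "docker run --privileged --net=host alpine sh"),
    "test3_kubectl_secrets": ("kubectl", "kubectl get secrets --all-namespaces"),
    "benign_socket_stat": ("bash", "ls -la /var/run/docker.sock"),
    "escape_chain": ("docker", "docker run -v /:/host --privileged alpine chroot /host"),
}

def evaluate_samples():
    """Return {name: (alerts, score, flags)} for every sample event."""
    return {n: (would_alert(p, c), *score_command(c)) for n, (p, c) in SAMPLES.items()}
if __name__ == "__main__":
    for name, (alerts, score, flags) in evaluate_samples().items():
        print(f"{name:22} alert={str(alerts):5} score={score} flags={flags}")
```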
