Detect Container CLI/API in Microsoft Sentinel
Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.013 Container CLI/API
- Canonical reference
- https://attack.mitre.org/techniques/T1059/013/
KQL Detection Query
let SuspiciousCommands = dynamic([
"docker exec", "docker run",
"docker pull", "docker build",
"docker cp", "docker inspect",
"docker ps", "docker images",
"--privileged", "--cap-add=SYS_ADMIN",
"--net=host", "--pid=host",
"-v /:/host", "-v /etc:/", "-v /var/run/docker.sock",
"kubectl exec", "kubectl run",
"kubectl apply", "kubectl create",
"kubectl get secrets", "kubectl get configmaps",
"kubectl port-forward", "kubectl proxy",
"crictl exec", "ctr run"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("docker", "kubectl", "crictl", "ctr", "podman", "nerdctl")
| where ProcessCommandLine has_any (SuspiciousCommands)
| extend PrivilegedContainer = ProcessCommandLine has_any ("--privileged", "--cap-add=SYS_ADMIN", "--net=host", "--pid=host")
| extend HostMount = ProcessCommandLine has_any ("-v /:/host", "-v /etc:/", "-v /var/run/docker.sock")
| extend ContainerExec = ProcessCommandLine has_any ("docker exec", "kubectl exec", "crictl exec")
| extend SecretsAccess = ProcessCommandLine has_any ("get secrets", "get configmaps")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
PrivilegedContainer, HostMount, ContainerExec, SecretsAccess
| sort by Timestamp descDetects suspicious container CLI usage across Docker, Kubernetes (kubectl), containerd (crictl/ctr), and Podman using MDE. Identifies privileged container creation, host filesystem mounts (container escape), exec into running containers, and secrets enumeration. Covers patterns used by TeamTNT and other cloud-native threat actors.
Data Sources
Required Tables
False Positives & Tuning
- DevOps engineers and SREs using kubectl and docker for routine container management
- CI/CD pipelines building and deploying container images
- Container orchestration systems performing scheduled container operations
Other platforms for T1059.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Docker Container Execution
Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.
- Test 2Docker Privileged Container Creation
Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.
- Test 3Kubectl Secrets Enumeration
Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.
References (6)
- https://attack.mitre.org/techniques/T1059/013/
- https://docs.docker.com/desktop/features/desktop-cli/
- https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/
- https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/
- https://intezer.com/blog/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
- https://kubernetes.io/docs/reference/kubectl/
Unlock Pro Content
Get the full detection package for T1059.013 including response playbook, investigation guide, and atomic red team tests.