Detect Container CLI/API in Splunk
Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.013 Container CLI/API
- Canonical reference: https://attack.mitre.org/techniques/T1059/013/
SPL Detection Query
index=linux sourcetype="linux:auditd" OR sourcetype="syslog"
("docker exec" OR "docker run" OR "docker pull" OR "kubectl exec" OR "kubectl run" OR "kubectl get secrets" OR "kubectl apply" OR "crictl exec" OR "--privileged" OR "--net=host" OR "-v /:/host" OR "docker.sock")
| eval PrivilegedContainer=if(match(_raw, "(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)"), 1, 0)
| eval HostMount=if(match(_raw, "(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)"), 1, 0)
| eval ContainerExec=if(match(_raw, "(docker exec|kubectl exec|crictl exec)"), 1, 0)
| eval SecretsAccess=if(match(_raw, "(get secrets|get configmaps)"), 1, 0)
| eval ContainerEscape=if(match(_raw, "(nsenter|chroot /host)"), 1, 0)
| eval SuspicionScore=PrivilegedContainer*3 + HostMount*3 + ContainerExec + SecretsAccess*2 + ContainerEscape*3
| where SuspicionScore > 0
| table _time, host, user, _raw, PrivilegedContainer, HostMount, ContainerExec, SecretsAccess, ContainerEscape, SuspicionScore
| sort - SuspicionScore, - _time

Detects suspicious container CLI usage from auditd and syslog. Evaluates for privileged container creation, host filesystem mounts, container exec, secrets enumeration, and container escape attempts. Privileged containers and host mounts carry the highest weight (3) because they enable full host compromise. Two points to keep in mind when deploying: the phrase matches ("docker run", "kubectl exec", ...) assume a searchable command line, but raw auditd EXECVE records split argv across a0, a1, ... fields, so the command must be reconstructed (or the argument fields searched individually) for these phrases to match; and because "nsenter" and "chroot /host" are not among the base search terms, ContainerEscape only contributes to the score when the event also contains one of those terms.
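To check the scoring logic offline before deploying it, the following Python script (added here; it is not part of the original detection package) re-implements the base search, the five eval flags and the SuspicionScore over a handful of constructed auditd EXECVE and syslog lines. It also reconstructs the command line from the EXECVE a0..aN fields, decoding hex-encoded arguments, which is what the SPL phrase matches rely on, and it shows that an event matching only "chroot /host" never reaches the eval stage because that string is not among the base search terms. All sample events, hosts and user names are constructed for illustration.

```python
import re

# Base search terms copied from the SPL. Splunk's phrase search is
# case-insensitive, so the check below lowercases the command line.
BASE_TERMS = [
    "docker exec", "docker run", "docker pull", "kubectl exec", "kubectl run",
    "kubectl get secrets", "kubectl apply", "crictl exec", "--privileged",
    "--net=host", "-v /:/host", "docker.sock",
]

# Flag name -> (regex from the SPL eval, weight from the SuspicionScore line).
# SPL match() is case-sensitive, so these regexes are applied as written.
PATTERNS = {
    "PrivilegedContainer": (r"(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)", 3),
    "HostMount": (r"(-v /:/host|-v /etc:/|-v /var/run/docker\.sock)", 3),
    "ContainerExec": (r"(docker exec|kubectl exec|crictl exec)", 1),
    "SecretsAccess": (r"(get secrets|get configmaps)", 2),
    "ContainerEscape": (r"(nsenter|chroot /host)", 3),
}

# auditd EXECVE arguments appear as aN="value", or as aN=HEX when the value
# contains spaces, quotes or control characters.
EXECVE_ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'type=EXECVE msg=audit(1700000000.101:4101): argc=6 a0="docker" a1="run" a2="--privileged" a3="--net=host" a4="-v" a5="/:/host"',
    'type=EXECVE msg=audit(1700000001.102:4102): argc=4 a0="kubectl" a1="get" a2="secrets" a3="-A"',
    'Nov 14 10:00:03 node1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker exec -it web01 /bin/sh',
    'type=EXECVE msg=audit(1700000004.104:4104): argc=11 a0="kubectl" a1="exec" a2="-it" a3="pod1" a4="--" a5="nsenter" a6="-t" a7="1" a8="-m" a9="-u" a10="sh"',
    # a2 is hex-encoded because the argument "chroot /host" contains a space
    'type=EXECVE msg=audit(1700000005.105:4105): argc=3 a0="bash" a1="-c" a2=6368726F6F74202F686F7374',
    'type=EXECVE msg=audit(1700000006.106:4106): argc=3 a0="docker" a1="pull" a2="nginx:latest"',
]


def reconstruct_command(event: str) -> str:
    """Return a searchable command line for an event.

    For auditd EXECVE records argv is spread over a0, a1, ... so a phrase such
    as "docker run" never appears literally; join the decoded arguments.
    Other events (e.g. syslog lines) are returned unchanged.
    """
    if "type=EXECVE" not in event:
        return event
    args = []
    for m in EXECVE_ARG.finditer(event):
        idx, quoted, hexed = m.group(1), m.group(2), m.group(3)
        value = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
        args.append((int(idx), value))
    return " ".join(value for _, value in sorted(args))


def passes_base_search(cmd: str) -> bool:
    """Approximate the SPL base search: at least one term must be present."""
    lowered = cmd.lower()
    return any(term in lowered for term in BASE_TERMS)


def score_event(event: str) -> dict:
    """Compute the same flags and SuspicionScore as the SPL eval chain."""
    cmd = reconstruct_command(event)
    result = {"command": cmd}
    for name, (regex, _weight) in PATTERNS.items():
        result[name] = 1 if re.search(regex, cmd) else 0
    result["SuspicionScore"] = sum(result[name] * weight for name, (_, weight) in PATTERNS.items())
    return result


def triage(events):
    """Mirror the whole pipeline: base search, scoring, where > 0, sort desc."""
    hits = []
    for event in events:
        if not passes_base_search(reconstruct_command(event)):
            continue  # dropped before the eval stage, whatever it would score
        scored = score_event(event)
        if scored["SuspicionScore"] > 0:
            hits.append(scored)
    return sorted(hits, key=lambda h: h["SuspicionScore"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["SuspicionScore"], hit["command"])
```

Running the script lists four hits in score order (6, 4, 2, 1); the "docker pull" event survives the base search but scores 0 and is dropped by the where clause, while the "bash -c chroot /host" event would score 3 on ContainerEscape yet never reaches the eval stage. If that gap matters in your environment, add the escape indicators to the base search terms as well.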
Data Sources
Required Sourcetypes
False Positives & Tuning
- DevOps engineers using kubectl and docker for routine container management
- CI/CD pipelines building and deploying container images
- Container orchestration systems performing scheduled operations
Other platforms for T1059.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Docker Container Execution
Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.
- Test 2: Docker Privileged Container Creation
Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.
- Test 3: Kubectl Secrets Enumeration
Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.
References (6)
- https://attack.mitre.org/techniques/T1059/013/
- https://docs.docker.com/desktop/features/desktop-cli/
- https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/
- https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/
- https://intezer.com/blog/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
- https://kubernetes.io/docs/reference/kubectl/