T1059.013 Sumo Logic CSE · Sumo

Detect Container CLI/API in Sumo Logic CSE

Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.013 Container CLI/API
Canonical reference
https://attack.mitre.org/techniques/T1059/013/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux/auditd OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/process
| where (%"process.name" in ("docker", "kubectl", "crictl", "ctr", "podman", "nerdctl") or
         %"process.executable" matches /\/(docker|kubectl|crictl|ctr|podman|nerdctl)$/)
| where %"process.args" matches /(?i)(docker exec|docker run|docker pull|docker build|docker cp|kubectl exec|kubectl run|kubectl apply|kubectl create|kubectl get secrets|kubectl get configmaps|kubectl port-forward|kubectl proxy|crictl exec|ctr run|--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host|-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/
| if(%"process.args" matches /(?i)(--privileged|--cap-add=SYS_ADMIN|--net=host|--pid=host)/, 3, 0) as priv_score
| if(%"process.args" matches /(?i)(-v \/:\/host|-v \/etc:\/|-v \/var\/run\/docker\.sock)/, 3, 0) as mount_score
| if(%"process.args" matches /(?i)(docker exec|kubectl exec|crictl exec)/, 1, 0) as exec_score
| if(%"process.args" matches /(?i)(get secrets|get configmaps)/, 2, 0) as secrets_score
| if(%"process.args" matches /(?i)(nsenter|chroot \/host)/, 3, 0) as escape_score
| toInt(priv_score) + toInt(mount_score) + toInt(exec_score) + toInt(secrets_score) + toInt(escape_score) as suspicion_score
| where suspicion_score > 0
| if(suspicion_score >= 6, "CRITICAL", if(suspicion_score >= 3, "HIGH", "MEDIUM")) as severity
| fields _messageTime, %"host.name", %"user.name", %"process.name", %"process.args", priv_score, mount_score, exec_score, secrets_score, escape_score, suspicion_score, severity
| sort by suspicion_score desc, _messageTime desc
high severity high confidence

Sumo Logic CSE query detecting T1059.013 Container CLI/API abuse by monitoring Linux audit and syslog sources for suspicious invocations of container management tools. Applies a multi-factor weighted suspicion score to prioritize events by risk — privileged flags, host mounts, exec sessions, secrets access, and escape techniques each contribute to the final severity classification.

Data Sources

Sumo Logic Cloud SIEM EnterpriseLinux auditd logs via Sumo Logic Installed CollectorSyslog via Sumo Logic Syslog Source

Required Tables

linux/auditdlinux/syslogendpoint/process

False Positives & Tuning

  • Docker Swarm managers and Kubernetes node admission controllers may issue frequent kubectl apply and docker run commands as part of legitimate workload scheduling and autoscaling operations.
  • Security-conscious organizations running container escape benchmarks (docker-bench-security, kube-bench) will produce high suspicion scores from intentional privileged container tests against their own environments.
  • Multi-tenant Kubernetes environments where developers self-service via kubectl may generate significant volumes of kubectl get secrets events as applications retrieve their own configuration data from namespaced secrets.
Download portable Sigma rule (.yml)

Other platforms for T1059.013

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Docker Container Execution

    Expected signal: Auditd: EXECVE record for docker with 'run' command. Docker daemon logs: container creation event. Container process creation for whoami inside the container.

  2. Test 2Docker Privileged Container Creation

    Expected signal: Auditd: EXECVE record for docker with '--privileged' and '--net=host' flags. Docker daemon logs: privileged container creation.

  3. Test 3Kubectl Secrets Enumeration

    Expected signal: Kubernetes audit log: get secrets API call with user identity and source IP. Auditd: EXECVE record for kubectl with 'get secrets' arguments.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1059.013 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.002AppleScriptT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.007JavaScriptT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLI

Related Techniques

T1059Command and Scripting InterpreterT1059.004Unix ShellT1610Deploy ContainerT1609Container Administration CommandT1613Container and Resource DiscoveryT1552.007Container APIT1053.007Container Orchestration JobT1611Escape to Host

Same Tactic: Execution

Popular Detections