T1543.005

Container Service

Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may achieve persistence or escalate their privileges on a host. Common abuse patterns include using 'docker run' or 'podman run' with the '--restart=always' directive to configure a container to persistently restart after daemon restarts or host reboots, using '--privileged', '--pid=host', or '--net=host' flags to break container isolation and gain access to the underlying host kernel, bind-mounting the root filesystem ('-v /:/') to read or modify host files, and leveraging Kubernetes DaemonSets to deploy malicious containers persistently across all current and future cluster nodes. Threat actor groups including TeamTNT have exploited exposed Docker APIs to deploy cryptomining and backdoor containers with restart=always policies. Privilege escalation via docker group membership is documented in GTFOBins and widely exploited in post-exploitation scenarios.

Microsoft Sentinel / Defender

kusto

let SuspiciousContainerFlags = dynamic([
    "--restart=always", "--restart always",
    "--privileged",
    "--pid=host",
    "--net=host", "--network=host",
    "--cap-add=SYS_ADMIN", "--cap-add SYS_ADMIN",
    "--cap-add ALL", "--cap-add=ALL",
    "-v /:/", "--volume /:/",
    "--device /dev/mem", "--device /dev/kmem"
]);
let ContainerRuntimes = dynamic(["docker", "podman", "nerdctl"]);
// Signal 1: Container run with persistence (restart=always) or privilege escalation flags
let ContainerRunAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ (ContainerRuntimes)) or (InitiatingProcessFileName in~ (ContainerRuntimes))
| where ProcessCommandLine has "run"
| where ProcessCommandLine has_any (SuspiciousContainerFlags)
| extend PersistenceFlag = ProcessCommandLine has_any ("--restart=always", "--restart always")
| extend PrivilegedFlag = ProcessCommandLine has_any ("--privileged", "--pid=host", "--net=host", "--network=host", "--cap-add=SYS_ADMIN", "--cap-add SYS_ADMIN", "--cap-add ALL", "--cap-add=ALL")
| extend HostMountFlag = ProcessCommandLine has_any ("-v /:/", "--volume /:/", "--device /dev/mem", "--device /dev/kmem")
| extend RiskScore = toint(PersistenceFlag) + toint(PrivilegedFlag) + toint(HostMountFlag)
| extend AttackPattern = case(
    PersistenceFlag and PrivilegedFlag, "CRITICAL: Persistent privileged container — auto-restart with full host kernel access",
    PersistenceFlag and HostMountFlag, "CRITICAL: Persistent container with host root filesystem mount",
    PrivilegedFlag and HostMountFlag, "HIGH: Privileged container with host root filesystem access",
    PersistenceFlag, "MEDIUM: Container persistence via restart=always policy",
    PrivilegedFlag, "HIGH: Container privilege escalation or host escape via capability flags",
    HostMountFlag, "HIGH: Host root filesystem bind mount — full host file read/write",
    "MEDIUM: Suspicious container configuration"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern;
// Signal 2: Docker exec spawning interactive shell (post-exploitation inside container)
let ContainerExecShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ContainerRuntimes)
| where ProcessCommandLine has "exec" 
| where ProcessCommandLine has_any ("/bin/bash", "/bin/sh", "/bin/zsh", "bash", "sh -i", "sh -c")
| where not(InitiatingProcessFileName in~ ("containerd", "dockerd", "container-shim"))
| extend PersistenceFlag = false
| extend PrivilegedFlag = false
| extend HostMountFlag = false
| extend RiskScore = 1
| extend AttackPattern = "MEDIUM: Interactive shell exec into running container — potential lateral movement or post-exploitation"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern;
ContainerRunAbuse
| union ContainerExecShell
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux)

Required Tables

DeviceProcessEvents

False Positives

Legitimate infrastructure-as-code pipelines (Ansible, Terraform, Puppet) deploying containers with specific restart policies in staging and production environments
Platform engineering teams running privileged containers for system-level tooling such as monitoring exporters (node-exporter, Falco), network packet capture tools, or kernel debuggers
Container security tooling (Falco, Sysdig, Tetragon) that require --privileged or specific capabilities to instrument the kernel
Developers using 'docker exec' to debug running containers in development environments
CI/CD systems running Docker-in-Docker (DinD) builds that require privileged containers or socket mounts

Splunk

spl

// T1543.005 — Container Service persistence and privilege escalation
// Primary: Linux auditd EXECVE events for Docker/Podman suspicious flags
(index=linux OR index=os OR index=main) sourcetype="linux_audit" type=EXECVE
| eval arg_list=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19), " ")
| eval full_cmd=coalesce(arg_list, "")
| where (match(full_cmd, "(^|\s)(docker|podman|nerdctl)\s+run"))
| eval PersistenceFlag=if(match(full_cmd, "--restart.{0,3}always"), 1, 0)
| eval PrivilegedFlag=if(match(full_cmd, "--privileged|--pid.host|--net.host|--network.host|--cap-add.{0,1}SYS_ADMIN|--cap-add.{0,1}ALL"), 1, 0)
| eval HostMountFlag=if(match(full_cmd, "-v\s+/[^:]*:/|--volume\s+/[^:]*:/|--device\s+/dev/(mem|kmem)"), 1, 0)
| eval RiskScore=PersistenceFlag+PrivilegedFlag+HostMountFlag
| where RiskScore > 0
| eval AttackPattern=case(
    PersistenceFlag=1 AND PrivilegedFlag=1, "CRITICAL: Persistent privileged container",
    PersistenceFlag=1 AND HostMountFlag=1, "CRITICAL: Persistent container with host filesystem mount",
    PrivilegedFlag=1 AND HostMountFlag=1, "HIGH: Privileged container with root filesystem access",
    PersistenceFlag=1, "MEDIUM: Container persistence via restart=always",
    PrivilegedFlag=1, "HIGH: Privileged container / capability escalation",
    HostMountFlag=1, "HIGH: Host root filesystem bind mount",
    1=1, "MEDIUM: Suspicious container configuration"
)
| eval ContainerRuntime=case(
    match(full_cmd, "^docker"), "docker",
    match(full_cmd, "^podman"), "podman",
    match(full_cmd, "^nerdctl"), "nerdctl",
    1=1, "unknown"
)
| lookup dnslookup clienthost as host OUTPUT clientip
| table _time, host, clientip, full_cmd, ContainerRuntime, PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern
| sort - _time

| append [
    search (index=linux OR index=os OR index=main) sourcetype="linux_audit" type=EXECVE
    | eval arg_list=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14), " ")
    | eval full_cmd=coalesce(arg_list, "")
    | where match(full_cmd, "(^|\s)(docker|podman)\s+exec") AND match(full_cmd, "(/bin/bash|/bin/sh|/bin/zsh|\s-i\s|\ssh\s-c)")
    | eval PersistenceFlag=0, PrivilegedFlag=0, HostMountFlag=0, RiskScore=1
    | eval AttackPattern="MEDIUM: Interactive shell exec into running container"
    | eval ContainerRuntime=if(match(full_cmd,"^docker"),"docker","podman")
    | table _time, host, full_cmd, ContainerRuntime, PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern
]

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Linux Audit Daemon (auditd)

Required Sourcetypes

linux_audit

False Positives

Legitimate platform engineering deployments of monitoring agents (Prometheus node-exporter, Falco, Datadog) that require --privileged to access kernel interfaces
DevOps teams using Docker-in-Docker (DinD) CI/CD pipelines that require privileged mode or socket mounts
Container security tooling (Sysdig, Tetragon, eBPF tracers) that require host PID namespace or capabilities
Infrastructure automation (Ansible playbooks, Terraform apply) using containers with defined restart policies in managed environments
Developer workstations and sandbox environments where privileged containers are commonly used for experimentation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  UTF8(payload) AS raw_payload,
  CASE
    WHEN UTF8(payload) ILIKE '%--restart=always%' OR UTF8(payload) ILIKE '%--restart always%' THEN 1
    ELSE 0
  END AS persistence_flag,
  CASE
    WHEN UTF8(payload) ILIKE '%--privileged%'
      OR UTF8(payload) ILIKE '%--pid=host%'
      OR UTF8(payload) ILIKE '%--net=host%'
      OR UTF8(payload) ILIKE '%--network=host%'
      OR UTF8(payload) ILIKE '%--cap-add=SYS_ADMIN%'
      OR UTF8(payload) ILIKE '%--cap-add SYS_ADMIN%'
      OR UTF8(payload) ILIKE '%--cap-add=ALL%'
      OR UTF8(payload) ILIKE '%--cap-add ALL%' THEN 1
    ELSE 0
  END AS privileged_flag,
  CASE
    WHEN UTF8(payload) ILIKE '%-v /%:/%'
      OR UTF8(payload) ILIKE '%--volume /%:/%'
      OR UTF8(payload) ILIKE '%--device /dev/mem%'
      OR UTF8(payload) ILIKE '%--device /dev/kmem%' THEN 1
    ELSE 0
  END AS host_mount_flag,
  CASE
    WHEN (UTF8(payload) ILIKE '%--restart=always%' OR UTF8(payload) ILIKE '%--restart always%')
      AND (UTF8(payload) ILIKE '%--privileged%' OR UTF8(payload) ILIKE '%--pid=host%' OR UTF8(payload) ILIKE '%--net=host%')
      THEN 'CRITICAL: Persistent privileged container'
    WHEN (UTF8(payload) ILIKE '%--restart=always%' OR UTF8(payload) ILIKE '%--restart always%')
      AND (UTF8(payload) ILIKE '%-v /%:/%' OR UTF8(payload) ILIKE '%--volume /%:/%')
      THEN 'CRITICAL: Persistent container with host filesystem mount'
    WHEN (UTF8(payload) ILIKE '%--privileged%' OR UTF8(payload) ILIKE '%--pid=host%')
      AND (UTF8(payload) ILIKE '%-v /%:/%' OR UTF8(payload) ILIKE '%--volume /%:/%')
      THEN 'HIGH: Privileged container with root filesystem access'
    WHEN UTF8(payload) ILIKE '%--restart=always%' OR UTF8(payload) ILIKE '%--restart always%'
      THEN 'MEDIUM: Container persistence via restart=always'
    WHEN UTF8(payload) ILIKE '%--privileged%' OR UTF8(payload) ILIKE '%--pid=host%'
      THEN 'HIGH: Privileged container or capability escalation'
    WHEN UTF8(payload) ILIKE '%-v /%:/%' OR UTF8(payload) ILIKE '%--volume /%:/%'
      THEN 'HIGH: Host root filesystem bind mount'
    ELSE 'MEDIUM: Suspicious container configuration'
  END AS attack_pattern
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Linux', 'LinuxAudit', 'SyslogNg', 'UniversalDSM')
  AND starttime > NOW() - 86400 SECONDS
  AND (
    (UTF8(payload) ILIKE '%docker run%' OR UTF8(payload) ILIKE '%podman run%' OR UTF8(payload) ILIKE '%nerdctl run%')
    AND (
      UTF8(payload) ILIKE '%--restart=always%' OR
      UTF8(payload) ILIKE '%--restart always%' OR
      UTF8(payload) ILIKE '%--privileged%' OR
      UTF8(payload) ILIKE '%--pid=host%' OR
      UTF8(payload) ILIKE '%--net=host%' OR
      UTF8(payload) ILIKE '%--network=host%' OR
      UTF8(payload) ILIKE '%--cap-add=SYS_ADMIN%' OR
      UTF8(payload) ILIKE '%--cap-add=ALL%' OR
      UTF8(payload) ILIKE '%-v /%:/%' OR
      UTF8(payload) ILIKE '%--device /dev/mem%' OR
      UTF8(payload) ILIKE '%--device /dev/kmem%'
    )
  )
  OR (
    (UTF8(payload) ILIKE '%docker exec%' OR UTF8(payload) ILIKE '%podman exec%')
    AND (UTF8(payload) ILIKE '%/bin/bash%' OR UTF8(payload) ILIKE '%/bin/sh%' OR UTF8(payload) ILIKE '% -i %' OR UTF8(payload) ILIKE '%sh -c%')
  )
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Linux OS log source (syslog/auditd) QRadar Universal DSM for Linux Linux Audit Framework via QRadar agent

Required Tables

events

False Positives

Automated CI/CD pipeline agents (Jenkins, GitLab Runner) that use --privileged for Docker-in-Docker builds in dedicated build infrastructure
Container management platforms (Portainer, Rancher) that perform docker exec operations for legitimate container health checks and log collection
Infrastructure-as-code tools performing container lifecycle management with elevated flags in controlled deployment environments

Sumo Logic CSE

sql

// T1543.005 - Container Service Persistence and Privilege Escalation
(_sourceCategory=*linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| where _raw matches /(?i)(docker|podman|nerdctl)\s+run/
| parse regex "(?i)(?P<container_runtime>docker|podman|nerdctl)\s+(?:.*?)run\s+(?P<run_args>.*)" nodrop
| if (matches(run_args, "(?i)--restart.{0,3}always"), 1, 0) as persistence_flag
| if (matches(run_args, "(?i)(--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))"), 1, 0) as privileged_flag
| if (matches(run_args, "(?i)(-v\s+/[^:]*:/|--volume\s+/[^:]*:/|--device\s+/dev/(mem|kmem))"), 1, 0) as host_mount_flag
| host_mount_flag + privileged_flag + persistence_flag as risk_score
| where risk_score > 0
| if (persistence_flag=1 AND privileged_flag=1, "CRITICAL: Persistent privileged container",
    if (persistence_flag=1 AND host_mount_flag=1, "CRITICAL: Persistent container with host filesystem mount",
    if (privileged_flag=1 AND host_mount_flag=1, "HIGH: Privileged container with root filesystem access",
    if (persistence_flag=1, "MEDIUM: Container persistence via restart=always",
    if (privileged_flag=1, "HIGH: Container privilege escalation via capability flags",
    if (host_mount_flag=1, "HIGH: Host root filesystem bind mount",
    "MEDIUM: Suspicious container configuration")))))) as attack_pattern
| fields _messagetime, _sourceHost, _sourceCategory, container_runtime, run_args, persistence_flag, privileged_flag, host_mount_flag, risk_score, attack_pattern
| sort by _messagetime desc

// Append container exec interactive shell detection
| append [
(_sourceCategory=*linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| where _raw matches /(?i)(docker|podman|nerdctl)\s+exec/
| where _raw matches /(?i)(\/(bin\/bash|bin\/sh|bin\/zsh)|(\s-i\s)|(sh\s-c))/
| parse regex "(?P<container_runtime>docker|podman|nerdctl)" nodrop
| 0 as persistence_flag | 0 as privileged_flag | 0 as host_mount_flag | 1 as risk_score
| "MEDIUM: Interactive shell exec into running container" as attack_pattern
| fields _messagetime, _sourceHost, _sourceCategory, container_runtime, persistence_flag, privileged_flag, host_mount_flag, risk_score, attack_pattern
]

high severity high confidence

Data Sources

Linux syslog via Sumo Logic Installed Collector Linux Auditd via Sumo Logic Container host OS logs

Required Tables

_sourceCategory=*linux* _sourceCategory=*audit* _sourceCategory=*syslog*

False Positives

Docker-in-Docker CI/CD pipelines on dedicated build servers using --privileged mode (Jenkins agents, GitLab shared runners, GitHub Actions self-hosted runners)
Security and monitoring tools such as Falco, Sysdig, or Datadog Agent that mount host /proc or /sys via volume mounts for system introspection
Container backup and disaster recovery tools that bind-mount host directories for snapshot purposes during scheduled maintenance windows

Google Chronicle / SecOps

yaral

rule T1543_005_Container_Service_Persistence_Escalation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1543.005 container service abuse including persistence via restart=always, privilege escalation via --privileged/--pid=host/--net=host/--cap-add flags, and host filesystem bind mounts"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543.005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(docker|podman|nerdctl)$/
    (
      (
        $e.principal.process.command_line = /(?i)\srun\s/ and
        (
          $e.principal.process.command_line = /--restart.{0,3}always/ or
          $e.principal.process.command_line = /--privileged/ or
          $e.principal.process.command_line = /--pid[=\s]host/ or
          $e.principal.process.command_line = /--net[=\s]host/ or
          $e.principal.process.command_line = /--network[=\s]host/ or
          $e.principal.process.command_line = /--cap-add[=\s](SYS_ADMIN|ALL)/ or
          $e.principal.process.command_line = /-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\// or
          $e.principal.process.command_line = /--device\s+\/dev\/(mem|kmem)/
        )
      ) or
      (
        $e.principal.process.command_line = /(?i)\sexec\s/ and
        $e.principal.process.command_line = /(\/bin\/(bash|sh|zsh)|\s-i\s|sh\s-c)/
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.principal.process.command_line = /--restart.{0,3}always/, 1, 0) +
      if($e.principal.process.command_line = /(--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))/, 1, 0) +
      if($e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/|--device\s+\/dev\/(mem|kmem))/, 1, 0)
    )
    $attack_pattern = if(
      $e.principal.process.command_line = /--restart.{0,3}always/ and
      $e.principal.process.command_line = /(--privileged|--pid[=\s]host|--net[=\s]host)/,
      "CRITICAL: Persistent privileged container",
      if(
        $e.principal.process.command_line = /--restart.{0,3}always/ and
        $e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/)/ ,
        "CRITICAL: Persistent container with host filesystem mount",
        if(
          $e.principal.process.command_line = /(--privileged|--pid[=\s]host)/ and
          $e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/)/ ,
          "HIGH: Privileged container with root filesystem access",
          if(
            $e.principal.process.command_line = /--restart.{0,3}always/,
            "MEDIUM: Container persistence via restart=always",
            if(
              $e.principal.process.command_line = /(--privileged|--pid[=\s]host|--net[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))/,
              "HIGH: Container privilege escalation via capability flags",
              if(
                $e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--device\s+\/dev\/(mem|kmem))/,
                "HIGH: Host root filesystem bind mount",
                "MEDIUM: Interactive shell exec into running container"
              )
            )
          )
        )
      )
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $command_line = $e.principal.process.command_line
    $container_runtime = $e.principal.process.file.full_path

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM - Linux process telemetry Chronicle Forwarder on container hosts GCP Cloud Audit Logs (for GKE DaemonSet abuse)

Required Tables

UDM entity graph - process events

False Positives

Legitimate container orchestration operations by Kubernetes node agents (kubelet) that may use privileged containers for CNI plugins, storage drivers (CSI), or monitoring DaemonSets
Cloud provider managed node bootstrapping processes that temporarily use privileged containers for node initialization and driver installation on GKE, EKS, or AKS clusters
Developer workstations running Docker Desktop or Rancher Desktop where developers routinely use elevated flags for local development and testing environments

CrowdStrike LogScale (CQL)

cql

// T1543.005 — Container Service Persistence and Privilege Escalation
// Signal 1: Container run with suspicious flags
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(docker|podman|nerdctl)$/
| CommandLine = /(?i)\srun\s/
| CommandLine = /(--restart.{0,3}always|--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL)|-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/|--device\s+\/dev\/(mem|kmem))/
| PersistenceFlag := if(CommandLine = /--restart.{0,3}always/, "true", "false")
| PrivilegedFlag := if(CommandLine = /(--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))/, "true", "false")
| HostMountFlag := if(CommandLine = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/|--device\s+\/dev\/(mem|kmem))/, "true", "false")
| RiskScore := if(PersistenceFlag="true", 1, 0) + if(PrivilegedFlag="true", 1, 0) + if(HostMountFlag="true", 1, 0)
| AttackPattern := case {
    PersistenceFlag="true" AND PrivilegedFlag="true" => "CRITICAL: Persistent privileged container — auto-restart with full host kernel access" ;
    PersistenceFlag="true" AND HostMountFlag="true" => "CRITICAL: Persistent container with host root filesystem mount" ;
    PrivilegedFlag="true" AND HostMountFlag="true" => "HIGH: Privileged container with host root filesystem access" ;
    PersistenceFlag="true" => "MEDIUM: Container persistence via restart=always policy" ;
    PrivilegedFlag="true" => "HIGH: Container privilege escalation or host escape via capability flags" ;
    HostMountFlag="true" => "HIGH: Host root filesystem bind mount — full host file read/write" ;
    default => "MEDIUM: Suspicious container configuration"
  }
| ContainerRuntime := replace("(?i).*(docker|podman|nerdctl)$", "\\1", ImageFileName)
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern, ContainerRuntime])
| sort(field=@timestamp, order=desc)

// Signal 2: Container exec spawning interactive shell
| union [
  #event_simpleName=ProcessRollup2
  | ImageFileName = /(?i)(docker|podman|nerdctl)$/
  | CommandLine = /(?i)\sexec\s/
  | CommandLine = /(\/bin\/(bash|sh|zsh)|\s-i\s|sh\s-c\s)/
  | not(ParentImageFileName = /(containerd|dockerd|containerd-shim)/)
  | PersistenceFlag := "false"
  | PrivilegedFlag := "false"
  | HostMountFlag := "false"
  | RiskScore := 1
  | AttackPattern := "MEDIUM: Interactive shell exec into running container — potential lateral movement or post-exploitation"
  | ContainerRuntime := replace("(?i).*(docker|podman|nerdctl)$", "\\1", ImageFileName)
  | select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern, ContainerRuntime])
]

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor - ProcessRollup2 events on Linux container hosts Falcon for Containers / Kubernetes Protection Agent

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor container itself may generate similar process telemetry when the Falcon sensor DaemonSet is deployed with privileged access to collect kernel-level telemetry
Legitimate Kubernetes CSI driver pods, CNI plugin DaemonSets (Calico, Cilium, Flannel), and storage provisioners that require --privileged mode for kernel module access
Automated blue team validation tools (Atomic Red Team, Caldera, VECTR) running T1543.005 test cases in authorized security testing environments

Last updated: 2026-04-21 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1543.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1543Create or Modify System Process

Related Sub-techniques

T1543.001Launch Agent T1543.002Systemd Service T1543.003Windows Service T1543.004Launch Daemon

Container Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections