T1543.005 Google Chronicle · YARA-L

Detect Container Service in Google Chronicle

Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may achieve persistence or escalate their privileges on a host. Common abuse patterns include using 'docker run' or 'podman run' with the '--restart=always' directive to configure a container to persistently restart after daemon restarts or host reboots, using '--privileged', '--pid=host', or '--net=host' flags to break container isolation and gain access to the underlying host kernel, bind-mounting the root filesystem ('-v /:/') to read or modify host files, and leveraging Kubernetes DaemonSets to deploy malicious containers persistently across all current and future cluster nodes. Threat actor groups including TeamTNT have exploited exposed Docker APIs to deploy cryptomining and backdoor containers with restart=always policies. Privilege escalation via docker group membership is documented in GTFOBins and widely exploited in post-exploitation scenarios.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1543 Create or Modify System Process
Sub-technique
T1543.005 Container Service
Canonical reference
https://attack.mitre.org/techniques/T1543/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1543_005_Container_Service_Persistence_Escalation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1543.005 container service abuse including persistence via restart=always, privilege escalation via --privileged/--pid=host/--net=host/--cap-add flags, and host filesystem bind mounts"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1543.005"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(docker|podman|nerdctl)$/
    (
      (
        $e.principal.process.command_line = /(?i)\srun\s/ and
        (
          $e.principal.process.command_line = /--restart.{0,3}always/ or
          $e.principal.process.command_line = /--privileged/ or
          $e.principal.process.command_line = /--pid[=\s]host/ or
          $e.principal.process.command_line = /--net[=\s]host/ or
          $e.principal.process.command_line = /--network[=\s]host/ or
          $e.principal.process.command_line = /--cap-add[=\s](SYS_ADMIN|ALL)/ or
          $e.principal.process.command_line = /-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\// or
          $e.principal.process.command_line = /--device\s+\/dev\/(mem|kmem)/
        )
      ) or
      (
        $e.principal.process.command_line = /(?i)\sexec\s/ and
        $e.principal.process.command_line = /(\/bin\/(bash|sh|zsh)|\s-i\s|sh\s-c)/
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    // Sum of the three flag families (persistence, privilege, host access); range 0-3.
    $risk_score = max(
      if($e.principal.process.command_line = /--restart.{0,3}always/, 1, 0) +
      if($e.principal.process.command_line = /(--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))/, 1, 0) +
      if($e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/|--device\s+\/dev\/(mem|kmem))/, 1, 0)
    )
    // First matching tier wins; the final else covers the exec branch of the events section.
    // Outcome variables in a rule with a match section must be aggregated, hence array_distinct().
    $attack_pattern = array_distinct(if(
      $e.principal.process.command_line = /--restart.{0,3}always/ and
      $e.principal.process.command_line = /(--privileged|--pid[=\s]host|--net[=\s]host)/,
      "CRITICAL: Persistent privileged container",
      if(
        $e.principal.process.command_line = /--restart.{0,3}always/ and
        $e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/)/,
        "CRITICAL: Persistent container with host filesystem mount",
        if(
          $e.principal.process.command_line = /(--privileged|--pid[=\s]host)/ and
          $e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/)/,
          "HIGH: Privileged container with root filesystem access",
          if(
            $e.principal.process.command_line = /--restart.{0,3}always/,
            "MEDIUM: Container persistence via restart=always",
            if(
              $e.principal.process.command_line = /(--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))/,
              "HIGH: Container privilege escalation via capability flags",
              if(
                $e.principal.process.command_line = /(-v\s+\/[^:]*:\/|--volume\s+\/[^:]*:\/|--device\s+\/dev\/(mem|kmem))/,
                "HIGH: Host root filesystem bind mount",
                "MEDIUM: Interactive shell exec into running container"
              )
            )
          )
        )
      )
    ))
    $hostname = array_distinct($e.principal.hostname)
    $username = array_distinct($e.principal.user.userid)
    $command_line = array_distinct($e.principal.process.command_line)
    $container_runtime = array_distinct($e.principal.process.file.full_path)

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1543.005 container service persistence and privilege escalation. Monitors process launch events for docker, podman, and nerdctl binaries executing run commands with dangerous flags or exec commands spawning interactive shells. Scores risk based on flag combinations and classifies attack patterns from MEDIUM to CRITICAL severity.

Data Sources

  • Google Chronicle UDM - Linux process telemetry
  • Chronicle Forwarder on container hosts
  • GCP Cloud Audit Logs (for GKE DaemonSet abuse)

Required Tables

UDM entity graph - process events

False Positives & Tuning

  • Legitimate container orchestration operations by Kubernetes node agents (kubelet) that may use privileged containers for CNI plugins, storage drivers (CSI), or monitoring DaemonSets
  • Cloud provider managed node bootstrapping processes that temporarily use privileged containers for node initialization and driver installation on GKE, EKS, or AKS clusters
  • Developer workstations running Docker Desktop or Rancher Desktop where developers routinely use elevated flags for local development and testing environments

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Docker Container Persistence via restart=always

    Expected signal: Linux auditd EXECVE: type=EXECVE with a0=docker, a1=run, a2=-d, a3=--restart=always, a4=--name, a5=df00tech-persist-test. MDE DeviceProcessEvents: FileName=docker, ProcessCommandLine contains 'run' and '--restart=always'. Expected PersistenceFlag=true, PrivilegedFlag=false, HostMountFlag=false, RiskScore=1.

  2. Test 2: Privileged Container Execution with Host PID Namespace

    Expected signal: Linux auditd EXECVE: type=EXECVE with args containing 'docker', 'run', '--privileged', '--pid=host'. MDE DeviceProcessEvents: ProcessCommandLine contains '--privileged' and '--pid=host'. PrivilegedFlag=true, RiskScore=1.

  3. Test 3: Container with Host Root Filesystem Bind Mount

    Expected signal: Linux auditd EXECVE: args containing 'docker', 'run', '-v', '/:/host-root:ro'. MDE DeviceProcessEvents: ProcessCommandLine contains '-v /:/host-root'. HostMountFlag triggers on '-v /:/'. RiskScore=1.

  4. Test 4: Combined Persistent Privileged Container (Critical Combination)

    Expected signal: Linux auditd EXECVE: args contain 'docker', 'run', '-d', '--restart=always', '--privileged', '--name', 'df00tech-critical-test'. MDE DeviceProcessEvents: ProcessCommandLine contains '--restart=always' and '--privileged'. PersistenceFlag=true, PrivilegedFlag=true, RiskScore=2.

  5. Test 5: Kubernetes DaemonSet Creation for Cluster-Wide Persistence

    Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=daemonsets, objectRef.namespace=default, objectRef.name=df00tech-persist-daemonset, responseStatus.code=201. AzureDiagnostics Category=kube-audit or AKSAuditAdmin table: DaemonSet creation event with requesting user and full object spec.
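The rule's scoring and classification logic, re-expressed in Python as an added example (not code from the Argus page or from Chronicle) so that the five expected signals above can be checked offline before the rule is deployed. The regexes are copied from the rule; the command lines and the Kubernetes audit entry are constructed samples; the helper names evaluate, classify and is_daemonset_create are chosen here. The samples also show one caveat a tuner should know: the host-mount pattern -v\s+\/[^:]*:\/ matches any absolute-path bind mount, not only /:/, so a command like "-v /srv/app:/app" fires with the same HIGH label as a root-filesystem mount.

```python
import json
import re

# Added example (not part of the Argus page or Chronicle): the YARA-L rule's regexes
# re-expressed in Python so the scoring and classification can be unit tested offline.
RUNTIME_RE = re.compile(r"(?i)(docker|podman|nerdctl)$")
RUN_RE = re.compile(r"(?i)\srun\s")
EXEC_RE = re.compile(r"(?i)\sexec\s")
SHELL_RE = re.compile(r"(/bin/(bash|sh|zsh)|\s-i\s|sh\s-c)")

# The three flag families the outcome section adds up into $risk_score.
PERSIST_RE = re.compile(r"--restart.{0,3}always")
PRIV_RE = re.compile(
    r"(--privileged|--pid[=\s]host|--net[=\s]host|--network[=\s]host|--cap-add[=\s](SYS_ADMIN|ALL))"
)
MOUNT_RE = re.compile(r"(-v\s+/[^:]*:/|--volume\s+/[^:]*:/|--device\s+/dev/(mem|kmem))")

# Narrower sub-patterns used only by the nested if() chain that labels $attack_pattern.
PRIV_NO_CAP_RE = re.compile(r"(--privileged|--pid[=\s]host|--net[=\s]host)")
PRIV_PID_RE = re.compile(r"(--privileged|--pid[=\s]host)")
VOLUME_RE = re.compile(r"(-v\s+/[^:]*:/|--volume\s+/[^:]*:/)")


def classify(cmd):
    """Mirror the rule's nested if() chain: the first matching tier wins."""
    persist = PERSIST_RE.search(cmd)
    if persist and PRIV_NO_CAP_RE.search(cmd):
        return "CRITICAL: Persistent privileged container"
    if persist and VOLUME_RE.search(cmd):
        return "CRITICAL: Persistent container with host filesystem mount"
    if PRIV_PID_RE.search(cmd) and VOLUME_RE.search(cmd):
        return "HIGH: Privileged container with root filesystem access"
    if persist:
        return "MEDIUM: Container persistence via restart=always"
    if PRIV_RE.search(cmd):
        return "HIGH: Container privilege escalation via capability flags"
    if MOUNT_RE.search(cmd):
        return "HIGH: Host root filesystem bind mount"
    return "MEDIUM: Interactive shell exec into running container"


def evaluate(full_path, command_line):
    """Return None when the events section would not match, otherwise the outcome fields."""
    if not RUNTIME_RE.search(full_path):  # dockerd, containerd etc. do not match the CLI pattern
        return None
    flags = {
        "PersistenceFlag": bool(PERSIST_RE.search(command_line)),
        "PrivilegedFlag": bool(PRIV_RE.search(command_line)),
        "HostMountFlag": bool(MOUNT_RE.search(command_line)),
    }
    run_branch = RUN_RE.search(command_line) and any(flags.values())
    exec_branch = EXEC_RE.search(command_line) and SHELL_RE.search(command_line)
    if not (run_branch or exec_branch):
        return None
    return {**flags, "RiskScore": sum(flags.values()), "AttackPattern": classify(command_line)}


def is_daemonset_create(audit_json):
    """Test 5: a Kubernetes API server audit entry recording a successful DaemonSet creation."""
    ev = json.loads(audit_json)
    ref = ev.get("objectRef", {})
    return (ev.get("verb") == "create"
            and ref.get("resource") == "daemonsets"
            and ev.get("responseStatus", {}).get("code") == 201)


# Constructed sample telemetry following the Testing Methodology above (not real captures).
SAMPLE_EVENTS = {
    "test1": ("/usr/bin/docker", "docker run -d --restart=always --name df00tech-persist-test alpine sleep infinity"),
    "test2": ("/usr/bin/docker", "docker run --privileged --pid=host alpine sh"),
    "test3": ("/usr/bin/docker", "docker run -v /:/host-root:ro alpine ls /host-root"),
    "test4": ("/usr/bin/docker", "docker run -d --restart=always --privileged --name df00tech-critical-test alpine sleep infinity"),
    "exec": ("/usr/bin/podman", "podman exec -it web /bin/bash"),
    "benign_ps": ("/usr/bin/docker", "docker ps -a"),
    "daemon": ("/usr/bin/dockerd", "dockerd -H fd://"),
    "app_mount": ("/usr/bin/docker", "docker run -v /srv/app:/app nginx"),  # caveat: non-root path still fires
}

SAMPLE_AUDIT = json.dumps({
    "verb": "create",
    "objectRef": {"resource": "daemonsets", "namespace": "default", "name": "df00tech-persist-daemonset"},
    "responseStatus": {"code": 201},
})

if __name__ == "__main__":
    for name, (path, cmd) in SAMPLE_EVENTS.items():
        print(f"{name:10s} {evaluate(path, cmd)}")
    print("daemonset create:", is_daemonset_create(SAMPLE_AUDIT))
```

Run it directly to print the outcome fields for every sample; Tests 1 through 4 produce the flag values and RiskScore listed in the methodology, the benign samples return None, and the app_mount sample documents the false-positive surface that the tuning notes about developer workstations describe.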
