Detect Container Service in Splunk
Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may achieve persistence or escalate their privileges on a host. Common abuse patterns include using 'docker run' or 'podman run' with the '--restart=always' directive to configure a container to persistently restart after daemon restarts or host reboots, using '--privileged', '--pid=host', or '--net=host' flags to break container isolation and gain access to the underlying host kernel, bind-mounting the root filesystem ('-v /:/') to read or modify host files, and leveraging Kubernetes DaemonSets to deploy malicious containers persistently across all current and future cluster nodes. Threat actor groups including TeamTNT have exploited exposed Docker APIs to deploy cryptomining and backdoor containers with restart=always policies. Privilege escalation via docker group membership is documented in GTFOBins and widely exploited in post-exploitation scenarios.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1543 Create or Modify System Process
- Sub-technique
- T1543.005 Container Service
- Canonical reference
- https://attack.mitre.org/techniques/T1543/005/
SPL Detection Query
// T1543.005 — Container Service persistence and privilege escalation
// Primary: Linux auditd EXECVE events for Docker/Podman suspicious flags
(index=linux OR index=os OR index=main) sourcetype="linux_audit" type=EXECVE
| eval arg_list=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19), " ")
| eval full_cmd=coalesce(arg_list, "")
| where (match(full_cmd, "(^|\s)(docker|podman|nerdctl)\s+run"))
| eval PersistenceFlag=if(match(full_cmd, "--restart.{0,3}always"), 1, 0)
| eval PrivilegedFlag=if(match(full_cmd, "--privileged|--pid.host|--net.host|--network.host|--cap-add.{0,1}SYS_ADMIN|--cap-add.{0,1}ALL"), 1, 0)
| eval HostMountFlag=if(match(full_cmd, "-v\s+/[^:]*:/|--volume\s+/[^:]*:/|--device\s+/dev/(mem|kmem)"), 1, 0)
| eval RiskScore=PersistenceFlag+PrivilegedFlag+HostMountFlag
| where RiskScore > 0
| eval AttackPattern=case(
PersistenceFlag=1 AND PrivilegedFlag=1, "CRITICAL: Persistent privileged container",
PersistenceFlag=1 AND HostMountFlag=1, "CRITICAL: Persistent container with host filesystem mount",
PrivilegedFlag=1 AND HostMountFlag=1, "HIGH: Privileged container with root filesystem access",
PersistenceFlag=1, "MEDIUM: Container persistence via restart=always",
PrivilegedFlag=1, "HIGH: Privileged container / capability escalation",
HostMountFlag=1, "HIGH: Host root filesystem bind mount",
1=1, "MEDIUM: Suspicious container configuration"
)
| eval ContainerRuntime=case(
match(full_cmd, "^docker"), "docker",
match(full_cmd, "^podman"), "podman",
match(full_cmd, "^nerdctl"), "nerdctl",
1=1, "unknown"
)
| lookup dnslookup clienthost as host OUTPUT clientip
| table _time, host, clientip, full_cmd, ContainerRuntime, PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern
| sort - _time
| append [
search (index=linux OR index=os OR index=main) sourcetype="linux_audit" type=EXECVE
| eval arg_list=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12,a13,a14), " ")
| eval full_cmd=coalesce(arg_list, "")
| where match(full_cmd, "(^|\s)(docker|podman)\s+exec") AND match(full_cmd, "(/bin/bash|/bin/sh|/bin/zsh|\s-i\s|\ssh\s-c)")
| eval PersistenceFlag=0, PrivilegedFlag=0, HostMountFlag=0, RiskScore=1
| eval AttackPattern="MEDIUM: Interactive shell exec into running container"
| eval ContainerRuntime=if(match(full_cmd,"^docker"),"docker","podman")
| table _time, host, full_cmd, ContainerRuntime, PersistenceFlag, PrivilegedFlag, HostMountFlag, RiskScore, AttackPattern
]Detects container service abuse for persistence and privilege escalation using Linux auditd EXECVE events. Reconstructs the full command line from individual argument fields (a0-a19) to evaluate Docker, Podman, and nerdctl run commands for dangerous flags. PersistenceFlag triggers on restart=always; PrivilegedFlag triggers on --privileged, host namespace sharing, and SYS_ADMIN capabilities; HostMountFlag triggers on host directory bind mounts. An appended subsearch captures interactive shell execution via 'docker exec' or 'podman exec'. RiskScore aggregation prioritizes alerts with multiple indicators. Requires Linux auditd configured to capture execve syscalls (auditctl -a always,exit -F arch=b64 -S execve).
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate platform engineering deployments of monitoring agents (Prometheus node-exporter, Falco, Datadog) that require --privileged to access kernel interfaces
- DevOps teams using Docker-in-Docker (DinD) CI/CD pipelines that require privileged mode or socket mounts
- Container security tooling (Sysdig, Tetragon, eBPF tracers) that require host PID namespace or capabilities
- Infrastructure automation (Ansible playbooks, Terraform apply) using containers with defined restart policies in managed environments
- Developer workstations and sandbox environments where privileged containers are commonly used for experimentation
Other platforms for T1543.005
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Docker Container Persistence via restart=always
Expected signal: Linux auditd EXECVE: type=EXECVE with a0=docker, a1=run, a2=-d, a3=--restart=always, a4=--name, a5=df00tech-persist-test. MDE DeviceProcessEvents: FileName=docker, ProcessCommandLine contains 'run' and '--restart=always'. Expected PersistenceFlag=true, PrivilegedFlag=false, HostMountFlag=false, RiskScore=1.
- Test 2Privileged Container Execution with Host PID Namespace
Expected signal: Linux auditd EXECVE: type=EXECVE with args containing 'docker', 'run', '--privileged', '--pid=host'. MDE DeviceProcessEvents: ProcessCommandLine contains '--privileged' and '--pid=host'. PrivilegedFlag=true, RiskScore=1.
- Test 3Container with Host Root Filesystem Bind Mount
Expected signal: Linux auditd EXECVE: args containing 'docker', 'run', '-v', '/:/host-root:ro'. MDE DeviceProcessEvents: ProcessCommandLine contains '-v /:/host-root'. HostMountFlag triggers on '-v /:/'. RiskScore=1.
- Test 4Combined Persistent Privileged Container (Critical Combination)
Expected signal: Linux auditd EXECVE: args contain 'docker', 'run', '-d', '--restart=always', '--privileged', '--name', 'df00tech-critical-test'. MDE DeviceProcessEvents: ProcessCommandLine contains '--restart=always' and '--privileged'. PersistenceFlag=true, PrivilegedFlag=true, RiskScore=2.
- Test 5Kubernetes DaemonSet Creation for Cluster-Wide Persistence
Expected signal: Kubernetes API server audit log: verb=create, objectRef.resource=daemonsets, objectRef.namespace=default, objectRef.name=df00tech-persist-daemonset, responseStatus.code=201. AzureDiagnostics Category=kube-audit or AKSAuditAdmin table: DaemonSet creation event with requesting user and full object spec.
References (12)
- https://attack.mitre.org/techniques/T1543/005/
- https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign
- https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
- https://gtfobins.github.io/gtfobins/docker/
- https://docs.docker.com/config/containers/start-containers-automatically/
- https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
- https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
- https://www.redhat.com/sysadmin/podman-run-pods-systemd-services
- https://falco.org/docs/rules/default-macros/
- https://learn.microsoft.com/en-us/azure/aks/monitor-aks
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.005/T1543.005.md
Unlock Pro Content
Get the full detection package for T1543.005 including response playbook, investigation guide, and atomic red team tests.