T1609 Container Administration Command Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ContainerExecPatterns = dynamic(["exec", "run", "attach"]);
let SuspiciousShells = dynamic(["sh", "bash", "ash", "zsh", "/bin/sh", "/bin/bash"]);
let PrivilegedFlags = dynamic(["--privileged", "--cap-add", "--security-opt label=disable", "--pid=host", "--net=host", "--ipc=host"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ ("docker", "kubectl", "crictl", "ctr", "nerdctl", "podman")
    or InitiatingProcessFileName in~ ("docker", "kubectl", "crictl", "ctr", "nerdctl", "podman")
| where ProcessCommandLine has_any (ContainerExecPatterns)
| extend IsInteractiveShell = ProcessCommandLine has "-it" or ProcessCommandLine has "--tty" or ProcessCommandLine has "-i "
| extend SpawnsShell = ProcessCommandLine has_any (SuspiciousShells)
| extend UsesPrivilegedFlag = ProcessCommandLine has_any (PrivilegedFlags)
| extend IsKubectlExec = FileName =~ "kubectl" and ProcessCommandLine has "exec"
| extend IsCurlKubelet = (FileName =~ "curl" or FileName =~ "wget") and 
    (ProcessCommandLine has ":10250" or ProcessCommandLine has "/exec" or ProcessCommandLine has "/run")
| extend RiskScore = toint(0)
    + iif(IsInteractiveShell, 30, 0)
    + iif(SpawnsShell, 25, 0)
    + iif(UsesPrivilegedFlag, 35, 0)
    + iif(IsKubectlExec, 20, 0)
    + iif(IsCurlKubelet, 40, 0)
    + iif(InitiatingProcessFileName in~ ("python", "python3", "ruby", "perl", "php", "node"), 30, 0)
| where RiskScore >= 25
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    IsInteractiveShell,
    SpawnsShell,
    UsesPrivilegedFlag,
    IsKubectlExec,
    IsCurlKubelet,
    RiskScore
| sort by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate DevOps engineers running 'kubectl exec' or 'docker exec' for container debugging and troubleshooting during business hours
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing docker run or kubectl exec as part of automated build, test, or deployment workflows
Container health check scripts or monitoring agents (Datadog, Dynatrace, Prometheus node exporter installers) that use crictl or docker exec to inspect running container state

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="linux_secure" OR sourcetype="syslog")
| eval cmd=coalesce(CommandLine, process, command)
| eval proc=coalesce(Image, process_name, comm)
| search (proc="*docker*" OR proc="*kubectl*" OR proc="*crictl*" OR proc="*podman*" OR proc="*nerdctl*" OR proc="*ctr*")
    AND (cmd="*exec*" OR cmd="*run*" OR cmd="*attach*")
| eval is_interactive_shell=if(match(cmd, "(-it|--tty|-i\s)"), 1, 0)
| eval spawns_shell=if(match(cmd, "(/bin/sh|/bin/bash|\bsh\b|\bbash\b|\bash\b|/bin/ash)"), 1, 0)
| eval privileged_flag=if(match(cmd, "(--privileged|--cap-add|--pid=host|--net=host|--ipc=host)"), 1, 0)
| eval is_kubectl_exec=if(match(proc, "kubectl") AND match(cmd, "exec"), 1, 0)
| eval parent=coalesce(ParentImage, parent_process, ppid)
| eval scripting_parent=if(match(parent, "(python|ruby|perl|php|node|nodejs)"), 1, 0)
| eval risk_score=(is_interactive_shell*30) + (spawns_shell*25) + (privileged_flag*35) + (is_kubectl_exec*20) + (scripting_parent*30)
| where risk_score >= 25
| eval host=coalesce(host, Computer, hostname)
| eval user=coalesce(User, user, src_user)
| table _time, host, user, proc, cmd, parent, is_interactive_shell, spawns_shell, privileged_flag, is_kubectl_exec, scripting_parent, risk_score
| sort - risk_score, _time

high severity medium confidence

Data Sources

Sysmon Linux Secure Logs Syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure syslog

False Positives

Authorized platform engineering teams using kubectl exec for live container debugging, log inspection, or configuration validation in development and staging clusters
Automated deployment orchestration tools running docker exec to perform post-start container initialization scripts or configuration injection
Container security scanning tools (Falco, Aqua, Sysdig) that use crictl exec or docker exec to perform runtime compliance checks and policy validation

Elastic Security (EQL)

eql

process where process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") and (process.args : ("exec", "run", "create", "deploy", "--privileged", "--pid=host", "--net=host", "--cap-add", "SYS_ADMIN", "nsenter") or process.command_line : ("*--privileged*", "*--pid=host*", "*--cap-add=SYS_ADMIN*", "*nsenter*pid*1*"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Kubernetes Audit Logs

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate DevOps engineers running 'kubectl exec' or 'docker exec' for container debugging and troubleshooting during business hours
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing docker run or kubectl exec as part of automated build, test, or deployment workflows
Container health check scripts or monitoring agents (Datadog, Dynatrace, Prometheus node exporter installers) that use crictl or docker exec to inspect running container state

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Linux OS Kubernetes Audit

Required Tables

events

False Positives

Legitimate DevOps engineers running 'kubectl exec' or 'docker exec' for container debugging and troubleshooting during business hours
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing docker run or kubectl exec as part of automated build, test, or deployment workflows
Container health check scripts or monitoring agents (Datadog, Dynatrace, Prometheus node exporter installers) that use crictl or docker exec to inspect running container state

Sumo Logic CSE

sql

_sourceCategory=endpoint/linux OR _sourceCategory=endpoint/kubernetes | json auto | where process_name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") | if(matches(command_line, "*--privileged*") or matches(command_line, "*nsenter*pid*1*"), "Critical", if(matches(command_line, "*--pid=host*") or matches(command_line, "*--cap-add=SYS_ADMIN*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, command_line, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Linux Endpoint Events Kubernetes Audit Logs

Required Tables

endpoint/linux endpoint/kubernetes

False Positives

Legitimate DevOps engineers running 'kubectl exec' or 'docker exec' for container debugging and troubleshooting during business hours
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing docker run or kubectl exec as part of automated build, test, or deployment workflows
Container health check scripts or monitoring agents (Datadog, Dynatrace, Prometheus node exporter installers) that use crictl or docker exec to inspect running container state

Google Chronicle / SecOps

yaral

rule detect_container_abuse {
  meta:
    author = "Argus"
    description = "Detects suspicious container management and escape attempts"
    severity = "HIGH"
    technique = "T1609_T1611"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      $e.target.process.file.full_path = "/usr/bin/kubectl" or
      $e.target.process.file.full_path = "/usr/bin/nsenter" or
      re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
    )
    (
      re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Kubernetes Audit Logs

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate DevOps engineers running 'kubectl exec' or 'docker exec' for container debugging and troubleshooting during business hours
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing docker run or kubectl exec as part of automated build, test, or deployment workflows
Container health check scripts or monitoring agents (Datadog, Dynatrace, Prometheus node exporter installers) that use crictl or docker exec to inspect running container state

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /docker|kubectl|crictl|podman|nsenter|runc/i
| case {
    CommandHistory = /--privileged|nsenter.*pid.*1/i | RiskLevel := "Critical";
    CommandHistory = /--pid=host|--cap-add=SYS_ADMIN|--net=host/i | RiskLevel := "High";
    CommandHistory = /exec|run.*-it/i | RiskLevel := "Medium";
    * | RiskLevel := "Low"
  }
| where RiskLevel in ("Critical", "High", "Medium")
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, RiskLevel])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate DevOps engineers running 'kubectl exec' or 'docker exec' for container debugging and troubleshooting during business hours
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) executing docker run or kubectl exec as part of automated build, test, or deployment workflows
Container health check scripts or monitoring agents (Datadog, Dynatrace, Prometheus node exporter installers) that use crictl or docker exec to inspect running container state

Container Administration Command

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections