T1610 Deploy Container Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ("docker", "kubectl", "podman", "nerdctl", "crictl", "ctr")
| where ProcessCommandLine has_any ("run ", "create ", "apply ", "exec ")
| extend IsPrivileged = ProcessCommandLine has "--privileged"
| extend IsHostNet = ProcessCommandLine has "--net=host" or ProcessCommandLine has "--network=host"
| extend IsHostPid = ProcessCommandLine has "--pid=host"
| extend IsHostIpc = ProcessCommandLine has "--ipc=host"
| extend IsHostMount = ProcessCommandLine has_any ("-v /:/", "--volume /:/", "-v /proc", "--volume /proc", "-v /sys", "-v /dev", "--volume /dev")
| extend HasCapAdd = ProcessCommandLine has "--cap-add=SYS_ADMIN" or ProcessCommandLine has "--cap-add=ALL" or ProcessCommandLine has "--cap-add NET_ADMIN"
| extend NoSeccomp = ProcessCommandLine has "seccomp=unconfined" or ProcessCommandLine has "apparmor=unconfined"
| extend HasEnvSecret = ProcessCommandLine has_any ("-e AWS_", "-e KUBECONFIG", "-e TOKEN", "--env AWS_", "--env TOKEN")
| extend RiskScore = (toint(IsPrivileged) * 40)
    + (toint(IsHostNet) * 20)
    + (toint(IsHostPid) * 25)
    + (toint(IsHostIpc) * 15)
    + (toint(IsHostMount) * 40)
    + (toint(HasCapAdd) * 20)
    + (toint(NoSeccomp) * 10)
    + (toint(HasEnvSecret) * 15)
| where RiskScore >= 20
| extend ContainerImage = extract(@"(?:run|create)\s+(?:--?[\w=:\-]+\s+)*([\w./:@-]+)", 1, ProcessCommandLine)
| extend SuspiciousFlags = strcat(
    iff(IsPrivileged, "[PRIVILEGED] ", ""),
    iff(IsHostNet, "[HOST_NET] ", ""),
    iff(IsHostPid, "[HOST_PID] ", ""),
    iff(IsHostMount, "[HOST_MOUNT] ", ""),
    iff(HasCapAdd, "[CAP_ADD] ", ""),
    iff(NoSeccomp, "[NO_SECCOMP] ", "")
  )
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    ContainerImage,
    SuspiciousFlags,
    RiskScore
| sort by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

Splunk

spl

index=* ((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="linux_auditd" type="EXECVE") OR (sourcetype="syslog" OR sourcetype="linux_secure"))
| eval cmd=coalesce(CommandLine, command, cmd)
| eval proc=coalesce(Image, process, comm)
| where match(proc, "(?i)(docker|kubectl|podman|nerdctl|crictl|ctr)$")
| where match(cmd, "(?i)\s+(run|create|apply|exec)\s")
| eval is_privileged=if(match(cmd, "--privileged"), 1, 0)
| eval is_host_net=if(match(cmd, "--net(work)?=host"), 1, 0)
| eval is_host_pid=if(match(cmd, "--pid=host"), 1, 0)
| eval is_host_ipc=if(match(cmd, "--ipc=host"), 1, 0)
| eval is_host_mount=if(match(cmd, "-v\s+/[:/]") OR match(cmd, "--volume\s+/[:/]") OR match(cmd, "-v\s+/proc") OR match(cmd, "-v\s+/dev"), 1, 0)
| eval has_cap_add=if(match(cmd, "--cap-add=(SYS_ADMIN|ALL|NET_ADMIN)"), 1, 0)
| eval no_seccomp=if(match(cmd, "seccomp=unconfined") OR match(cmd, "apparmor=unconfined"), 1, 0)
| eval has_env_secret=if(match(cmd, "-e\s+(AWS_|TOKEN|KUBECONFIG|SECRET)") OR match(cmd, "--env\s+(AWS_|TOKEN)"), 1, 0)
| eval risk_score=(is_privileged*40)+(is_host_net*20)+(is_host_pid*25)+(is_host_ipc*15)+(is_host_mount*40)+(has_cap_add*20)+(no_seccomp*10)+(has_env_secret*15)
| where risk_score >= 20
| eval suspicious_flags=mvappend(
    if(is_privileged=1, "PRIVILEGED", null()),
    if(is_host_net=1, "HOST_NET", null()),
    if(is_host_pid=1, "HOST_PID", null()),
    if(is_host_mount=1, "HOST_MOUNT", null()),
    if(has_cap_add=1, "CAP_ADD", null()),
    if(no_seccomp=1, "NO_SECCOMP", null())
  )
| eval suspicious_flags=mvjoin(suspicious_flags, ", ")
| rex field=cmd mode=sed "s/\s+/ /g"
| table _time, host, user, proc, cmd, suspicious_flags, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sysmon for Linux Linux Audit Linux Syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_auditd syslog

False Positives

Infrastructure monitoring agents deployed as privileged DaemonSets (Datadog Agent, New Relic Infrastructure, Falco) that require host namespace access
Container image build pipelines using Docker-in-Docker (DinD) in CI/CD environments where --privileged is a documented build requirement
Kubernetes cluster operators using kubectl apply with YAML manifests that define privileged init containers for node bootstrapping
Authorized penetration testing or red team exercises performing container escape validation in dedicated lab environments
Storage and backup tools (Portworx, Longhorn, Velero) that require SYS_ADMIN capabilities to manage block devices and filesystem snapshots

Elastic Security (EQL)

eql

process where process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") and (process.args : ("exec", "run", "create", "deploy", "--privileged", "--pid=host", "--net=host", "--cap-add", "SYS_ADMIN", "nsenter") or process.command_line : ("*--privileged*", "*--pid=host*", "*--cap-add=SYS_ADMIN*", "*nsenter*pid*1*"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Kubernetes Audit Logs

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Linux OS Kubernetes Audit

Required Tables

events

False Positives

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

Sumo Logic CSE

sql

_sourceCategory=endpoint/linux OR _sourceCategory=endpoint/kubernetes | json auto | where process_name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") | if(matches(command_line, "*--privileged*") or matches(command_line, "*nsenter*pid*1*"), "Critical", if(matches(command_line, "*--pid=host*") or matches(command_line, "*--cap-add=SYS_ADMIN*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, command_line, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Linux Endpoint Events Kubernetes Audit Logs

Required Tables

endpoint/linux endpoint/kubernetes

False Positives

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

Google Chronicle / SecOps

yaral

rule detect_container_abuse {
  meta:
    author = "Argus"
    description = "Detects suspicious container management and escape attempts"
    severity = "HIGH"
    technique = "T1609_T1611"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      $e.target.process.file.full_path = "/usr/bin/kubectl" or
      $e.target.process.file.full_path = "/usr/bin/nsenter" or
      re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
    )
    (
      re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Kubernetes Audit Logs

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /docker|kubectl|crictl|podman|nsenter|runc/i
| case {
    CommandHistory = /--privileged|nsenter.*pid.*1/i | RiskLevel := "Critical";
    CommandHistory = /--pid=host|--cap-add=SYS_ADMIN|--net=host/i | RiskLevel := "High";
    CommandHistory = /exec|run.*-it/i | RiskLevel := "Medium";
    * | RiskLevel := "Low"
  }
| where RiskLevel in ("Critical", "High", "Medium")
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, RiskLevel])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

Deploy Container

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections