Deploy Container
This detection identifies adversaries deploying containers with dangerous configurations to execute malicious payloads or escape defense controls. The detection monitors container runtime CLI invocations (docker, kubectl, podman, crictl) for high-risk flags such as --privileged, --net=host, --pid=host, and host filesystem volume mounts that are commonly abused by threat actors such as TeamTNT, Kinsing, and Doki to achieve container escape, cryptomining, and lateral movement. Risk scoring prioritizes privileged and host-mount combinations that enable direct node access in Kubernetes environments.
What is T1610 Deploy Container?
Deploy Container (T1610) maps to the Defense Evasion and Execution tactics in MITRE ATT&CK: the adversary is trying to avoid being detected, and to run malicious code, by deploying a container with a configuration of their choosing.
This page provides production-ready detection logic for Deploy Container, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Defense Evasion, Execution
- Technique
- T1610 Deploy Container
- Canonical reference
- https://attack.mitre.org/techniques/T1610/
```kql
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ("docker", "kubectl", "podman", "nerdctl", "crictl", "ctr")
| where ProcessCommandLine has_any ("run ", "create ", "apply ", "exec ")
| extend IsPrivileged = ProcessCommandLine has "--privileged"
| extend IsHostNet = ProcessCommandLine has "--net=host" or ProcessCommandLine has "--network=host"
| extend IsHostPid = ProcessCommandLine has "--pid=host"
| extend IsHostIpc = ProcessCommandLine has "--ipc=host"
| extend IsHostMount = ProcessCommandLine has_any ("-v /:/", "--volume /:/", "-v /proc", "--volume /proc", "-v /sys", "-v /dev", "--volume /dev")
| extend HasCapAdd = ProcessCommandLine has "--cap-add=SYS_ADMIN" or ProcessCommandLine has "--cap-add=ALL" or ProcessCommandLine has "--cap-add NET_ADMIN"
| extend NoSeccomp = ProcessCommandLine has "seccomp=unconfined" or ProcessCommandLine has "apparmor=unconfined"
| extend HasEnvSecret = ProcessCommandLine has_any ("-e AWS_", "-e KUBECONFIG", "-e TOKEN", "--env AWS_", "--env TOKEN")
// Weighted sum: privileged and host-mount carry the most weight because either
// alone gives the container a path to the node.
| extend RiskScore = (toint(IsPrivileged) * 40)
    + (toint(IsHostNet) * 20)
    + (toint(IsHostPid) * 25)
    + (toint(IsHostIpc) * 15)
    + (toint(IsHostMount) * 40)
    + (toint(HasCapAdd) * 20)
    + (toint(NoSeccomp) * 10)
    + (toint(HasEnvSecret) * 15)
| where RiskScore >= 20
// Image is the first non-flag token after run/create. Flags that take a separate
// value argument (-v, -e, --volume, --env, --name, --cap-add) are skipped together
// with that value, so a mount path such as "-v /:/host" is not mistaken for the image.
| extend ContainerImage = extract(@"(?:run|create)\s+(?:(?:-[ve]|--volume|--env|--name|--cap-add)\s+\S+\s+|--?[\w=:\-]+\s+)*([\w./:@-]+)", 1, ProcessCommandLine)
| extend SuspiciousFlags = strcat(
    iff(IsPrivileged, "[PRIVILEGED] ", ""),
    iff(IsHostNet, "[HOST_NET] ", ""),
    iff(IsHostPid, "[HOST_PID] ", ""),
    iff(IsHostMount, "[HOST_MOUNT] ", ""),
    iff(HasCapAdd, "[CAP_ADD] ", ""),
    iff(NoSeccomp, "[NO_SECCOMP] ", "")
    )
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    ContainerImage,
    SuspiciousFlags,
    RiskScore
| sort by RiskScore desc, TimeGenerated desc
```

Detects container deployment commands (docker, kubectl, podman) with high-risk flags associated with privilege escalation and container escape: --privileged, host namespace sharing (--net=host, --pid=host, --ipc=host), root filesystem volume mounts (-v /:/), dangerous capability additions (SYS_ADMIN, ALL), and disabled security profiles. A risk score is calculated to prioritize the most dangerous combinations. Triggers on both Docker and Kubernetes CLI invocations.
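To sanity-check the weights and threshold before deploying the query, the scoring logic can be replayed against sample process events. The Python below is an added example, not code from this page or from any vendor: it reproduces the indicator weights, the `RiskScore >= 20` threshold and the `SuspiciousFlags` labels, approximates KQL's case-insensitive term-based `has` with a lowercase substring test, and uses an image-extraction regex that skips flags which take a separate value argument (so a mount path is not taken for the image). The `DeviceProcessEvents`-shaped rows are constructed for the demonstration; the third one shows that `kubectl apply -f` carries none of the flags and therefore scores 0 at the process-creation layer.

```python
import re

# Runtimes and verbs the query filters on (FileName in~ ... / has_any ...).
RUNTIMES = {"docker", "kubectl", "podman", "nerdctl", "crictl", "ctr"}
VERBS = ("run ", "create ", "apply ", "exec ")
THRESHOLD = 20  # `where RiskScore >= 20`

# name -> (lowercase substrings to look for, weight, label for SuspiciousFlags or None)
INDICATORS = {
    "IsPrivileged": (("--privileged",), 40, "[PRIVILEGED]"),
    "IsHostNet":    (("--net=host", "--network=host"), 20, "[HOST_NET]"),
    "IsHostPid":    (("--pid=host",), 25, "[HOST_PID]"),
    "IsHostIpc":    (("--ipc=host",), 15, None),
    "IsHostMount":  (("-v /:/", "--volume /:/", "-v /proc", "--volume /proc",
                      "-v /sys", "-v /dev", "--volume /dev"), 40, "[HOST_MOUNT]"),
    "HasCapAdd":    (("--cap-add=sys_admin", "--cap-add=all", "--cap-add net_admin"), 20, "[CAP_ADD]"),
    "NoSeccomp":    (("seccomp=unconfined", "apparmor=unconfined"), 10, "[NO_SECCOMP]"),
    "HasEnvSecret": (("-e aws_", "-e kubeconfig", "-e token", "--env aws_", "--env token"), 15, None),
}

# First non-flag token after run/create. -v/-e/--volume/--env/--name/--cap-add take a
# separate value argument, which is skipped so "-v /:/host" does not yield "/:/host".
IMAGE_RE = re.compile(
    r"(?:run|create)\s+(?:(?:-[ve]|--volume|--env|--name|--cap-add)\s+\S+\s+|--?[\w=:\-]+\s+)*([\w./:@-]+)"
)


def evaluate(event: dict):
    """Return the enriched row the query would emit for one event, or None if filtered out."""
    if event["FileName"].lower() not in RUNTIMES:
        return None
    cmd = event["ProcessCommandLine"]
    lc = cmd.lower()  # KQL `has` is case-insensitive; substring match approximates term match
    if not any(v in lc for v in VERBS):
        return None
    hits = {name: any(p in lc for p in pats) for name, (pats, _, _) in INDICATORS.items()}
    score = sum(w for name, (_, w, _) in INDICATORS.items() if hits[name])
    if score < THRESHOLD:
        return None
    m = IMAGE_RE.search(cmd)
    flags = " ".join(lbl for name, (_, _, lbl) in INDICATORS.items() if lbl and hits[name])
    return {**event, "RiskScore": score, "ContainerImage": m.group(1) if m else "",
            "SuspiciousFlags": flags}


def run(events):
    """Score a batch and order it like `sort by RiskScore desc`."""
    rows = [r for r in (evaluate(e) for e in events) if r is not None]
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)


# Constructed rows shaped like DeviceProcessEvents: the first two mirror the page's
# Test 1 and Test 2 command lines, the third is Test 3, the fourth is a benign build job.
SAMPLE_EVENTS = [
    {"DeviceName": "node01", "FileName": "docker",
     "ProcessCommandLine": "docker run --privileged -v /:/host alpine"},
    {"DeviceName": "node01", "FileName": "docker",
     "ProcessCommandLine": "docker run --net=host --pid=host nginx:latest"},
    {"DeviceName": "node02", "FileName": "kubectl",
     "ProcessCommandLine": "kubectl apply -f /tmp/atomic-t1610-pod.yaml"},
    {"DeviceName": "build01", "FileName": "docker",
     "ProcessCommandLine": "docker run --rm -e CI=true alpine echo hi"},
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row["RiskScore"], row["SuspiciousFlags"], row["ProcessCommandLine"])
```

Running it prints the Test 1 row first (score 80, `[PRIVILEGED] [HOST_MOUNT]`, image `alpine`) and the Test 2 row second (score 45); the `kubectl apply` and the benign build invocation are filtered out, which is exactly why the Kubernetes case needs API-server audit telemetry rather than the CLI alone.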
Data Sources
- Microsoft Defender for Endpoint (process creation telemetry)
Required Tables
- DeviceProcessEvents
False Positives
- Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
- Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
- CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
- Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
- Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands
Sigma rule & cross-platform mapping
The detection logic for Deploy Container (T1610) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), and LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
References (6)
- https://attack.mitre.org/techniques/T1610/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- https://www.intezer.com/blog/research/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://docs.docker.com/engine/api/v1.41/#operation/ContainerCreate
- https://kubernetes.io/docs/concepts/workloads/
- https://github.com/inguardians/peirates
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Deploy Privileged Container with Host Filesystem Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains '--privileged' and '-v /:/host'. Follow-up EventCode=1 for 'docker exec' accessing /host/etc/passwd. Linux auditd EXECVE record for docker invocation.
- Test 2: Deploy Container with Host Network and PID Namespace
Expected signal: Sysmon EventCode=1: CommandLine contains '--net=host --pid=host'. DeviceNetworkEvents will show container traffic attributed to the host network interface rather than the docker0 bridge. Docker daemon log records container creation with HostConfig.NetworkMode=host.
- Test 3: Deploy Privileged Pod via kubectl with hostPath Mount
Expected signal: Sysmon EventCode=1: Image=kubectl, CommandLine='kubectl apply -f /tmp/atomic-t1610-pod.yaml'. Kubernetes API server audit log: CREATE verb on pods resource by current user with pod spec containing securityContext.privileged=true and hostPath volume. Second EventCode=1 for 'kubectl exec' access.
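Test 3 is the case the command-line query cannot score on its own: `kubectl apply -f` puts the risky settings in a manifest, not on the command line, so they are only visible in the API server audit log at Request or RequestResponse level, where the submitted pod spec is present as `requestObject`. The Python below is an added example, not code from this page or from Kubernetes: it walks an `audit.k8s.io/v1` pod CREATE event for the conditions the expected signal names (privileged security context, hostPath volumes) plus host namespaces and risky capability additions, and takes an allow-list of host paths so a log-collection DaemonSet mounting /var/log (one of the false positives listed above) does not fire. The audit events, pod names and user names are constructed for the demonstration.

```python
# Capabilities treated as risky, matching the CAP_ADD indicator in the KQL query.
RISKY_CAPS = {"SYS_ADMIN", "ALL", "NET_ADMIN"}


def inspect_pod_create(event: dict, allowed_host_paths=()):
    """Return a list of findings for a pod CREATE audit event, or None if the event
    is not a pod creation. allowed_host_paths suppresses known-benign mounts
    (for example /var/log for a log-collection DaemonSet) to tune false positives."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):  # pod-level host namespaces
        if spec.get(key):
            findings.append(key)
    for vol in spec.get("volumes", []):  # hostPath volumes outside the allow-list
        path = vol.get("hostPath", {}).get("path")
        if path is not None and path not in allowed_host_paths:
            findings.append(f"hostPath:{path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged:{c.get('name')}")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap in RISKY_CAPS:
                findings.append(f"capAdd:{cap}:{c.get('name')}")
    return findings


# Constructed audit events (audit.k8s.io/v1 shape, trimmed to the fields used here).
SAMPLE_AUDIT_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "t1610-test-pod"},
     "requestObject": {"spec": {
         "hostPID": True,
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "shell", "image": "alpine",
                         "securityContext": {"privileged": True},
                         "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:daemon-set-controller"},
     "objectRef": {"resource": "pods", "namespace": "logging", "name": "log-agent-abc12"},
     "requestObject": {"spec": {
         "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
         "containers": [{"name": "agent", "image": "fluentd"}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
     "objectRef": {"resource": "pods", "namespace": "default", "name": "t1610-test-pod"}},
]


def triage(events, allowed_host_paths=("/var/log",)):
    """Map pod name -> findings for every event that produced at least one finding."""
    out = {}
    for ev in events:
        f = inspect_pod_create(ev, allowed_host_paths)
        if f:
            out[ev["objectRef"]["name"]] = f
    return out


if __name__ == "__main__":
    for name, f in triage(SAMPLE_AUDIT_EVENTS).items():
        print(name, f)
```

With the default allow-list only the test pod is reported (`hostPID`, `hostPath:/`, `privileged:shell`); the same logic maps directly onto an admission controller or a SIEM rule over audit-log ingestion, where the pod spec is available and the CLI-layer query above is not.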