Which SIEM platforms have a T1610 detection rule?

df00tech provides T1610 (Deploy Container) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Deploy Container (T1610)?

Detecting Deploy Container requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1610 detection?

The T1610 detection is rated high severity with medium confidence.

What are common false positives for T1610?

Common false positives for T1610 include: Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access; Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host; CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images.

T1610 IBM QRadar · QRadar

Detect Deploy Container in IBM QRadar

This detection identifies adversaries deploying containers with dangerous configurations to execute malicious payloads or escape defense controls. The detection monitors container runtime CLI invocations (docker, kubectl, podman, crictl) for high-risk flags such as --privileged, --net=host, --pid=host, and host filesystem volume mounts that are commonly abused by threat actors such as TeamTNT, Kinsing, and Doki to achieve container escape, cryptomining, and lateral movement. Risk scoring prioritizes privileged and host-mount combinations that enable direct node access in Kubernetes environments.

MITRE ATT&CK

Tactic: Defense Evasion Execution
Technique: T1610 Deploy Container
Canonical reference: https://attack.mitre.org/techniques/T1610/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

IBM QRadar AQL translation of the T1610 detection. Uses SQL-like syntax with risk scoring. Detects container deployment commands (docker, kubectl, podman) with high-risk flags associated with

Data Sources

Linux OSKubernetes Audit

Required Tables

events

False Positives & Tuning

Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands

Download portable Sigma rule (.yml)

Other platforms for T1610

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Deploy Privileged Container with Host Filesystem Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains '--privileged' and '-v /:/host'. Follow-up EventCode=1 for 'docker exec' accessing /host/etc/passwd. Linux auditd EXECVE record for docker invocation.
Test 2Deploy Container with Host Network and PID Namespace
Expected signal: Sysmon EventCode=1: CommandLine contains '--net=host --pid=host'. DeviceNetworkEvents will show container traffic attributed to host network interface rather than docker0 bridge. Docker daemon log records container creation with HostConfig.NetworkMode=host.
Test 3Deploy Privileged Pod via kubectl with hostPath Mount
Expected signal: Sysmon EventCode=1: Image=kubectl, CommandLine='kubectl apply -f /tmp/atomic-t1610-pod.yaml'. Kubernetes API server audit log: CREATE verb on pods resource by current user with pod spec containing securityContext.privileged=true and hostPath volume. Second EventCode=1 for 'kubectl exec' access.

Last updated: 2026-03-20 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1610 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1611Escape to Host T1496Resource Hijacking T1578.004Revert Cloud Instance T1564.012File/Path Exclusions T1053.005Scheduled Task T1552.007Container API T1190Exploit Public-Facing Application

Detect Deploy Container in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1610

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1610

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox