Detect Deploy Container in Microsoft Sentinel
This detection identifies adversaries deploying containers with dangerous configurations to execute malicious payloads or escape defense controls. The detection monitors container runtime CLI invocations (docker, kubectl, podman, crictl) for high-risk flags such as --privileged, --net=host, --pid=host, and host filesystem volume mounts that are commonly abused by threat actors such as TeamTNT, Kinsing, and Doki to achieve container escape, cryptomining, and lateral movement. Risk scoring prioritizes privileged and host-mount combinations that enable direct node access in Kubernetes environments.
MITRE ATT&CK
- Tactic
- Defense Evasion Execution
- Technique
- T1610 Deploy Container
- Canonical reference
- https://attack.mitre.org/techniques/T1610/
KQL Detection Query
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ ("docker", "kubectl", "podman", "nerdctl", "crictl", "ctr")
| where ProcessCommandLine has_any ("run ", "create ", "apply ", "exec ")
| extend IsPrivileged = ProcessCommandLine has "--privileged"
| extend IsHostNet = ProcessCommandLine has "--net=host" or ProcessCommandLine has "--network=host"
| extend IsHostPid = ProcessCommandLine has "--pid=host"
| extend IsHostIpc = ProcessCommandLine has "--ipc=host"
| extend IsHostMount = ProcessCommandLine has_any ("-v /:/", "--volume /:/", "-v /proc", "--volume /proc", "-v /sys", "-v /dev", "--volume /dev")
| extend HasCapAdd = ProcessCommandLine has "--cap-add=SYS_ADMIN" or ProcessCommandLine has "--cap-add=ALL" or ProcessCommandLine has "--cap-add NET_ADMIN"
| extend NoSeccomp = ProcessCommandLine has "seccomp=unconfined" or ProcessCommandLine has "apparmor=unconfined"
| extend HasEnvSecret = ProcessCommandLine has_any ("-e AWS_", "-e KUBECONFIG", "-e TOKEN", "--env AWS_", "--env TOKEN")
| extend RiskScore = (toint(IsPrivileged) * 40)
+ (toint(IsHostNet) * 20)
+ (toint(IsHostPid) * 25)
+ (toint(IsHostIpc) * 15)
+ (toint(IsHostMount) * 40)
+ (toint(HasCapAdd) * 20)
+ (toint(NoSeccomp) * 10)
+ (toint(HasEnvSecret) * 15)
| where RiskScore >= 20
| extend ContainerImage = extract(@"(?:run|create)\s+(?:--?[\w=:\-]+\s+)*([\w./:@-]+)", 1, ProcessCommandLine)
| extend SuspiciousFlags = strcat(
iff(IsPrivileged, "[PRIVILEGED] ", ""),
iff(IsHostNet, "[HOST_NET] ", ""),
iff(IsHostPid, "[HOST_PID] ", ""),
iff(IsHostMount, "[HOST_MOUNT] ", ""),
iff(HasCapAdd, "[CAP_ADD] ", ""),
iff(NoSeccomp, "[NO_SECCOMP] ", "")
)
| project
TimeGenerated,
DeviceName,
AccountName,
AccountDomain,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
ContainerImage,
SuspiciousFlags,
RiskScore
| sort by RiskScore desc, TimeGenerated descDetects container deployment commands (docker, kubectl, podman) with high-risk flags associated with privilege escalation and container escape: --privileged, host namespace sharing (--net=host, --pid=host, --ipc=host), root filesystem volume mounts (-v /:/), dangerous capability additions (SYS_ADMIN, ALL), and disabled security profiles. A risk score is calculated to prioritize the most dangerous combinations. Triggers on both Docker and Kubernetes CLI invocations.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate container infrastructure teams running privileged containers for monitoring agents (e.g., Datadog, Falco, Sysdig) that require host-level access
- Kubernetes node-level tooling such as DaemonSets for log collection (Fluentd, Filebeat) that mount /var/log or /proc on the host
- CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) that use docker-in-docker (DinD) with --privileged to build container images
- Authorized security tooling like vulnerability scanners (Trivy, Anchore) that inspect host filesystems
- Container runtime health checks by orchestration platforms that invoke crictl or ctr with management subcommands
Other platforms for T1610
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Deploy Privileged Container with Host Filesystem Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains '--privileged' and '-v /:/host'. Follow-up EventCode=1 for 'docker exec' accessing /host/etc/passwd. Linux auditd EXECVE record for docker invocation.
- Test 2Deploy Container with Host Network and PID Namespace
Expected signal: Sysmon EventCode=1: CommandLine contains '--net=host --pid=host'. DeviceNetworkEvents will show container traffic attributed to host network interface rather than docker0 bridge. Docker daemon log records container creation with HostConfig.NetworkMode=host.
- Test 3Deploy Privileged Pod via kubectl with hostPath Mount
Expected signal: Sysmon EventCode=1: Image=kubectl, CommandLine='kubectl apply -f /tmp/atomic-t1610-pod.yaml'. Kubernetes API server audit log: CREATE verb on pods resource by current user with pod spec containing securityContext.privileged=true and hostPath volume. Second EventCode=1 for 'kubectl exec' access.
References (8)
- https://attack.mitre.org/techniques/T1610/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- https://www.intezer.com/blog/research/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://appSecco.com/kubernetes-namespace-breakout-2020
- https://docs.docker.com/engine/api/v1.41/#operation/ContainerCreate
- https://kubernetes.io/docs/concepts/workloads/
- https://github.com/inguardians/peirates
- https://sysdig.com/blog/detecting-mitre-attck-techniques-falco-t1610/
Unlock Pro Content
Get the full detection package for T1610 including response playbook, investigation guide, and atomic red team tests.