Detect Deploy Container in Splunk
This detection identifies adversaries deploying containers with dangerous configurations to execute malicious payloads or evade defenses. It monitors container runtime CLI invocations (docker, kubectl, podman, nerdctl, crictl, ctr) for high-risk flags such as --privileged, --net=host, --pid=host, and host filesystem volume mounts, which are commonly abused by threat actors such as TeamTNT, Kinsing, and Doki to achieve container escape, cryptomining, and lateral movement. Risk scoring prioritizes privileged and host-mount combinations that give direct node access in Kubernetes environments.
MITRE ATT&CK
- Tactic
- Defense Evasion, Execution
- Technique
- T1610 Deploy Container
- Canonical reference
- https://attack.mitre.org/techniques/T1610/
SPL Detection Query
index=* ((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="linux_auditd" type="EXECVE") OR (sourcetype="syslog" OR sourcetype="linux_secure"))
| eval cmd=coalesce(CommandLine, command, cmd)
| eval proc=coalesce(Image, process, comm)
| where match(proc, "(?i)(docker|kubectl|podman|nerdctl|crictl|ctr)(\.exe)?$")
| where match(cmd, "(?i)\s+(run|create|apply|exec)\s")
| eval is_privileged=if(match(cmd, "--privileged(?!=false)"), 1, 0)
| eval is_host_net=if(match(cmd, "--net(work)?[=\s]+host"), 1, 0)
| eval is_host_pid=if(match(cmd, "--pid[=\s]+host"), 1, 0)
| eval is_host_ipc=if(match(cmd, "--ipc[=\s]+host"), 1, 0)
| eval is_host_mount=if(match(cmd, "(-v|--volume)[=\s]+/([:/]|proc|sys|dev|etc|root|var/run/docker\.sock)") OR match(cmd, "--mount\s+\S*(source|src)=/(,|proc|sys|dev|etc|root|var/run/docker\.sock)"), 1, 0)
| eval has_cap_add=if(match(cmd, "(?i)--cap-add[=\s]+(SYS_ADMIN|ALL|NET_ADMIN|SYS_PTRACE|SYS_MODULE|DAC_READ_SEARCH)"), 1, 0)
| eval no_seccomp=if(match(cmd, "(seccomp|apparmor)[=:]unconfined"), 1, 0)
| eval has_env_secret=if(match(cmd, "(?i)(-e|--env)[=\s]+(AWS_|TOKEN|KUBECONFIG|SECRET)"), 1, 0)
| eval risk_score=(is_privileged*40)+(is_host_net*20)+(is_host_pid*25)+(is_host_ipc*15)+(is_host_mount*40)+(has_cap_add*20)+(no_seccomp*10)+(has_env_secret*15)
| where risk_score >= 20
| eval suspicious_flags=mvappend(
    if(is_privileged=1, "PRIVILEGED", null()),
    if(is_host_net=1, "HOST_NET", null()),
    if(is_host_pid=1, "HOST_PID", null()),
    if(is_host_ipc=1, "HOST_IPC", null()),
    if(is_host_mount=1, "HOST_MOUNT", null()),
    if(has_cap_add=1, "CAP_ADD", null()),
    if(no_seccomp=1, "NO_SECCOMP", null()),
    if(has_env_secret=1, "ENV_SECRET", null())
)
| eval suspicious_flags=mvjoin(suspicious_flags, ", ")
| rex field=cmd mode=sed "s/\s+/ /g"
| table _time, host, user, proc, cmd, suspicious_flags, risk_score
| sort - risk_score
Detects privileged and escape-capable container deployment commands via Sysmon process creation (EventCode=1) or Linux audit/syslog sources. Evaluates container CLI invocations for --privileged mode, host namespace sharing (network, PID, IPC), sensitive host filesystem mounts (including --mount type=bind and the Docker socket), dangerous Linux capabilities, disabled seccomp/AppArmor profiles, and secrets passed through environment flags. The flag regexes accept both the --flag=value and --flag value spellings that docker and podman allow, and the process match tolerates a .exe suffix so Windows Docker CLI invocations are not missed. Each flag carries a weight; the per-event risk score is the sum, and only events at or above 20 are returned, highest severity first. Note that a single low-weight flag (HOST_IPC, NO_SECCOMP, ENV_SECRET) does not cross the threshold on its own; lower the threshold if those should alert independently.
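As an added reference implementation, not part of the original detection page, the following Python mirrors the SPL scoring logic over constructed process-creation events so the regex edge cases (the --flag=value and --flag value spellings, --mount type=bind, a .exe process image, a relative bind mount that must not fire, a non-CLI process that must be skipped) can be checked offline before the query is deployed. The event dictionaries, hostnames and usernames are constructed sample data, not real telemetry.

```python
import re

# Flag patterns and weights mirroring the SPL evals. Both "--flag=value" and
# "--flag value" are matched because docker and podman accept either form.
FLAG_PATTERNS = {
    "PRIVILEGED": (re.compile(r"--privileged(?!=false)"), 40),
    "HOST_NET": (re.compile(r"--net(?:work)?[=\s]+host\b"), 20),
    "HOST_PID": (re.compile(r"--pid[=\s]+host\b"), 25),
    "HOST_IPC": (re.compile(r"--ipc[=\s]+host\b"), 15),
    "HOST_MOUNT": (re.compile(
        r"(?:-v|--volume)[=\s]+/(?:[:/]|proc|sys|dev|etc|root|var/run/docker\.sock)"
        r"|--mount\s+\S*(?:source|src)=/(?:,|proc|sys|dev|etc|root|var/run/docker\.sock)"), 40),
    "CAP_ADD": (re.compile(
        r"--cap-add[=\s]+(?:SYS_ADMIN|ALL|NET_ADMIN|SYS_PTRACE|SYS_MODULE|DAC_READ_SEARCH)", re.I), 20),
    "NO_SECCOMP": (re.compile(r"(?:seccomp|apparmor)[=:]unconfined"), 10),
    "ENV_SECRET": (re.compile(r"(?:-e|--env)[=\s]+(?:AWS_|TOKEN|KUBECONFIG|SECRET)", re.I), 15),
}

# Process image must end in a container CLI name (optionally .exe on Windows),
# and the command line must carry a deploy/exec verb.
CLI_RE = re.compile(r"(?i)(docker|kubectl|podman|nerdctl|crictl|ctr)(\.exe)?$")
VERB_RE = re.compile(r"(?i)\s+(run|create|apply|exec)\s")
THRESHOLD = 20


def score_command(proc, cmd):
    """Return (risk_score, [flag names]) for one process-creation event, or None
    when the event is not a container CLI invocation with a deploy/exec verb."""
    if not CLI_RE.search(proc) or not VERB_RE.search(cmd):
        return None
    cmd = re.sub(r"\s+", " ", cmd)  # same normalisation as the rex sed step
    flags, score = [], 0
    for name, (pattern, weight) in FLAG_PATTERNS.items():
        if pattern.search(cmd):
            flags.append(name)
            score += weight
    return score, flags


def detect(events):
    """Apply the threshold and return hits sorted by descending risk score."""
    hits = []
    for ev in events:
        result = score_command(ev["proc"], ev["cmd"])
        if result and result[0] >= THRESHOLD:
            hits.append({**ev, "risk_score": result[0],
                         "suspicious_flags": ", ".join(result[1])})
    return sorted(hits, key=lambda h: -h["risk_score"])


# Constructed sample events (hosts, users and commands are made up for the demo).
SAMPLE_EVENTS = [
    {"host": "node-01", "user": "deploy", "proc": "/usr/bin/docker",
     "cmd": "docker run -d --privileged -v /:/host alpine sh"},
    {"host": "node-01", "user": "deploy", "proc": "/usr/bin/docker",
     "cmd": "docker run --network host --pid host --cap-add SYS_ADMIN ubuntu"},
    {"host": "ci-01", "user": "runner", "proc": "/usr/bin/docker",
     "cmd": "docker run --mount type=bind,source=/,target=/host busybox"},
    {"host": "ops-01", "user": "alice",
     "proc": "C:\\Program Files\\Docker\\Docker\\resources\\bin\\docker.exe",
     "cmd": "docker.exe run --security-opt seccomp=unconfined nginx"},
    {"host": "ops-01", "user": "alice", "proc": "/usr/local/bin/kubectl",
     "cmd": "kubectl apply -f /tmp/pod.yaml"},          # flags live in the manifest: no score
    {"host": "dev-01", "user": "bob", "proc": "/usr/bin/docker",
     "cmd": "docker run -it -v ./src:/app node:20"},     # relative bind mount: no score
    {"host": "dev-01", "user": "bob", "proc": "/usr/bin/python3",
     "cmd": "python3 docker_tool.py run --privileged"},  # not a container CLI: skipped
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["risk_score"], hit["host"], hit["suspicious_flags"], "|", hit["cmd"])
```

Running the script over the constructed events yields three hits (80, 65 and 40); the seccomp-only event scores 10 and stays below the threshold, the kubectl apply and relative-mount events score 0, and the python3 process is filtered out before scoring.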
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational, EventCode=1 (process creation): supplies the Image and CommandLine fields the query coalesces. This is the Windows event log sourcetype, so it covers container CLIs launched on Windows hosts; Sysmon for Linux does not write to the Windows event log, and its sourcetype must be added to the base search if Linux coverage is expected from Sysmon rather than auditd.
- linux_auditd, type=EXECVE: the query expects the reconstructed command line in a field named command and the executable in process. Native EXECVE records carry the arguments split across a0, a1, ... fields, so join them into command (for example at index time or in a calculated field) before this search runs.
- syslog or linux_secure: shell or sudo command logging exposed to the query as cmd and comm.
False Positives & Tuning
- Infrastructure monitoring agents deployed as privileged DaemonSets (Datadog Agent, New Relic Infrastructure, Falco) that require host namespace access
- Container image build pipelines using Docker-in-Docker (DinD) in CI/CD environments where --privileged is a documented build requirement
- Kubernetes cluster operators using kubectl apply with YAML manifests that define privileged init containers for node bootstrapping
- Authorized penetration testing or red team exercises performing container escape validation in dedicated lab environments
- Storage and backup tools (Portworx, Longhorn, Velero) that require SYS_ADMIN capabilities to manage block devices and filesystem snapshots
Testing Methodology
Validate this detection against 3 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Deploy Privileged Container with Host Filesystem Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains '--privileged' and '-v /:/host' (scores PRIVILEGED + HOST_MOUNT = 80 under the query above). Follow-up EventCode=1 for 'docker exec' accessing /host/etc/passwd. Linux auditd EXECVE record for the docker invocation.
- Test 2: Deploy Container with Host Network and PID Namespace
Expected signal: Sysmon EventCode=1: CommandLine contains '--net=host --pid=host' (scores HOST_NET + HOST_PID = 45). Network connection telemetry (Sysmon EventCode=3) shows container traffic attributed to the host network interface rather than the docker0 bridge. The Docker daemon log records container creation with HostConfig.NetworkMode=host.
- Test 3: Deploy Privileged Pod via kubectl with hostPath Mount
Expected signal: Sysmon EventCode=1: Image=kubectl, CommandLine='kubectl apply -f /tmp/atomic-t1610-pod.yaml'. Kubernetes API server audit log: CREATE verb on the pods resource by the current user, with a pod spec containing securityContext.privileged=true and a hostPath volume. Second EventCode=1 for 'kubectl exec' access. Note that the SPL query scores command-line flags only, so this apply invocation does not cross the threshold by itself: the privileged and hostPath settings live in the manifest, not on the command line. Cover manifest-driven deployments from the API server audit log (audit policy level Request or RequestResponse, so that requestObject is recorded), or exercise the flag matching with 'kubectl run --privileged' instead.
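Because Test 3 is only visible in the Kubernetes API server audit log, the following added example (not code from the original page) shows how the same flag weights can be applied to an audit event's requestObject. The audit event is a constructed audit.k8s.io/v1 record trimmed to the fields the check reads; the pod name, namespace and username are made up. It also handles the case where the audit policy runs at Metadata level, in which case requestObject is absent and nothing can be scored.

```python
import json

# Constructed audit events (not real cluster output). Level RequestResponse
# includes requestObject; level Metadata does not.
PRIVILEGED_POD_EVENT = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
    "verb": "create", "user": {"username": "alice"},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "atomic-t1610"},
    "requestObject": {
        "apiVersion": "v1", "kind": "Pod",
        "spec": {
            "hostPID": True,
            "containers": [{"name": "shell", "image": "alpine",
                            "securityContext": {"privileged": True},
                            "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        },
    },
})
METADATA_ONLY_EVENT = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
    "verb": "create", "user": {"username": "alice"},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "atomic-t1610"},
})
BENIGN_POD_EVENT = json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
    "verb": "create", "user": {"username": "bob"},
    "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx"},
    "requestObject": {"apiVersion": "v1", "kind": "Pod",
                      "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
})

# Same weights as the SPL query; the pod spec carries the settings the CLI
# flags would otherwise expose.
WEIGHTS = {"PRIVILEGED": 40, "HOST_MOUNT": 40, "HOST_PID": 25,
           "HOST_NET": 20, "HOST_IPC": 15, "CAP_ADD": 20}
ESCAPE_CAPS = {"SYS_ADMIN", "ALL", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/dev", "/etc", "/root", "/var/run/docker.sock")


def _sensitive_path(path):
    norm = path.rstrip("/") or "/"
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def pod_spec_flags(spec):
    """Collect the escape-relevant settings from a pod spec."""
    flags = set()
    if spec.get("hostPID"):
        flags.add("HOST_PID")
    if spec.get("hostNetwork"):
        flags.add("HOST_NET")
    if spec.get("hostIPC"):
        flags.add("HOST_IPC")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            flags.add("PRIVILEGED")
        added = {cap.upper() for cap in (sc.get("capabilities") or {}).get("add", [])}
        if added & ESCAPE_CAPS:
            flags.add("CAP_ADD")
    for v in spec.get("volumes", []):
        path = (v.get("hostPath") or {}).get("path")
        if path and _sensitive_path(path):
            flags.add("HOST_MOUNT")
    return flags


def evaluate_audit_event(raw):
    """Score one API server audit event. Returns None for events that are not
    pod create/update requests or that carry no requestObject (Metadata level)."""
    ev = json.loads(raw)
    ref = ev.get("objectRef", {})
    if ev.get("verb") not in ("create", "update") or ref.get("resource") != "pods":
        return None
    req = ev.get("requestObject")
    if not req:
        return None
    flags = pod_spec_flags(req.get("spec", {}))
    return {"user": ev.get("user", {}).get("username"), "namespace": ref.get("namespace"),
            "pod": ref.get("name"), "risk_score": sum(WEIGHTS[f] for f in flags),
            "suspicious_flags": sorted(flags)}


if __name__ == "__main__":
    for raw in (PRIVILEGED_POD_EVENT, METADATA_ONLY_EVENT, BENIGN_POD_EVENT):
        print(evaluate_audit_event(raw))
```

The privileged pod scores 105 (PRIVILEGED, HOST_MOUNT, HOST_PID), the benign nginx pod scores 0, and the Metadata-level event returns None, which is the practical reason the audit policy must record request bodies for pods if this technique is to be detected on the Kubernetes side.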
References (8)
- https://attack.mitre.org/techniques/T1610/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- https://www.intezer.com/blog/research/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://appSecco.com/kubernetes-namespace-breakout-2020
- https://docs.docker.com/engine/api/v1.41/#operation/ContainerCreate
- https://kubernetes.io/docs/concepts/workloads/
- https://github.com/inguardians/peirates
- https://sysdig.com/blog/detecting-mitre-attck-techniques-falco-t1610/