T1611 Escape to Host Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ContainerEscapeBinaries = dynamic(["nsenter", "unshare", "insmod", "modprobe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ (ContainerEscapeBinaries)
    or (FileName =~ "docker" and ProcessCommandLine has_any ("docker.sock", "/var/run/docker.sock") and ProcessCommandLine has "run")
    or (FileName in~ ("sh", "bash", "python", "python3", "perl") and ProcessCommandLine has_all ("/cgroup", "release_agent"))
    or (FileName =~ "keyctl" and ProcessCommandLine has_any ("session", "link", "show"))
    or (ProcessCommandLine has_all ("mount", "/proc/1/root"))
    or (ProcessCommandLine has_all ("nsenter", "-t 1"))
    or (FileName =~ "chroot" and ProcessCommandLine has "/host")
| extend EscapeType = case(
    ProcessCommandLine has_all ("nsenter", "-t 1"), "Namespace Entry - PID 1 Targeting",
    FileName =~ "nsenter", "Namespace Entry (nsenter)",
    FileName =~ "unshare" and ProcessCommandLine has_any ("--mount", "--pid", "--net", "--user"), "Namespace Unshare",
    FileName =~ "keyctl" and ProcessCommandLine has_any ("session", "link"), "Keychain Secret Theft",
    FileName =~ "docker" and ProcessCommandLine has "docker.sock", "Docker Socket Abuse",
    ProcessCommandLine has_all ("/cgroup", "release_agent"), "Cgroup Release Agent Escape",
    FileName in~ ("insmod", "modprobe"), "Kernel Module Load",
    ProcessCommandLine has_all ("mount", "/proc/1/root"), "Host Filesystem Mount via /proc",
    FileName =~ "chroot" and ProcessCommandLine has "/host", "Chroot Escape",
    "Container Escape Indicator"
)
| extend RiskScore = case(
    EscapeType =~ "Cgroup Release Agent Escape", 95,
    EscapeType =~ "Namespace Entry - PID 1 Targeting", 90,
    EscapeType =~ "Host Filesystem Mount via /proc", 90,
    EscapeType =~ "Docker Socket Abuse", 85,
    EscapeType =~ "Namespace Entry (nsenter)", 80,
    EscapeType =~ "Kernel Module Load", 80,
    EscapeType =~ "Keychain Secret Theft", 75,
    EscapeType =~ "Namespace Unshare", 70,
    65
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, EscapeType, RiskScore,
    ProcessId, InitiatingProcessId, SHA256
| order by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval proc=lower(mvindex(split(Image, "/"), -1)), cmd=lower(CommandLine)
| eval is_escape=case(
    match(proc, "^nsenter$"), 1,
    match(proc, "^unshare$") AND match(cmd, "(--mount|--pid|--net|--user)"), 1,
    match(proc, "^(insmod|modprobe)$"), 1,
    match(proc, "^keyctl$") AND match(cmd, "(session|link|show)"), 1,
    match(proc, "^docker$") AND match(cmd, "docker\.sock") AND match(cmd, "run"), 1,
    match(cmd, "/cgroup") AND match(cmd, "release_agent"), 1,
    match(cmd, "/proc/1/root") AND match(cmd, "mount"), 1,
    match(cmd, "nsenter") AND match(cmd, "-t 1"), 1,
    1=1, 0
  )
| where is_escape=1
| eval escape_type=case(
    match(cmd, "nsenter") AND match(cmd, "-t 1"), "Namespace Entry - PID 1 Targeting",
    match(proc, "^nsenter$"), "Namespace Entry",
    match(proc, "^unshare$"), "Namespace Unshare",
    match(proc, "^(insmod|modprobe)$"), "Kernel Module Load",
    match(proc, "^keyctl$"), "Keychain Secret Theft",
    match(proc, "^docker$") AND match(cmd, "docker\.sock"), "Docker Socket Abuse",
    match(cmd, "release_agent"), "Cgroup Release Agent Escape",
    match(cmd, "/proc/1/root"), "Host Filesystem via /proc",
    1=1, "Container Escape Indicator"
  )
| eval severity=case(
    match(escape_type, "(Cgroup Release Agent|Namespace Entry - PID 1|Host Filesystem)"), "critical",
    match(escape_type, "(Docker Socket|Kernel Module|Namespace Entry)"), "high",
    1=1, "medium"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, escape_type, severity, ProcessId, ProcessGuid
| sort -_time

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Container runtimes such as containerd-shim and cri-o using nsenter internally during container exec, pause, and health check lifecycle operations
Linux administrators performing namespace isolation testing with unshare on the host OS outside of container contexts
Legitimate kernel module loading by hardware drivers, security software (e.g., Falco eBPF probes), or OS updates using modprobe during non-boot hours

Elastic Security (EQL)

eql

process where process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") and (process.args : ("exec", "run", "create", "deploy", "--privileged", "--pid=host", "--net=host", "--cap-add", "SYS_ADMIN", "nsenter") or process.command_line : ("*--privileged*", "*--pid=host*", "*--cap-add=SYS_ADMIN*", "*nsenter*pid*1*"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Kubernetes Audit Logs

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Linux OS Kubernetes Audit

Required Tables

events

False Positives

Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization

Sumo Logic CSE

sql

_sourceCategory=endpoint/linux OR _sourceCategory=endpoint/kubernetes | json auto | where process_name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") | if(matches(command_line, "*--privileged*") or matches(command_line, "*nsenter*pid*1*"), "Critical", if(matches(command_line, "*--pid=host*") or matches(command_line, "*--cap-add=SYS_ADMIN*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, command_line, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Linux Endpoint Events Kubernetes Audit Logs

Required Tables

endpoint/linux endpoint/kubernetes

False Positives

Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization

Google Chronicle / SecOps

yaral

rule detect_container_abuse {
  meta:
    author = "Argus"
    description = "Detects suspicious container management and escape attempts"
    severity = "HIGH"
    technique = "T1609_T1611"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      $e.target.process.file.full_path = "/usr/bin/kubectl" or
      $e.target.process.file.full_path = "/usr/bin/nsenter" or
      re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
    )
    (
      re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
    )
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Kubernetes Audit Logs

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /docker|kubectl|crictl|podman|nsenter|runc/i
| case {
    CommandHistory = /--privileged|nsenter.*pid.*1/i | RiskLevel := "Critical";
    CommandHistory = /--pid=host|--cap-add=SYS_ADMIN|--net=host/i | RiskLevel := "High";
    CommandHistory = /exec|run.*-it/i | RiskLevel := "Medium";
    * | RiskLevel := "Low"
  }
| where RiskLevel in ("Critical", "High", "Medium")
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, RiskLevel])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization

Escape to Host

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Privilege Escalation

Popular Detections