Escape to Host
This detection identifies adversaries attempting to escape containerized or virtualized environments to gain access to the underlying host. Key indicators include execution of namespace manipulation utilities (nsenter, unshare), privileged container operations, Docker socket abuse from within containers, cgroup release_agent exploitation, kernel module loading via insmod/modprobe, and host filesystem access via /proc/1/root bind mounts. The detection targets techniques used by malware families such as Doki, Hildegard, and Siloscape, as well as threat groups like TeamTNT that exploit container misconfigurations or kernel vulnerabilities to break out of isolation boundaries and gain host-level code execution.
What is T1611 Escape to Host?
Escape to Host (T1611) maps to the Privilege Escalation tactic in MITRE ATT&CK: the adversary is trying to gain higher-level permissions.
This page provides production-ready detection logic for Escape to Host, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Privilege Escalation
- Technique
- T1611 Escape to Host
- Canonical reference
- https://attack.mitre.org/techniques/T1611/
let ContainerEscapeBinaries = dynamic(["nsenter", "unshare", "insmod", "modprobe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ (ContainerEscapeBinaries)
    or (FileName =~ "docker" and ProcessCommandLine has_any ("docker.sock", "/var/run/docker.sock") and ProcessCommandLine has "run")
    or (FileName in~ ("sh", "bash", "python", "python3", "perl") and ProcessCommandLine has_all ("/cgroup", "release_agent"))
    or (FileName =~ "keyctl" and ProcessCommandLine has_any ("session", "link", "show"))
    or (ProcessCommandLine has_all ("mount", "/proc/1/root"))
    or (ProcessCommandLine has_all ("nsenter", "-t 1"))
    or (FileName =~ "chroot" and ProcessCommandLine has "/host")
| extend EscapeType = case(
    ProcessCommandLine has_all ("nsenter", "-t 1"), "Namespace Entry - PID 1 Targeting",
    FileName =~ "nsenter", "Namespace Entry (nsenter)",
    FileName =~ "unshare" and ProcessCommandLine has_any ("--mount", "--pid", "--net", "--user"), "Namespace Unshare",
    FileName =~ "keyctl" and ProcessCommandLine has_any ("session", "link"), "Keychain Secret Theft",
    FileName =~ "docker" and ProcessCommandLine has "docker.sock", "Docker Socket Abuse",
    ProcessCommandLine has_all ("/cgroup", "release_agent"), "Cgroup Release Agent Escape",
    FileName in~ ("insmod", "modprobe"), "Kernel Module Load",
    ProcessCommandLine has_all ("mount", "/proc/1/root"), "Host Filesystem Mount via /proc",
    FileName =~ "chroot" and ProcessCommandLine has "/host", "Chroot Escape",
    "Container Escape Indicator"
)
| extend RiskScore = case(
    EscapeType =~ "Cgroup Release Agent Escape", 95,
    EscapeType =~ "Namespace Entry - PID 1 Targeting", 90,
    EscapeType =~ "Host Filesystem Mount via /proc", 90,
    EscapeType =~ "Docker Socket Abuse", 85,
    EscapeType =~ "Namespace Entry (nsenter)", 80,
    EscapeType =~ "Kernel Module Load", 80,
    EscapeType =~ "Keychain Secret Theft", 75,
    EscapeType =~ "Namespace Unshare", 70,
    65
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, EscapeType, RiskScore,
    ProcessId, InitiatingProcessId, SHA256
| order by RiskScore desc, TimeGenerated desc

Detects container escape attempts by monitoring for namespace manipulation utilities (nsenter targeting PID 1, unshare with namespace flags), cgroup release_agent abuse, Docker socket access from within containers to spawn new privileged containers, kernel module loading via insmod/modprobe, and host root filesystem access via /proc/1/root mounts. Risk scores prioritize the highest-confidence techniques.
Data Sources
- Microsoft Defender for Endpoint (process creation telemetry)
Required Tables
- DeviceProcessEvents
False Positives
- Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
- System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
- Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization
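To exercise the query's classification logic offline, the following Python port is added here as an example (it is written for this page, not the rule author's own query, and it does not talk to Defender). It mirrors the `where` clause, the EscapeType and RiskScore case() blocks, and adds a triage flag for the false-positive sources listed above. The benign parent-process lists, the sample rows and the `_has()` term-boundary helper (an approximation of KQL's term-based `has`) are all assumptions made for this example.

```python
"""Offline port of the T1611 KQL classification, run over constructed
DeviceProcessEvents-style rows. Added example, not the page's query."""
import re
from dataclasses import dataclass
from typing import Optional

ESCAPE_BINARIES = {"nsenter", "unshare", "insmod", "modprobe"}
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}

# Direct parents that legitimately run nsenter/unshare or load modules on the
# host (the False Positives section). Assumed lists; tune per environment.
# containerd-shim / runc are deliberately NOT here: they are the normal
# ancestry of processes running inside a container (see Test 1's signal).
BENIGN_NS_PARENTS = {"kubelet", "containerd", "crio", "dockerd"}
BENIGN_MODULE_PARENTS = {"systemd-udevd", "dpkg", "rpm", "kmod"}

# RiskScore table from the query's case() block; 65 is the default.
RISK = {
    "Cgroup Release Agent Escape": 95,
    "Namespace Entry - PID 1 Targeting": 90,
    "Host Filesystem Mount via /proc": 90,
    "Docker Socket Abuse": 85,
    "Namespace Entry (nsenter)": 80,
    "Kernel Module Load": 80,
    "Keychain Secret Theft": 75,
    "Namespace Unshare": 70,
}


@dataclass
class ProcessEvent:
    file_name: str   # FileName
    cmdline: str     # ProcessCommandLine
    parent: str      # InitiatingProcessFileName


def _has(text: str, term: str) -> bool:
    """Approximate KQL `has`: require a term boundary wherever the term's own
    edge character is alphanumeric (punctuation already splits terms)."""
    pat = re.escape(term)
    if term[0].isalnum():
        pat = r"(?<![A-Za-z0-9_])" + pat
    if term[-1].isalnum():
        pat = pat + r"(?![A-Za-z0-9_])"
    return re.search(pat, text, re.IGNORECASE) is not None


def _has_all(text: str, *terms: str) -> bool:
    return all(_has(text, t) for t in terms)


def _has_any(text: str, *terms: str) -> bool:
    return any(_has(text, t) for t in terms)


def matches(ev: ProcessEvent) -> bool:
    """The query's `where` clause."""
    f, c = ev.file_name.lower(), ev.cmdline
    return (f in ESCAPE_BINARIES
            or (f == "docker" and _has_any(c, "docker.sock", "/var/run/docker.sock") and _has(c, "run"))
            or (f in INTERPRETERS and _has_all(c, "/cgroup", "release_agent"))
            or (f == "keyctl" and _has_any(c, "session", "link", "show"))
            or _has_all(c, "mount", "/proc/1/root")
            or _has_all(c, "nsenter", "-t 1")
            or (f == "chroot" and _has(c, "/host")))


def escape_type(ev: ProcessEvent) -> str:
    """The EscapeType case(): first matching branch wins, in the query's order."""
    f, c = ev.file_name.lower(), ev.cmdline
    if _has_all(c, "nsenter", "-t 1"):
        return "Namespace Entry - PID 1 Targeting"
    if f == "nsenter":
        return "Namespace Entry (nsenter)"
    if f == "unshare" and _has_any(c, "--mount", "--pid", "--net", "--user"):
        return "Namespace Unshare"
    if f == "keyctl" and _has_any(c, "session", "link"):
        return "Keychain Secret Theft"
    if f == "docker" and _has(c, "docker.sock"):
        return "Docker Socket Abuse"
    if _has_all(c, "/cgroup", "release_agent"):
        return "Cgroup Release Agent Escape"
    if f in {"insmod", "modprobe"}:
        return "Kernel Module Load"
    if _has_all(c, "mount", "/proc/1/root"):
        return "Host Filesystem Mount via /proc"
    if f == "chroot" and _has(c, "/host"):
        return "Chroot Escape"
    return "Container Escape Indicator"


def classify(ev: ProcessEvent) -> Optional[dict]:
    """Return the projected row for a matching event, or None if it does not match."""
    if not matches(ev):
        return None
    et = escape_type(ev)
    f, parent = ev.file_name.lower(), ev.parent.lower()
    likely_fp = ((f in {"nsenter", "unshare"} and parent in BENIGN_NS_PARENTS)
                 or (f in {"insmod", "modprobe"} and parent in BENIGN_MODULE_PARENTS))
    return {"FileName": ev.file_name, "EscapeType": et,
            "RiskScore": RISK.get(et, 65), "LikelyFalsePositive": likely_fp}


# Constructed sample rows (not real telemetry); the first and third mirror the
# expected signals of Tests 1 and 3 in the Testing Methodology section.
SAMPLE_EVENTS = [
    ProcessEvent("nsenter", "nsenter -t 1 -m -u -i -n -p", "bash"),
    ProcessEvent("nsenter", "nsenter -t 4182 -n ip addr", "kubelet"),
    ProcessEvent("docker", "docker -H unix:///var/run/docker.sock run -v /:/hostroot -it alpine chroot /hostroot", "sh"),
    ProcessEvent("sh", 'sh -c "ls -l /sys/fs/cgroup/*/release_agent"', "bash"),
    ProcessEvent("modprobe", "modprobe nvidia", "systemd-udevd"),
    ProcessEvent("keyctl", "keyctl show", "bash"),
    ProcessEvent("curl", "curl https://example.invalid/health", "bash"),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Classify every row, drop non-matches, order by RiskScore desc like the query."""
    hits = [r for r in (classify(e) for e in events) if r is not None]
    return sorted(hits, key=lambda r: -r["RiskScore"])


if __name__ == "__main__":
    for r in run():
        print(f'{r["RiskScore"]:>3}  {r["EscapeType"]:<36} {r["FileName"]:<9} fp={r["LikelyFalsePositive"]}')
```

Two things the sample run makes visible that the query text alone does not: a parent of containerd-shim or runc is not treated as benign, because that is exactly the ancestry Test 1 expects for an in-container nsenter, so only a direct host-side orchestrator parent (kubelet, containerd) lowers confidence; and `keyctl show` is admitted by the `where` clause but labelled by none of the case() branches, so it lands on the default "Container Escape Indicator" at score 65, which is where a tuning pass on that rule would start.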
Sigma rule & cross-platform mapping
The detection logic for Escape to Host (T1611) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
    category: process_creation
    product: windows
References (5)
- https://attack.mitre.org/techniques/T1611/
- https://docs.docker.com/storage/bind-mounts/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://intezer.com/blog/cloud-security/doki-infecting-docker-servers-in-the-cloud/
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Container Escape via nsenter Targeting Host PID 1
  Expected signal: Sysmon EventCode=1: Image=nsenter, CommandLine contains '-t 1 -m -u -i -n -p'; parent process chain includes containerd-shim or runc; AccountName=root; SHA256 of nsenter binary logged
- Test 2: Container Escape via Cgroup v1 Release Agent
  Expected signal: Sysmon EventCode=1: Image=mount with cgroup filesystem type; Sysmon EventCode=11 (File Create): TargetFilename matches /sys/fs/cgroup/*/release_agent or /tmp/cgrp_escape/release_agent; auditd SYSCALL=mount and write to cgroup path
- Test 3: Container Escape via Docker Socket Bind Mount
  Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains 'docker.sock' and 'run -v /:/'; second process creation for chroot with /hostroot argument; DeviceNetworkEvents showing Unix socket connection to /var/run/docker.sock