
Detect Escape to Host in IBM QRadar

This detection identifies adversaries attempting to escape containerized or virtualized environments to gain access to the underlying host. Key indicators include execution of namespace manipulation utilities (nsenter, unshare), privileged container operations, Docker socket abuse from within containers, cgroup release_agent exploitation, kernel module loading via insmod/modprobe, and host filesystem access via /proc/1/root bind mounts. The detection targets techniques used by malware families such as Doki, Hildegard, and Siloscape, as well as threat groups like TeamTNT that exploit container misconfigurations or kernel vulnerabilities to break out of isolation boundaries and gain host-level code execution.

MITRE ATT&CK

Tactic: Privilege Escalation
Technique: T1611 Escape to Host
Canonical reference: https://attack.mitre.org/techniques/T1611/

QRadar Detection Query

IBM QRadar (QRadar) · severity: high · confidence: medium

```sql
SELECT
  username AS "Username",
  UTF8(payload) AS "CommandLine",
  sourceip AS "SourceIP",
  devicetime AS "EventTime",
  CASE
    WHEN UTF8(payload) ILIKE '%--privileged%'
      OR UTF8(payload) ILIKE '%nsenter%pid%1%' THEN 90
    WHEN UTF8(payload) ILIKE '%--pid=host%'
      OR UTF8(payload) ILIKE '%--cap-add=SYS_ADMIN%' THEN 80
    WHEN UTF8(payload) ILIKE '%docker exec%'
      OR UTF8(payload) ILIKE '%kubectl exec%' THEN 65
    ELSE 50
  END AS "RiskScore"
FROM events
WHERE eventid = 4688
  AND (UTF8(payload) ILIKE '%docker%'
    OR UTF8(payload) ILIKE '%kubectl%'
    OR UTF8(payload) ILIKE '%crictl%'
    OR UTF8(payload) ILIKE '%podman%'
    OR UTF8(payload) ILIKE '%nsenter%')
ORDER BY "RiskScore" DESC
LAST 24 HOURS
```

The payload function is written unquoted (a double-quoted `"UTF8(payload)"` is read by AQL as a literal field name, not a function call), and the `CommandLine` alias is expanded to its expression in the CASE and WHERE clauses, since AQL does not resolve SELECT aliases there.

IBM QRadar AQL translation of the T1611 detection. Uses SQL-like syntax with risk scoring. Detects container escape attempts by monitoring for namespace manipulation utilities (nsenter target

Data Sources

Linux OS, Kubernetes Audit

Required Tables

events

False Positives & Tuning

  • Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
  • System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
  • Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Container Escape via nsenter Targeting Host PID 1

    Expected signal: Sysmon EventCode=1: Image=nsenter, CommandLine contains '-t 1 -m -u -i -n -p'; parent process chain includes containerd-shim or runc; AccountName=root; SHA256 of nsenter binary logged

  2. Test 2: Container Escape via Cgroup v1 Release Agent

    Expected signal: Sysmon EventCode=1: Image=mount with cgroup filesystem type; Sysmon EventCode=11 (File Create): TargetFilename matches /sys/fs/cgroup/*/release_agent or /tmp/cgrp_escape/release_agent; auditd SYSCALL=mount and write to cgroup path

  3. Test 3: Container Escape via Docker Socket Bind Mount

    Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains 'docker.sock' and 'run -v /:/'; second process creation for chroot with /hostroot argument; DeviceNetworkEvents showing Unix socket connection to /var/run/docker.sock
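To check how the query's CASE tiers and WHERE filter treat the three test signals above and the kubelet nsenter case from the false-positive list, here is an added example that re-implements that scoring logic in Python and runs it over constructed process-creation events. It is not the vendor's code and does not talk to QRadar: the event field names, `SCOPE_TOKENS`, `RISK_TIERS` and every command line are assumptions, and AQL `ILIKE` is emulated as a case-insensitive match in which `%` stands for any run of characters.

```python
"""Offline re-implementation of the QRadar AQL risk tiers for T1611.

Added example, not the detection vendor's code.  Event field names and all
command lines are constructed; AQL ILIKE is emulated with a regex in which
'%' becomes '.*' and the comparison ignores case.
"""
import re

# WHERE-clause keyword filter: an event must contain one of these tokens.
SCOPE_TOKENS = ("docker", "kubectl", "crictl", "podman", "nsenter")

# CASE-expression tiers, evaluated top to bottom: (score, ILIKE patterns).
RISK_TIERS = (
    (90, ("%--privileged%", "%nsenter%pid%1%")),
    (80, ("%--pid=host%", "%--cap-add=SYS_ADMIN%")),
    (65, ("%docker exec%", "%kubectl exec%")),
)
BASELINE_SCORE = 50  # the ELSE branch


def ilike(value: str, pattern: str) -> bool:
    """Emulate AQL ILIKE: '%' matches any run of characters, case is ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def in_scope(cmdline: str) -> bool:
    """True when the WHERE clause's keyword filter keeps the event."""
    return any(ilike(cmdline, f"%{tok}%") for tok in SCOPE_TOKENS)


def risk_score(cmdline: str) -> int:
    """Return the score of the first CASE tier whose pattern matches."""
    for score, patterns in RISK_TIERS:
        if any(ilike(cmdline, p) for p in patterns):
            return score
    return BASELINE_SCORE


def score_events(events):
    """(username, cmdline, score) for in-scope events, highest score first."""
    hits = [(e["username"], e["cmdline"], risk_score(e["cmdline"]))
            for e in events if in_scope(e["cmdline"])]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def out_of_scope(events):
    """Command lines the keyword filter drops before any scoring happens."""
    return [e["cmdline"] for e in events if not in_scope(e["cmdline"])]


# Constructed events: two common privileged container launches, one
# kubectl exec, the command lines implied by the three Atomic test signals
# above, and the container runtime's own nsenter exec from the tuning list.
SAMPLE_EVENTS = [
    {"username": "root", "cmdline": "docker run --privileged -it ubuntu bash"},
    {"username": "root", "cmdline": "docker run --pid=host nginx"},
    {"username": "dev",  "cmdline": "kubectl exec -it web-0 -- /bin/sh"},
    {"username": "root", "cmdline": "nsenter -t 1 -m -u -i -n -p"},  # Test 1 signal
    {"username": "root", "cmdline": "docker -H unix:///var/run/docker.sock run -v /:/hostroot -it alpine chroot /hostroot"},  # Test 3 signal
    {"username": "root", "cmdline": "mount -t cgroup -o rdma cgroup /tmp/cgrp"},  # Test 2 signal
    {"username": "root", "cmdline": "nsenter --target 4131 --mount --uts --ipc --net --pid -- /bin/sh -c true"},  # runtime exec (false positive)
]

if __name__ == "__main__":
    for user, cmd, score in score_events(SAMPLE_EVENTS):
        print(f"{score:3d}  {user:<5} {cmd}")
    print("dropped by WHERE clause:", out_of_scope(SAMPLE_EVENTS))
```

Running it shows where the tiers need attention during tuning: the Test 1 signal (`nsenter -t 1 -m -u -i -n -p`) only reaches the baseline 50 because `'%nsenter%pid%1%'` requires the literal string `pid`, which the short flags never produce; the Test 3 bind mount also scores 50 because no tier names `docker.sock` or `-v /:/`; and the Test 2 cgroup `mount` never enters the result set at all, since the WHERE clause keys only on the five tool names. The runtime's own `nsenter` exec lands at 50 alongside Test 1, which is the row the first false-positive bullet is about.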
