Detect Escape to Host in Microsoft Sentinel
This detection identifies adversaries attempting to escape containerized or virtualized environments to gain access to the underlying host. Key indicators include execution of namespace manipulation utilities (nsenter, unshare), privileged container operations, Docker socket abuse from within containers, cgroup release_agent exploitation, kernel module loading via insmod/modprobe, and host filesystem access via /proc/1/root bind mounts. The detection targets techniques used by malware families such as Doki, Hildegard, and Siloscape, as well as threat groups like TeamTNT that exploit container misconfigurations or kernel vulnerabilities to break out of isolation boundaries and gain host-level code execution.
MITRE ATT&CK
- Tactic
- Privilege Escalation
- Technique
- T1611 Escape to Host
- Canonical reference
- https://attack.mitre.org/techniques/T1611/
KQL Detection Query
let ContainerEscapeBinaries = dynamic(["nsenter", "unshare", "insmod", "modprobe"]);
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName in~ (ContainerEscapeBinaries)
or (FileName =~ "docker" and ProcessCommandLine has_any ("docker.sock", "/var/run/docker.sock") and ProcessCommandLine has "run")
or (FileName in~ ("sh", "bash", "python", "python3", "perl") and ProcessCommandLine has_all ("/cgroup", "release_agent"))
or (FileName =~ "keyctl" and ProcessCommandLine has_any ("session", "link", "show"))
or (ProcessCommandLine has_all ("mount", "/proc/1/root"))
or (ProcessCommandLine has_all ("nsenter", "-t 1"))
or (FileName =~ "chroot" and ProcessCommandLine has "/host")
| extend EscapeType = case(
ProcessCommandLine has_all ("nsenter", "-t 1"), "Namespace Entry - PID 1 Targeting",
FileName =~ "nsenter", "Namespace Entry (nsenter)",
FileName =~ "unshare" and ProcessCommandLine has_any ("--mount", "--pid", "--net", "--user"), "Namespace Unshare",
FileName =~ "keyctl" and ProcessCommandLine has_any ("session", "link"), "Keychain Secret Theft",
FileName =~ "docker" and ProcessCommandLine has "docker.sock", "Docker Socket Abuse",
ProcessCommandLine has_all ("/cgroup", "release_agent"), "Cgroup Release Agent Escape",
FileName in~ ("insmod", "modprobe"), "Kernel Module Load",
ProcessCommandLine has_all ("mount", "/proc/1/root"), "Host Filesystem Mount via /proc",
FileName =~ "chroot" and ProcessCommandLine has "/host", "Chroot Escape",
"Container Escape Indicator"
)
| extend RiskScore = case(
EscapeType =~ "Cgroup Release Agent Escape", 95,
EscapeType =~ "Namespace Entry - PID 1 Targeting", 90,
EscapeType =~ "Host Filesystem Mount via /proc", 90,
EscapeType =~ "Docker Socket Abuse", 85,
EscapeType =~ "Namespace Entry (nsenter)", 80,
EscapeType =~ "Kernel Module Load", 80,
EscapeType =~ "Keychain Secret Theft", 75,
EscapeType =~ "Namespace Unshare", 70,
65
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, EscapeType, RiskScore,
ProcessId, InitiatingProcessId, SHA256
| order by RiskScore desc, TimeGenerated descDetects container escape attempts by monitoring for namespace manipulation utilities (nsenter targeting PID 1, unshare with namespace flags), cgroup release_agent abuse, Docker socket access from within containers to spawn new privileged containers, kernel module loading via insmod/modprobe, and host root filesystem access via /proc/1/root mounts. Risk scores prioritize highest-confidence techniques.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations
- System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
- Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization
Other platforms for T1611
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Container Escape via nsenter Targeting Host PID 1
Expected signal: Sysmon EventCode=1: Image=nsenter, CommandLine contains '-t 1 -m -u -i -n -p'; parent process chain includes containerd-shim or runc; AccountName=root; SHA256 of nsenter binary logged
- Test 2Container Escape via Cgroup v1 Release Agent
Expected signal: Sysmon EventCode=1: Image=mount with cgroup filesystem type; Sysmon EventCode=11 (File Create): TargetFilename matches /sys/fs/cgroup/*/release_agent or /tmp/cgrp_escape/release_agent; auditd SYSCALL=mount and write to cgroup path
- Test 3Container Escape via Docker Socket Bind Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains 'docker.sock' and 'run -v /:/'; second process creation for chroot with /hostroot argument; DeviceNetworkEvents showing Unix socket connection to /var/run/docker.sock
References (8)
- https://attack.mitre.org/techniques/T1611/
- https://docs.docker.com/storage/bind-mounts/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://intezer.com/blog/cloud-security/doki-infecting-docker-servers-in-the-cloud/
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- https://www.crowdstrike.com/blog/cve-2022-0492-linux-container-escape/
- https://github.com/IntezerLabs/peirates
- https://www.microsoft.com/security/blog/2021/07/19/windows-server-containers-are-open-and-here-is-why-that-is-okay/
Unlock Pro Content
Get the full detection package for T1611 including response playbook, investigation guide, and atomic red team tests.