Detect Escape to Host in Splunk
This detection identifies adversaries attempting to escape containerized or virtualized environments to gain access to the underlying host. Key indicators include execution of namespace manipulation utilities (nsenter, unshare), privileged container operations, Docker socket abuse from within containers, cgroup release_agent exploitation, kernel module loading via insmod/modprobe, and host filesystem access via /proc/1/root bind mounts. The detection targets techniques used by malware families such as Doki, Hildegard, and Siloscape, as well as threat groups like TeamTNT that exploit container misconfigurations or kernel vulnerabilities to break out of isolation boundaries and gain host-level code execution.
MITRE ATT&CK
- Tactic: Privilege Escalation
- Technique: T1611 Escape to Host
- Canonical reference: https://attack.mitre.org/techniques/T1611/
SPL Detection Query
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval proc=lower(mvindex(split(Image, "/"), -1)), cmd=lower(CommandLine)
| eval is_escape=case(
match(proc, "^nsenter$"), 1,
match(proc, "^unshare$") AND match(cmd, "(--mount|--pid|--net|--user)"), 1,
match(proc, "^(insmod|modprobe)$"), 1,
match(proc, "^keyctl$") AND match(cmd, "(session|link|show)"), 1,
match(proc, "^docker$") AND match(cmd, "docker\.sock") AND match(cmd, "run"), 1,
match(cmd, "/cgroup") AND match(cmd, "release_agent"), 1,
match(cmd, "/proc/1/root") AND match(cmd, "mount"), 1,
match(cmd, "nsenter") AND match(cmd, "-t 1"), 1,
1=1, 0
)
| where is_escape=1
| eval escape_type=case(
match(cmd, "nsenter") AND match(cmd, "-t 1"), "Namespace Entry - PID 1 Targeting",
match(proc, "^nsenter$"), "Namespace Entry",
match(proc, "^unshare$"), "Namespace Unshare",
match(proc, "^(insmod|modprobe)$"), "Kernel Module Load",
match(proc, "^keyctl$"), "Keychain Secret Theft",
match(proc, "^docker$") AND match(cmd, "docker\.sock"), "Docker Socket Abuse",
match(cmd, "release_agent"), "Cgroup Release Agent Escape",
match(cmd, "/proc/1/root"), "Host Filesystem via /proc",
1=1, "Container Escape Indicator"
)
| eval severity=case(
match(escape_type, "(Cgroup Release Agent|Namespace Entry - PID 1|Host Filesystem)"), "critical",
match(escape_type, "(Docker Socket|Kernel Module|Namespace Entry)"), "high",
1=1, "medium"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, escape_type, severity, ProcessId, ProcessGuid
| sort -_time

Detects container escape techniques via Sysmon process creation events (EventCode 1). Identifies nsenter targeting PID 1, unshare namespace manipulation, insmod/modprobe kernel module loading, Docker socket abuse for privileged container spawning, cgroup release_agent exploitation, and host root filesystem access via /proc/1/root. Severity is classified by technique confidence level.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Container runtimes such as containerd-shim and cri-o using nsenter internally during container exec, pause, and health check lifecycle operations
- Linux administrators performing namespace isolation testing with unshare on the host OS outside of container contexts
- Legitimate kernel module loading by hardware drivers, security software (e.g., Falco eBPF probes), or OS updates using modprobe during non-boot hours
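The SPL query above encodes its classification in two nested case() expressions, and the tuning list describes which parent processes are expected lifecycle noise. The following Python is an added example, not part of this page's detection package or any vendor's code: it re-implements the same escape_type and severity logic over Sysmon EventCode 1 style fields (Image, CommandLine, ParentImage, User) so the rule and its tuning can be exercised offline against constructed events. Assumptions are marked in the code: the RUNTIME_PARENTS allowlist is built from the tuning notes (containerd-shim, cri-o, runc) and should be replaced with your own baseline; the "-t 1" check is written as a whole-token regex, which is tighter than the SPL's substring match; and the sample events are fabricated, not real telemetry.

```python
"""Classify Sysmon process-creation events for T1611 container-escape indicators.

Added example: a Python re-implementation of the page's SPL case() logic so the
classification and the false-positive tuning can be unit-tested offline.
Field names mirror Sysmon EventCode 1 fields (Image, CommandLine, ParentImage, User).
"""
import re

# Parent processes that invoke nsenter as part of normal container lifecycle work
# (exec, pause, health checks). Assumed list derived from the page's tuning notes;
# replace it with the runtime binaries observed in your own environment.
RUNTIME_PARENTS = {"containerd-shim", "containerd-shim-runc-v2", "runc", "crio", "conmon"}

# Tighter than the SPL's match(cmd, "-t 1"): requires "-t 1" as a whole token so
# "-t 18342" (entering an ordinary container PID) is not treated as PID 1.
PID1_TARGET = re.compile(r"(?:^|\s)-t\s+1(?:\s|$)")


def _basename(path):
    return path.rsplit("/", 1)[-1].lower()


# Ordered like the SPL escape_type case(): the first matching rule wins.
# Each tuple: (predicate(proc, cmd), escape_type, severity from the SPL severity case()).
RULES = [
    (lambda p, c: "nsenter" in c and PID1_TARGET.search(c) is not None,
     "Namespace Entry - PID 1 Targeting", "critical"),
    (lambda p, c: p == "nsenter", "Namespace Entry", "high"),
    (lambda p, c: p == "unshare" and re.search(r"--(mount|pid|net|user)", c) is not None,
     "Namespace Unshare", "medium"),
    (lambda p, c: p in ("insmod", "modprobe"), "Kernel Module Load", "high"),
    (lambda p, c: p == "keyctl" and re.search(r"session|link|show", c) is not None,
     "Keychain Secret Theft", "medium"),
    (lambda p, c: p == "docker" and "docker.sock" in c and "run" in c,
     "Docker Socket Abuse", "high"),
    (lambda p, c: "/cgroup" in c and "release_agent" in c,
     "Cgroup Release Agent Escape", "critical"),
    (lambda p, c: "/proc/1/root" in c and "mount" in c,
     "Host Filesystem via /proc", "critical"),
]


def classify(event):
    """Return (escape_type, severity) for one event, or None if no rule matches."""
    proc = _basename(event["Image"])
    cmd = event["CommandLine"].lower()
    for predicate, escape_type, severity in RULES:
        if predicate(proc, cmd):
            return escape_type, severity
    return None


def is_runtime_noise(event, escape_type):
    """Tuning from the false-positive notes: plain nsenter spawned by the container
    runtime is lifecycle noise. PID 1 targeting is never suppressed, because the
    Atomic test for this technique also runs under containerd-shim/runc."""
    parent = _basename(event.get("ParentImage", ""))
    return escape_type == "Namespace Entry" and parent in RUNTIME_PARENTS


def detect(events):
    """Run the classifier over a batch and return alert rows (table-like dicts)."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        escape_type, severity = hit
        if is_runtime_noise(ev, escape_type):
            continue
        alerts.append({
            "host": ev.get("host"), "User": ev.get("User"),
            "Image": ev["Image"], "CommandLine": ev["CommandLine"],
            "ParentImage": ev.get("ParentImage"),
            "escape_type": escape_type, "severity": severity,
        })
    # Highest severity first: triage order rather than the SPL's time sort.
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])


# Constructed sample events (not real telemetry), shaped like Sysmon EventCode 1 fields.
SAMPLE_EVENTS = [
    {"host": "node-a", "User": "root", "Image": "/usr/bin/nsenter",
     "CommandLine": "nsenter -t 1 -m -u -i -n -p", "ParentImage": "/usr/bin/containerd-shim"},
    {"host": "node-a", "User": "root", "Image": "/usr/bin/nsenter",
     "CommandLine": "nsenter -t 18342 -n -m", "ParentImage": "/usr/bin/containerd-shim-runc-v2"},
    {"host": "node-b", "User": "root", "Image": "/usr/bin/nsenter",
     "CommandLine": "nsenter -t 18342 -m", "ParentImage": "/bin/bash"},
    {"host": "node-b", "User": "root", "Image": "/usr/bin/docker",
     "CommandLine": "docker -H unix:///var/run/docker.sock run -v /:/hostroot -it alpine",
     "ParentImage": "/bin/sh"},
    {"host": "node-c", "User": "root", "Image": "/usr/sbin/modprobe",
     "CommandLine": "modprobe i2c_dev", "ParentImage": "/usr/lib/systemd/systemd-udevd"},
    {"host": "node-c", "User": "app", "Image": "/usr/bin/ls",
     "CommandLine": "ls -la /app", "ParentImage": "/bin/sh"},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f'{row["severity"]:8} {row["escape_type"]:36} {row["CommandLine"]}')
```

Running the block prints four alerts: the PID 1 nsenter from containerd-shim stays critical, the non-PID-1 nsenter from containerd-shim-runc-v2 is suppressed as runtime noise, and the interactive nsenter, docker.sock run and modprobe rows surface as high. The modprobe row from systemd-udevd is exactly the driver-loading false positive the tuning list names; a parent-based allowlist for it can be added in the same way as RUNTIME_PARENTS once you have baselined which parents load modules on your hosts.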
Other platforms for T1611
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Container Escape via nsenter Targeting Host PID 1
Expected signal: Sysmon EventCode=1: Image=nsenter, CommandLine contains '-t 1 -m -u -i -n -p'; parent process chain includes containerd-shim or runc; AccountName=root; SHA256 of nsenter binary logged
- Test 2: Container Escape via Cgroup v1 Release Agent
Expected signal: Sysmon EventCode=1: Image=mount with cgroup filesystem type; Sysmon EventCode=11 (File Create): TargetFilename matches /sys/fs/cgroup/*/release_agent or /tmp/cgrp_escape/release_agent; auditd SYSCALL=mount and write to cgroup path
- Test 3: Container Escape via Docker Socket Bind Mount
Expected signal: Sysmon EventCode=1: Image=docker, CommandLine contains 'docker.sock' and 'run -v /:/'; second process creation for chroot with /hostroot argument; DeviceNetworkEvents showing Unix socket connection to /var/run/docker.sock
References (8)
- https://attack.mitre.org/techniques/T1611/
- https://docs.docker.com/storage/bind-mounts/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://intezer.com/blog/cloud-security/doki-infecting-docker-servers-in-the-cloud/
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- https://www.crowdstrike.com/blog/cve-2022-0492-linux-container-escape/
- https://github.com/IntezerLabs/peirates
- https://www.microsoft.com/security/blog/2021/07/19/windows-server-containers-are-open-and-here-is-why-that-is-okay/