title: Container CLI/API (T1059.013)
id: df00tech-t1059-013
status: experimental
description: "Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The Docker CLI manages containers via the dockerd daemon API. Kubernetes kubectl and the Kubernetes API server enable cluster management. Adversaries may leverage Docker CLI/API/SDK to pull images, run containers, execute commands inside containers, and scan for cloud credentials. TeamTNT has extensively targeted misconfigured Docker and Kubernetes environments, using container CLIs to deploy cryptominers, exfiltrate cloud credentials, and spread laterally across clusters."
references:
  - https://attack.mitre.org/techniques/T1059/013/
  - https://df00tech.com/detections/T1059.013
author: df00tech
date: 2026/04/16
tags:
  - attack.t1059.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder selection: it matches every process_creation event, so replace it before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - DevOps engineers and SREs using kubectl and docker for routine container management
  - CI/CD pipelines building and deploying container images
  - Container orchestration systems performing scheduled container operations
level: high
