title: Container Service (T1543.005)
id: df00tech-t1543-005
status: experimental
description: "Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may achieve persistence or escalate their privileges on a host. Common abuse patterns include using 'docker run' or 'podman run' with the '--restart=always' directive to configure a container to persistently restart after daemon restarts or host reboots, using '--privileged', '--pid=host', or '--net=host' flags to break container isolation and gain access to the underlying host kernel, bind-mounting the root filesystem ('-v /:/') to read or modify host files, and leveraging Kubernetes DaemonSets to deploy malicious containers persistently across all current and future cluster nodes. Threat actor groups including TeamTNT have exploited exposed Docker APIs to deploy cryptomining and backdoor containers with restart=always policies. Privilege escalation via docker group membership is documented in GTFOBins and widely exploited in post-exploitation scenarios."
references:
  - https://attack.mitre.org/techniques/T1543/005/
  - https://df00tech.com/detections/T1543.005
author: df00tech
date: 2026/04/21
tags:
  - attack.t1543.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate infrastructure-as-code pipelines (Ansible, Terraform, Puppet) deploying containers with specific restart policies in staging and production environments"
  - "Platform engineering teams running privileged containers for system-level tooling such as monitoring exporters (node-exporter, Falco), network packet capture tools, or kernel debuggers"
  - "Container security tooling (Falco, Sysdig, Tetragon) that require --privileged or specific capabilities to instrument the kernel"
  - "Developers using 'docker exec' to debug running containers in development environments"
  - CI/CD systems running Docker-in-Docker (DinD) builds that require privileged containers or socket mounts
level: high