title: Escape to Host (T1611)
id: df00tech-t1611
status: experimental
description: "This detection identifies adversaries attempting to escape containerized or virtualized environments to gain access to the underlying host. Key indicators include execution of namespace manipulation utilities (nsenter targeting PID 1, unshare), privileged container operations, Docker socket (/var/run/docker.sock) abuse from within a container, cgroup release_agent abuse, kernel module loading via insmod/modprobe, and host filesystem access through /proc/1/root from a container that shares the host PID namespace. The detection targets techniques used by malware families such as Doki, Hildegard, and Siloscape, as well as threat groups like TeamTNT that exploit container misconfigurations or kernel vulnerabilities to break out of isolation boundaries and gain host-level code execution."
references:
  - https://attack.mitre.org/techniques/T1611/
  - https://df00tech.com/detections/T1611
author: df00tech
date: 2026/03/20
tags:
  - attack.privilege-escalation
  - attack.t1611
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The indicators in the description (nsenter, unshare, insmod/modprobe, docker.sock,
# release_agent, /proc/1/root) are Linux utilities and paths, so product is set to
# linux; Siloscape targets Windows Server containers and needs a separate Windows rule.
logsource:
  category: process_creation
  product: linux
detection:
  # Selection derived from the indicators in the description; the authoritative KQL/SPL query is on df00tech.
  selection_tools:
    Image|endswith: ['/nsenter', '/unshare', '/insmod', '/modprobe']
  selection_cmdline:
    CommandLine|contains: ['docker.sock', 'release_agent', '/proc/1/root']
  filter_runtime:
    ParentImage|endswith: ['/kubelet', '/containerd', '/containerd-shim-runc-v2', '/crio', '/conmon']
  condition: 1 of selection_* and not filter_runtime
falsepositives:
  - "Legitimate container orchestration runtimes (kubelet, containerd, cri-o) using nsenter internally for container exec and health check operations"
  - System administrators using nsenter or unshare on the host for namespace debugging or network troubleshooting tasks
  - Legitimate kernel driver installation by hardware vendors or OS package managers using insmod/modprobe during system initialization
level: high
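# Worked example (added here; not df00tech's query or the Sigma rule itself). It runs the
# indicator logic from the description over a handful of constructed process_creation
# events and applies the parent-process exclusions from the falsepositives section. The
# event field names (Image, CommandLine, ParentImage, User), the sample command lines, and
# the parent-process allow lists are assumptions chosen for illustration.

```python
"""Run the T1611 indicators over constructed process_creation events.

Added illustration of the detection logic above; not df00tech's KQL/SPL query.
"""
import re
import shlex

# Constructed sample events (not real logs). Field names follow the Sigma
# process_creation schema; paths and command lines are assumptions.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/nsenter", "CommandLine": "nsenter -t 1 -m -u -i -n -p -- bash",
     "ParentImage": "/bin/sh", "User": "root"},                      # breakout into PID 1
    {"Image": "/usr/bin/nsenter", "CommandLine": "nsenter -t 4211 -n ip addr",
     "ParentImage": "/usr/bin/kubelet", "User": "root"},             # kubelet probe (benign)
    {"Image": "/usr/bin/curl",
     "CommandLine": "curl --unix-socket /var/run/docker.sock http://localhost/containers/json",
     "ParentImage": "/bin/bash", "User": "root"},                    # Docker socket abuse
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'echo /tmp/x > /sys/fs/cgroup/rdma/w/release_agent'",
     "ParentImage": "/bin/bash", "User": "root"},                    # cgroup release_agent
    {"Image": "/sbin/insmod", "CommandLine": "insmod /tmp/rootkit.ko",
     "ParentImage": "/bin/bash", "User": "root"},                    # kernel module load
    {"Image": "/sbin/modprobe", "CommandLine": "modprobe nvidia",
     "ParentImage": "/usr/lib/systemd/systemd-modules-load", "User": "root"},  # boot (benign)
    {"Image": "/usr/bin/cat", "CommandLine": "cat /proc/1/root/etc/shadow",
     "ParentImage": "/bin/bash", "User": "root"},                    # host fs via /proc/1/root
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /home",
     "ParentImage": "/bin/bash", "User": "user"},                    # noise
]

# Orchestration runtimes that legitimately call nsenter (see falsepositives). Assumed list.
RUNTIME_PARENTS = ("kubelet", "containerd", "containerd-shim-runc-v2", "crio", "conmon", "dockerd")
# Module loaders that legitimately call insmod/modprobe during boot. Assumed list.
BOOT_PARENTS = ("systemd-modules-load", "kmod", "udevd", "systemd-udevd")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def nsenter_targets_init(cmdline):
    """True when nsenter is pointed at PID 1 (-t 1 / --target 1), the classic host breakout."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a hostile command line
        argv = cmdline.split()
    for i, arg in enumerate(argv):
        if arg in ("-t", "--target") and i + 1 < len(argv) and argv[i + 1] == "1":
            return True
        if arg in ("-t1", "--target=1"):
            return True
    return False


def classify(event):
    """Return the indicator name that fires for one event, or None if it is filtered or clean."""
    tool = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if tool == "nsenter":
        if parent in RUNTIME_PARENTS:
            return None             # runtime exec / health-check path
        return "nsenter_into_pid1" if nsenter_targets_init(cmd) else None
    if tool == "unshare":
        return "unshare_new_namespace"
    if "docker.sock" in cmd:
        return "docker_socket_access"
    if "release_agent" in cmd:
        return "cgroup_release_agent"
    if tool in ("insmod", "modprobe"):
        return None if parent in BOOT_PARENTS else "kernel_module_load"
    if re.search(r"/proc/1/root\b", cmd):
        return "proc_1_root_access"
    return None


def detect(events):
    """Return one hit per event that trips an indicator, in input order."""
    hits = []
    for event in events:
        indicator = classify(event)
        if indicator:
            hits.append({"indicator": indicator, "CommandLine": event["CommandLine"],
                         "ParentImage": event["ParentImage"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["indicator"]:24} parent={hit["ParentImage"]:40} {hit["CommandLine"]}')
```

Against the constructed events this fires on five of eight: the nsenter into PID 1, the Docker socket call, the release_agent write, the insmod from a shell, and the /proc/1/root read; the kubelet-spawned nsenter, the boot-time modprobe, and the ls are dropped by the same parent-process exclusions the falsepositives section describes.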
