EXPLORE
Sign In
← Back to Explore
elasticmediumTTP

Suspicious Container Runtime CLI Execution

Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting. These tools interact directly with the container runtime socket, bypassing the Kubernetes API server, RBAC authorization, admission webhooks, pod security standards, and Kubernetes audit logging entirely. Attackers with host-level access may use these tools to create privileged ghost containers, exec into other pods to steal service account tokens and secrets, pull attacker-controlled images, and destroy evidence, all while remaining invisible to Kubernetes-level monitoring.

MITRE ATT&CK

T1609T1611
executionprivilege-escalation

Detection Query

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(
  (
    process.name in ("ctr", "crictl", "nerdctl") and
    (
      (process.args == "tasks" and process.args == "exec") or
      (process.args == "run" and process.args in ("--privileged", "--rm", "--mount", "--net-host", "--pid-host")) or
      (process.args == "snapshots" and process.args == "mount")
    )
  ) or
  (
    (process.executable like ("/dev/shm/*", "/tmp/*", "/var/tmp/*") or process.name : ".*") and
    process.args like ("*containerd.sock*", "*k8s.io*")
  )
) and
not process.parent.executable in (
  "/usr/bin/kubelet", "/usr/local/bin/kubelet",
  "/usr/bin/containerd", "/usr/sbin/containerd",
  "/lib/systemd/systemd", "/usr/lib/systemd/systemd", "/sbin/init"
)

Author

Elastic

Created

2026/05/01

Data Sources

Elastic Defend for Containerslogs-cloud_defend.process*

References

Tags

Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: ExecutionResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/05/01"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/05/01"

[rule]
author = ["Elastic"]
description = """
Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation,
command execution inside existing containers, image manipulation, or host filesystem mounting. These tools interact
directly with the container runtime socket, bypassing the Kubernetes API server, RBAC authorization, admission webhooks,
pod security standards, and Kubernetes audit logging entirely. Attackers with host-level access may use these tools to
create privileged ghost containers, exec into other pods to steal service account tokens and secrets, pull
attacker-controlled images, and destroy evidence, all while remaining invisible to Kubernetes-level monitoring.
"""
false_positives = [
    """
    Platform automation, node bootstrap, and legitimate break-glass admin sessions may use these CLIs with overlapping
    arguments. Tune by parent process, user, or host role (worker vs bastion).
    """,
]
from = "now-6m"
index = ["logs-cloud_defend.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Container Runtime CLI Execution"
note = """## Triage and analysis

### Investigating Suspicious Container Runtime CLI Execution

Review the full argv list and working directory. Confirm whether the session is interactive, whether the image or bundle
referenced is trusted, and whether bind mounts or privileged flags target host paths such as `/`, `/etc`, or Docker
sockets.

### Possible investigation steps

- Reconstruct the container ID or snapshot key passed to `tasks`, `snapshots`, or `content` subcommands.
- Correlate with file, network, and Kubernetes audit activity for pulls from unusual registries or subsequent pod
  changes.
- Check whether the parent should legitimately be kubelet, containerd, or systemd on that host class.

### Response and remediation

- If unauthorized, isolate the node, revoke credentials available to the session, and hunt for new privileged
  workloads or image imports.
"""
references = [
    "https://attack.mitre.org/techniques/T1609/",
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation",
]
risk_score = 47
rule_id = "0398c0a2-1237-478e-84c4-84510f1925e6"
severity = "medium"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(
  (
    process.name in ("ctr", "crictl", "nerdctl") and
    (
      (process.args == "tasks" and process.args == "exec") or
      (process.args == "run" and process.args in ("--privileged", "--rm", "--mount", "--net-host", "--pid-host")) or
      (process.args == "snapshots" and process.args == "mount")
    )
  ) or
  (
    (process.executable like ("/dev/shm/*", "/tmp/*", "/var/tmp/*") or process.name : ".*") and
    process.args like ("*containerd.sock*", "*k8s.io*")
  )
) and
not process.parent.executable in (
  "/usr/bin/kubelet", "/usr/local/bin/kubelet",
  "/usr/bin/containerd", "/usr/sbin/containerd",
  "/lib/systemd/systemd", "/usr/lib/systemd/systemd", "/sbin/init"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"