EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Cisco Isovalent - Nsenter Usage in Kubernetes Pod

This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage. The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges.

MITRE ATT&CK

T1543

Detection Query

`cisco_isovalent_process_exec` process_name="nsenter"
| eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ")
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(process) as process
        values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary
    by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter`

Author

Bhavin Patel, Splunk

Created

2026-03-10

Data Sources

Cisco Isovalent Process Exec

References

Tags

Cisco Isovalent Suspicious Activity
Raw Content
name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod
id: cd07120d-4265-481a-ba0f-3b91fbc5a02f
version: 3
date: '2026-03-10'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
    - Cisco Isovalent Process Exec
status: production
description: |
    This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container.  Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage.

    The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges.
search: |
    `cisco_isovalent_process_exec` process_name="nsenter"
    | eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ")
    | stats count
            min(_time) as firstTime
            max(_time) as lastTime
            values(process) as process
            values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary
        by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter`
how_to_implement: The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior.
known_false_positives: It is highly unlikely that nsenter will be used in a legitimate way, investigate the alert in context to rule out benign operations.
references:
    - https://isovalent.com/blog/post/2021-11-container-escape/
    - https://kubehound.io/reference/attacks/CE_NSENTER/
drilldown_searches:
    - name: View the detection results for - "$pod_name$"
      search: '%original_detection_search% | search pod_name = "$pod_name$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$pod_name$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: An nsenter escape attempt has been detected by user on container pod - [$pod_name$]
    risk_objects:
        - field: pod_name
          type: system
          score: 20
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Cisco Isovalent Suspicious Activity
    asset_type: Endpoint
    mitre_attack_id:
        - T1543
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_isovalent/cisco_isovalent.log
          source: not_applicable
          sourcetype: cisco:isovalent:processExec