Suspicious Container Runtime CLI Execution
Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting. These tools interact directly with the container runtime socket, bypassing the Kubernetes API server, RBAC authorization, admission webhooks, pod security standards, and Kubernetes audit logging entirely. Attackers with host-level access may use these tools to create privileged ghost containers, exec into other pods to steal service account tokens and secrets, pull attacker-controlled images, and destroy evidence, all while remaining invisible to Kubernetes-level monitoring.
Elastic rule
[metadata]
creation_date = "2026/05/01"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/05/01"

[rule]
author = ["Elastic"]
description = """
Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation,
command execution inside existing containers, image manipulation, or host filesystem mounting. These tools interact
directly with the container runtime socket, bypassing the Kubernetes API server, RBAC authorization, admission webhooks,
pod security standards, and Kubernetes audit logging entirely. Attackers with host-level access may use these tools to
create privileged ghost containers, exec into other pods to steal service account tokens and secrets, pull
attacker-controlled images, and destroy evidence, all while remaining invisible to Kubernetes-level monitoring.
"""
false_positives = [
    """
    Platform automation, node bootstrap, and legitimate break-glass admin sessions may use these CLIs with overlapping
    arguments. Tune by parent process, user, or host role (worker vs bastion).
    """,
]
from = "now-6m"
index = ["logs-cloud_defend.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Container Runtime CLI Execution"
note = """## Triage and analysis

### Investigating Suspicious Container Runtime CLI Execution

Review the full argv list and working directory. Confirm whether the session is interactive, whether the image or bundle
referenced is trusted, and whether bind mounts or privileged flags target host paths such as `/`, `/etc`, or Docker
sockets.

### Possible investigation steps

- Reconstruct the container ID or snapshot key passed to `tasks`, `snapshots`, or `content` subcommands.
- Correlate with file, network, and Kubernetes audit activity for pulls from unusual registries or subsequent pod
  changes.
- Check whether the parent should legitimately be kubelet, containerd, or systemd on that host class.

### Response and remediation

- If unauthorized, isolate the node, revoke credentials available to the session, and hunt for new privileged
  workloads or image imports.
"""
references = [
    "https://attack.mitre.org/techniques/T1609/",
    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation",
]
risk_score = 47
rule_id = "0398c0a2-1237-478e-84c4-84510f1925e6"
severity = "medium"
tags = [
    "Data Source: Elastic Defend for Containers",
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(
  (
    process.name in ("ctr", "crictl", "nerdctl") and
    (
      (process.args == "tasks" and process.args == "exec") or
      (process.args == "run" and process.args in ("--privileged", "--rm", "--mount", "--net-host", "--pid-host")) or
      (process.args == "snapshots" and process.args == "mount")
    )
  ) or
  (
    (process.executable like ("/dev/shm/*", "/tmp/*", "/var/tmp/*") or process.name : ".*") and
    process.args like ("*containerd.sock*", "*k8s.io*")
  )
) and
not process.parent.executable in (
  "/usr/bin/kubelet", "/usr/local/bin/kubelet",
  "/usr/bin/containerd", "/usr/sbin/containerd",
  "/lib/systemd/systemd", "/usr/lib/systemd/systemd", "/sbin/init"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1609"
name = "Container Administration Command"
reference = "https://attack.mitre.org/techniques/T1609/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
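The EQL query above relies on array semantics that are easy to misread when tuning: `process.args == "tasks" and process.args == "exec"` is true when both tokens appear anywhere in argv, not only when they are adjacent, and the parent-executable exclusion is applied after either branch matches. The following is an added example, not code from the Elastic rule or its repository: a plain-Python re-implementation of the predicate run over constructed process events, so a defender can check which argv shapes fire and which are suppressed before deploying or tuning the rule. Field names mirror ECS; the sample events, the `make_event` helper and the hidden-binary name `/tmp/.socket-helper` are constructed for illustration.

```python
"""Offline re-implementation of the rule's EQL predicate (added example, not the
rule's own code). Events are flat dicts keyed by ECS field name; process.args is
a list, mirroring how EQL evaluates comparisons on array fields (any element)."""
from fnmatch import fnmatchcase

# Parent executables exempted by the rule (copied from the query's `not ... in` list).
TRUSTED_PARENTS = {
    "/usr/bin/kubelet", "/usr/local/bin/kubelet",
    "/usr/bin/containerd", "/usr/sbin/containerd",
    "/lib/systemd/systemd", "/usr/lib/systemd/systemd", "/sbin/init",
}
RUNTIME_CLIS = {"ctr", "crictl", "nerdctl"}
RUN_FLAGS = {"--privileged", "--rm", "--mount", "--net-host", "--pid-host"}


def any_like(values, patterns):
    """EQL `field like (p1, p2)` on an array: true if any element matches any
    case-sensitive wildcard pattern."""
    return any(fnmatchcase(v, p) for v in values for p in patterns)


def matches_rule(event):
    """Return True when the event satisfies the rule's EQL query."""
    if not (event.get("host.os.type") == "linux"
            and event.get("event.type") == "start"
            and event.get("event.action") == "exec"):
        return False
    name = event.get("process.name", "")
    args = event.get("process.args", [])
    exe = event.get("process.executable", "")

    # Branch 1: a known runtime CLI with exec / privileged-run / snapshot-mount tokens.
    # `"tasks" in args and "exec" in args` reproduces EQL's any-element equality.
    cli_branch = name in RUNTIME_CLIS and (
        ("tasks" in args and "exec" in args)
        or ("run" in args and not RUN_FLAGS.isdisjoint(args))
        or ("snapshots" in args and "mount" in args)
    )
    # Branch 2: a binary in a world-writable directory, or with a dot-prefixed
    # (hidden) name (EQL `process.name : ".*"` is a case-insensitive wildcard
    # match), that references the containerd socket or the k8s.io namespace.
    suspicious_exe = (any_like([exe], ["/dev/shm/*", "/tmp/*", "/var/tmp/*"])
                      or fnmatchcase(name.lower(), ".*"))
    socket_branch = suspicious_exe and any_like(args, ["*containerd.sock*", "*k8s.io*"])

    if not (cli_branch or socket_branch):
        return False
    # The parent exclusion applies only after one of the branches matched.
    return event.get("process.parent.executable") not in TRUSTED_PARENTS


def make_event(name, executable, args, parent="/usr/bin/bash", os_type="linux"):
    """Build a constructed process-start event in the shape the rule expects."""
    return {
        "host.os.type": os_type, "event.type": "start", "event.action": "exec",
        "process.name": name, "process.executable": executable,
        "process.args": args, "process.parent.executable": parent,
    }


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = {
    "ctr_exec": make_event("ctr", "/usr/bin/ctr",
        ["ctr", "-n", "k8s.io", "tasks", "exec", "--exec-id", "dbg", "abc123", "sh"]),
    "nerdctl_privileged": make_event("nerdctl", "/usr/local/bin/nerdctl",
        ["nerdctl", "run", "--privileged", "-it", "alpine"]),
    "hidden_tmp_binary": make_event(".socket-helper", "/tmp/.socket-helper",
        ["/tmp/.socket-helper", "--addr", "/run/containerd/containerd.sock"]),
    "crictl_pull": make_event("crictl", "/usr/bin/crictl",
        ["crictl", "pull", "registry.example.internal/app:1.2"]),
    "ctr_images_ls": make_event("ctr", "/usr/bin/ctr", ["ctr", "images", "ls"]),
    "kubelet_child": make_event("ctr", "/usr/bin/ctr",
        ["ctr", "tasks", "exec", "--exec-id", "probe", "abc123", "true"],
        parent="/usr/bin/kubelet"),
    "not_linux": make_event("ctr", "/usr/bin/ctr", ["ctr", "tasks", "exec", "x", "sh"],
                            os_type="windows"),
}


def alerting_events(events):
    """Return the names of the sample events the rule would alert on."""
    return [key for key, ev in events.items() if matches_rule(ev)]


if __name__ == "__main__":
    for key, ev in SAMPLE_EVENTS.items():
        print(f"{key:20} -> {'ALERT' if matches_rule(ev) else 'no match'}")
```

Running the block prints one line per constructed event; the three alerts are the interactive `ctr tasks exec`, the `nerdctl run --privileged`, and the hidden `/tmp` binary addressing the containerd socket, while the image pull, the read-only `images ls`, the kubelet-spawned exec and the non-Linux event are not matched. Tuning candidates from the rule's false-positive note (additional parent executables, user, host role) map directly onto the final exclusion check.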
Related rules
- Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers
- Potential Kubeletctl Execution Detected via Defend for Containers
- Direct Interactive Kubernetes API Request by Common Utilities
- Direct Interactive Kubernetes API Request by Unusual Utilities
- Forbidden Direct Interactive Kubernetes API Request