Container Runtime CLI Execution with Suspicious Arguments

  1[metadata]
  2creation_date = "2026/04/29"
  3integration = ["endpoint", "auditd_manager"]
  4maturity = "production"
  5updated_date = "2026/04/29"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation,
 11command execution inside existing containers, image manipulation, or host filesystem mounting. These tools interact
 12directly with the container runtime socket, bypassing the Kubernetes API server, RBAC authorization, admission webhooks,
 13pod security standards, and Kubernetes audit logging entirely. Attackers with host-level access may use these tools to
 14create privileged ghost containers, exec into other pods to steal service account tokens and secrets, pull
 15attacker-controlled images, and destroy evidence, all while remaining invisible to Kubernetes-level monitoring.
 16"""
 17false_positives = [
 18    """
 19    Platform automation, node bootstrap, and legitimate break-glass admin sessions may use these CLIs with overlapping
 20    arguments. Tune by parent process, user, or host role (worker vs bastion).
 21    """,
 22]
 23from = "now-9m"
 24index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*"]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Container Runtime CLI Execution with Suspicious Arguments"
 28note = """## Triage and analysis
 29
 30### Investigating Container Runtime CLI Execution with Suspicious Arguments
 31
 32Review the full argv list and working directory. Confirm whether the session is interactive, whether the image or bundle
 33referenced is trusted, and whether bind mounts or privileged flags target host paths such as `/`, `/etc`, or Docker
 34sockets.
 35
 36### Possible investigation steps
 37
 38- Reconstruct the container ID or snapshot key passed to `tasks`, `snapshots`, or `content` subcommands.
 39- Correlate with file, network, and Kubernetes audit activity for pulls from unusual registries or subsequent pod
 40  changes.
 41- Check whether the parent should legitimately be kubelet, containerd, or systemd on that host class.
 42
 43### Response and remediation
 44
 45- If unauthorized, isolate the node, revoke credentials available to the session, and hunt for new privileged
 46  workloads or image imports.
 47"""
 48references = [
 49    "https://attack.mitre.org/techniques/T1609/",
 50    "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation",
 51]
 52risk_score = 47
 53rule_id = "86b3a245-03de-49a5-ab57-ae44d8f064da"
 54setup = """## Setup
 55
 56Requires process execution telemetry with arguments from **Elastic Defend** (`logs-endpoint.events.process*`) and/or
 57**Auditd Manager** / Auditbeat (`logs-auditd_manager.auditd-*`, `auditbeat-*`).
 58
 59Ensure exec-related auditing captures full argv for `ctr`, `crictl`, and `nerdctl`. See
 60https://docs.elastic.co/integrations/auditd_manager
 61"""
 62severity = "medium"
 63tags = [
 64    "Data Source: Auditd Manager",
 65    "Data Source: Elastic Defend",
 66    "Domain: Container",
 67    "Domain: Endpoint",
 68    "OS: Linux",
 69    "Use Case: Threat Detection",
 70    "Tactic: Execution",
 71    "Resources: Investigation Guide",
 72]
 73timestamp_override = "event.ingested"
 74type = "eql"
 75query = '''
 76process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
 77(
 78  (
 79    process.name in ("ctr", "crictl", "nerdctl") and
 80    (
 81      (process.args == "tasks" and process.args == "exec") or
 82      (process.args == "run" and process.args in ("--privileged", "--rm", "--mount", "--net-host", "--pid-host")) or
 83      (process.args == "snapshots" and process.args == "mount")
 84    )
 85  ) or
 86  (
 87    (process.executable like ("/dev/shm/*", "/tmp/*", "/var/tmp/*") or process.name : ".*") and
 88    process.args like ("*containerd.sock*", "k8s.io")
 89  )
 90) and
 91not process.parent.executable in (
 92  "/usr/bin/kubelet", "/usr/local/bin/kubelet",
 93  "/usr/bin/containerd", "/usr/sbin/containerd",
 94  "/lib/systemd/systemd", "/usr/lib/systemd/systemd", "/sbin/init"
 95)
 96'''
 97
 98[[rule.threat]]
 99framework = "MITRE ATT&CK"
100
101[[rule.threat.technique]]
102id = "T1609"
103name = "Container Administration Command"
104reference = "https://attack.mitre.org/techniques/T1609/"
105
106[rule.threat.tactic]
107id = "TA0002"
108name = "Execution"
109reference = "https://attack.mitre.org/tactics/TA0002/"
110
111[[rule.threat]]
112framework = "MITRE ATT&CK"
113
114[[rule.threat.technique]]
115id = "T1611"
116name = "Escape to Host"
117reference = "https://attack.mitre.org/techniques/T1611/"
118
119[rule.threat.tactic]
120id = "TA0004"
121name = "Privilege Escalation"
122reference = "https://attack.mitre.org/tactics/TA0004/"