Container Administration Command T1609
Tactic: Execution
Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.
Events covered
1 catalog event is tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| ESF | exec | Process Execution (Notify) |
Authoring guide
Patterns shared across the 27 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (33 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (340 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (107 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 3 rules
- Kubernetes Potential Enumeration Activity
- Potential Remote Command Execution In Pod Container
- Potential Sidecar Injection Into Running Deployment
Elastic 24 rules
- Container Management Utility Execution Detected via Defend for Containers
- Container Management Utility Run Inside A Container
- Container Runtime CLI Execution with Suspicious Arguments
- Direct Interactive Kubernetes API Request by Common Utilities
- Direct Interactive Kubernetes API Request by Unusual Utilities
- Direct Interactive Kubernetes API Request Detected via Defend for Containers
- Docker Socket Enumeration
- Forbidden Direct Interactive Kubernetes API Request
- Interactive Exec Into Container Detected via Defend for Containers
- Kubectl Apply Pod from URL
- Kubernetes Ephemeral Container Added to Pod
- Kubernetes Pod Creation Using Common Debug or Base Images
- Kubernetes Pod Exec Cloud Instance Metadata Access
- Kubernetes Pod Exec Potential Reverse Shell
- Kubernetes Pod Exec Sensitive File or Credential Path Access
- Kubernetes Pod Exec with Curl or Wget to HTTPS
- Kubernetes User Exec into Pod
- Pod or Container Creation with Suspicious Command-Line
- Potential Kubectl Masquerading via Unexpected Process
- Potential Kubeletctl Execution
- Potential Kubeletctl Execution Detected via Defend for Containers
- Privileged Container Creation with Host Directory Mount
- Privileged Docker Container Creation
- Suspicious Container Runtime CLI Execution